How do we make ourselves less vulnerable in the wordpress exercise? #108

@MichaelDepner

In the multi-container exercise, we base the exercise on wordpress:5.7, which is a supported and updated tag on Docker Hub. Unfortunately this doesn't really make a difference, since we ask trainees to expose the unconfigured page to the internet.

This has led to some bitcoin mining incidents, where attackers use the WordPress site to inject crypto-miners into the container's /tmp folder as text files, then get them to execute through hacker magic.

I see 2-3 solutions:

  1. As a trainer, lock down the infrastructure on creation, so it only works from the wifi students are on. This should be feasible for most of our training locations (and, to be fair, most trainers probably already do this).
  2. Add a "Shut it down" section to the exercise, and ask students to kill the containers when they are done. This should work on most students.
  3. Base the exercise on something that is less of an open invitation to the world. The only way to be absolutely certain this cannot happen again. But then again, WordPress is a great example multi-container project that most people can resonate with.

I'll leave this task open for comments until I have time to do work on it. If no other suggestions or opinions come through, I will emphasise 1. in our internal trainer readme (different repo), and add 2. to the exercise.
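
A check a trainer could run on the training hosts for the symptom described above (files dropped into a container's /tmp), as an added example that is not part of the original issue or the exercise repository. It parses `docker diff` output; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list files that appeared under /tmp in running containers.
# `docker diff` prints one change per line: "A <path>" (added),
# "C <path>" (changed) or "D <path>" (deleted).

# Read `docker diff` output on stdin; print paths added or changed below /tmp.
# The /tmp directory entry itself ("C /tmp") and deletions are skipped.
tmp_changes() {
    awk '($1 == "A" || $1 == "C") && index($2, "/tmp/") == 1 {
        sub(/^[AC] /, ""); print
    }'
}

# Audit every running container; returns 1 if any container has /tmp changes.
audit_containers() {
    status=0
    for id in $(docker ps -q); do
        hits=$(docker diff "$id" | tmp_changes)
        if [ -n "$hits" ]; then
            name=$(docker inspect --format '{{.Name}}' "$id")
            printf 'container %s (%s):\n%s\n' "$id" "$name" "$hits"
            status=1
        fi
    done
    return $status
}

# Constructed sample of `docker diff` output (not taken from a real incident).
SAMPLE='C /var/www/html
A /var/www/html/wp-config.php
C /tmp
A /tmp/constructed-payload.txt
A /tmp/dir with space/file
D /tmp/old
C /run'

# Run the audit only when asked to, so sourcing the file has no side effects.
if [ "${1:-}" = "audit" ]; then
    audit_containers
fi
```

PHP can also write temporary files under /tmp, so a hit is something to inspect rather than proof of compromise.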
