Thoughts on WordPress Security and Vulnerabilities

As avid readers of this blog know, we’ve discovered or written about multiple vulnerabilities within the WordPress ecosystem over the last couple of weeks specifically relating to popular plugins. MailPoet and Custom Contact Forms drove the bulk of the engagement, but those using WPTouch, TimThumb and vBulletin were also made aware of vulnerabilities.

If it seems like most of the problems occur with plugins, that is because it's the truth. In fact, the problem is not restricted to plugins; it includes themes and any number of other extensions or services that a website might make use of. This applies beyond the realm of WordPress and is something that all website owners should be mindful of.

In a recent interview with The Whir, Jason Cosper of WPEngine relayed a very similar message: WordPress' core is actually fairly secure, even with the most recent DoS vulnerability. The real threat to websites is the extensibility of the platform and, in reality, the issues that end-users introduce to their own environments. That is where the true vulnerability lies.

Size and Open Source

WordPress is the largest CMS platform in existence right now, with over 22% market share, and it dominates the CMS space with a whopping 60.6%. Let that sink in for a minute…

This is great for the platform. It also means that there is a significant incentive for every black-hat hacker to invest a little, or a lot, of time and resources in identifying ways to exploit those users. This is not speculation; it's fact. WordPress simply provides attackers with the largest pool of potential websites to hack. If we look at the greatest challenge enterprise environments are faced with today, we see that one of the more common threads is the concept of "Waterhole Attacks" (watering hole attacks), in which professionals are referring to the threats their infrastructure faces due to the various types of websites their end-users visit. If you'd like to find ways to protect your website, we have a plethora of ways to detect, prevent and fix malware on WordPress sites.

Understand however that WordPress core, regardless of what you might hear daily, is relatively secure – as secure as anything can be these days, at least. Who knows what tomorrow will bring? However, there is another interesting aspect of this entire world and that’s the idea of open source and the ethos it fosters.

Open source software is software that can be freely used, changed, and shared (in modified or unmodified form) by anyone. Open source software is made by many people, and distributed under licenses that comply with the Open Source Definition. – Opensource.org

This is a concept that many of the most famous platforms adhere to (e.g., WordPress, Joomla, Drupal) and it is a beautiful philosophical outlook. It's even one that our own Founder, Daniel Cid, applied when he first built OSSEC, a host-based intrusion detection system (HIDS). The interesting dynamic in environments like WordPress, however, is that the ease of use has extended well beyond just end-users and has started to become commonplace amongst WordPress developers. Tony, our CEO, recently shared some thoughts on that very point:

WordPress powers about 20 percent of the online space, and that’s great for the WordPress ecosystem. The problem is that everyone wants to jump in and be a developer…but what they’re forgetting are the principles of computer science; they’re forgetting the rules of secure coding.

This is something that we must be thinking about as well. While it's naturally very easy to blame the end-user, because they are often at fault, sometimes we need to stop and look internally as well. Are we doing everything we can to ensure the quality of our code reduces the potential risk of exploitation in the future, while being mindful that avoiding vulnerabilities entirely is nearly impossible (we'll come back to that)?

Related to this is a blog post that Bruce Schneier wrote six weeks ago called "The Human Side of Heartbleed," about the genesis of the Heartbleed vulnerability. The thesis was simple: humans are fallible, and humans write the code that underpins the internet; therefore the code that underpins the internet will contain errors and vulnerabilities. While he was writing specifically about Heartbleed, it encapsulates the underlying problem behind every single website hack.

No legitimate developer sets out to write code that will be easily attacked or taken advantage of, but the reality is that there are so many things that they can’t conceive of when they’re writing code for a platform. Daniel, our CTO, likes to say that, “Every piece of software will have bugs or issues at some point.” The point is to deal with problems when they arise. He’s right!

A developer may do a great job shutting out all known vulnerabilities at the time they write the code, but what about those that will be discovered in the coming six months? Of course, they can't know what those will be, and so they can't plan for them. Even when those vulnerabilities are discovered and the plugin developer puts out a patch, they have to rely on their users to update, and when users don't do so, the attacks can spread.
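The paragraph above ends on the weakest link in the patch cycle: a fix exists, but the site owner has to apply it. WordPress core offers a site-side mitigation for exactly that gap, the `auto_update_plugin` filter, which lets an administrator opt chosen plugins into the background updater. The following must-use plugin is an added example written for this post (it is not Sucuri's code and not part of the original article); the plugin basenames in the allow-list are placeholders, the function names are invented for the example, and it assumes the file is placed in `wp-content/mu-plugins/` so it loads on every request and cannot be switched off from the dashboard.

```php
<?php
/**
 * Added example (not from the original post): opt an allow-list of plugins
 * into WordPress core's background updater, and surface any remaining
 * pending updates to administrators so unpatched exposure is visible.
 *
 * Assumptions: this file lives in wp-content/mu-plugins/; the basenames in
 * sec_auto_patch_plugins() are placeholders for your own plugins, written
 * as "directory/main-file.php" exactly as get_plugins() lists them.
 */

/**
 * Constructed allow-list of plugin basenames to keep patched automatically.
 * A function rather than a constant keeps this compatible with old PHP.
 */
function sec_auto_patch_plugins() {
    return array(
        'example-plugin/example-plugin.php',   // placeholder basename
        'another-plugin/another-plugin.php',   // placeholder basename
    );
}

/**
 * Decide whether core may auto-install an available plugin update.
 *
 * @param bool   $update Core's default decision for this plugin.
 * @param object $item   Update record; $item->plugin is the plugin basename.
 * @return bool
 */
function sec_auto_update_listed_plugins( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, sec_auto_patch_plugins(), true ) ) {
        return true;
    }
    return $update; // leave core's decision untouched for everything else
}
add_filter( 'auto_update_plugin', 'sec_auto_update_listed_plugins', 10, 2 );

/**
 * Detective check: active plugins that still have a pending update.
 * Reads the same transient core uses, so it needs no extra network calls.
 *
 * @return array basename => new_version for each active, updatable plugin.
 */
function sec_pending_plugin_updates() {
    $pending = array();
    $updates = get_site_transient( 'update_plugins' );
    if ( empty( $updates->response ) ) {
        return $pending;
    }
    // get_option() avoids depending on wp-admin/includes/plugin.php being loaded.
    $active = (array) get_option( 'active_plugins', array() );
    foreach ( $updates->response as $basename => $info ) {
        if ( in_array( $basename, $active, true ) ) {
            $pending[ $basename ] = $info->new_version;
        }
    }
    return $pending;
}

/**
 * Show the pending list as an admin notice to users who can update plugins.
 * Output is escaped, since plugin names and versions are data, not markup.
 */
function sec_pending_updates_notice() {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    $pending = sec_pending_plugin_updates();
    if ( empty( $pending ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p>Active plugins with unapplied updates:</p><ul>';
    foreach ( $pending as $basename => $version ) {
        echo '<li>' . esc_html( $basename ) . ' (new version ' . esc_html( $version ) . ')</li>';
    }
    echo '</ul></div>';
}
add_action( 'admin_notices', 'sec_pending_updates_notice' );
```

The allow-list is deliberate: opting every plugin in with `__return_true` is simpler, but an administrator usually wants automatic patching for the plugins that handle untrusted input (forms, uploads, mail) while staging updates for plugins that change site behaviour. The notice closes the loop for everything not on the list, so a released patch that has not been applied is seen rather than silently ignored.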

People tend to hack sites for some sort of gain, usually monetary, and they'll probe a website's code to find ways in. In short, as long as there are websites and as long as there are incentives to hack, website breaches will continue to occur. As the number of websites increases, so will the attacks.

What Has to Be Done

Constant vigilance has to become the new normal.

With so much of our collective information online all the time, what can we do to protect ourselves and our information? The key is constant vigilance. It's not enough to set up a beautiful website and let it run on its own, or to start taking people's credit card information and assume it will be safe. There really is no way out of this circular process except to vigilantly secure code and then to use our collective power to make end users, the website owners, aware of the threats to their sites and information. We must also strive to make them more aware of the steps they need to take to secure their websites.

New Release 11/3/2017:

As part of our continual contribution to the WP community, we are proud to share our newest WordPress Security Guide, which covers good practices for protecting your website and discusses the most relevant vulnerabilities. Check it out today!

3 comments
  1. Indeed! It's interesting that we sometimes talk a lot about security and secured code and forget how hard it is to keep it up to date. What's secure now probably won't be in six months. So I couldn't agree more with the post objective. Vigilance is the norm.

    Also I should say that letting the "expert" be responsible for something (in this case, the security of our website) is also quite important. Today we see lots of front-end developers doing some sort of backend in WordPress without the needed security knowledge, which makes plugins insecure. I think it is like you mentioned: today everyone wants to be a developer, which leads to more insecure code and plugins, which eventually leads to more insecure websites.

    Great post and thanks for bringing this thought for analysis. =)

  2. With the core of WordPress being secure (mostly) and the plugins being the largest problem, why are some basic functions stripped out of WP? Wouldn't it make more sense to have at least a set of basic plugins overseen by WP? If someone wants something different from that, then they can use a third-party plugin, but for most website owners this is not needed; they still have to go pick from all the available plugins and hope they get ones that are well maintained and written.

  3. Addressing what you say here, I think WordPress itself has provided the ability to address this problem in-part ourselves. Plugin developers can implement custom automatic updates for their own plugins quite easily and I think it should be done for every plugin. We do it for our WordPress Simple Firewall plugin, and we’re integrating it into our other plugins over time.

    I’ve written a post on it, with specific WordPress code examples. I’d be keen to hear if this is something you think is a good idea: http://www.icontrolwp.com/2014/08/security-wordpress-plugins-must-one-thing/

    Cheers!
    Paul.
