It is rare to go a day without hearing about a vulnerability in a WordPress plugin or theme. Most recently, vulnerabilities in the WordPress thumbnailing plugin TimThumb, the SEO plugin All in One SEO, and MailPoet, the newsletter plugin with more than 1.7 million downloads, have been disclosed, leaving users and their web hosts scrambling to update to patched versions.
“WordPress core is actually fairly stable and secure,” WPEngine senior technical advisor Jason Cosper says. “There are occasional bugs and exploits that bubble their way to the top but they tend to be relatively minor. The big place where a lot of exploits and issues come from is out-of-date plugins.”
While the size of the WordPress install base certainly has something to do with the number of vulnerabilities uncovered each day, the open community and the ability of anyone to develop for the platform are both a blessing and a curse when it comes to security.
“[WordPress] powers about 20 percent of the online space, and that’s great for the WordPress ecosystem. The problem is that everyone wants to jump in and be a developer, and that’s kind of the beauty of the platform,” Sucuri co-founder and CEO Tony Perez tells the WHIR. “The problem though is that everyone is trying to do this, but what they’re forgetting are the principles of computer science; they’re forgetting the rules of secure coding.”
Perez founded Sucuri in 2010 with Daniel Cid, Sucuri co-founder and chief technology officer. Sucuri offers two main website security services, website antivirus and a website firewall, and partners with web hosts, including WPEngine, to help clean up hacked customer sites.
Cid’s background as a security researcher at TrendMicro has also helped the company form a research division, which focuses on malware and anti-malware techniques. Sucuri’s research division has been steadily disclosing WordPress plugin vulnerabilities, including the controversial disclosure of the MailPoet vulnerability in June.
The MailPoet disclosure spurred a discussion around responsible disclosure, or how much time should pass between the point at which a security issue is reported to the developer and the point at which the vulnerability is published to the world. While each company went into detail about its position on its own website, essentially MailPoet believed that Sucuri should have waited longer to publish the vulnerability to give MailPoet's users more time to upgrade the plugin. In a blog post on Sucuri's website, Perez called the event “unfortunate” but stood by his company's actions.
“I think what Sucuri did was the right thing,” Cosper says. “They maybe could have waited a few days longer but I understand both angles. As somebody who works for a host and would want to make sure that I had a chance to upgrade everybody before the exploit came out I understand where the MailPoet guys are coming from. But as somebody who has been around the hacker-side of things I can appreciate where Sucuri was coming from as well.”
According to Perez, who worked as a defense contractor and then spent four years in the information security space before starting Sucuri with Cid, 70-80 percent of malware is distributed through everyday websites.
“Web hosts are just not equipped to manage that,” he says. “They’re concerned with their infrastructure and networks, not necessarily the everyday consumer or website owner.”
Even paying for managed WordPress hosting can’t solve all security problems for end-users.
“These managed environments have a lot of challenges,” Perez says. “The biggest challenge is the flexibility the end-user is accustomed to. They are good for the users who know absolutely nothing and are okay with the bare-bones minimum. That's only going to satisfy a small segment of the population. A lot of these communities like WordPress and Joomla, there are a lot of DIYers, people that like to tinker and like to have the ability to pay, modify and update. We think that will continue to happen.”
Cosper says that in many cases, customers of managed WordPress hosting services don’t want their security upgrades automated by their hosting provider.
“Some hosting providers actually automatically upgrade plugins and that’s something we’re looking into doing, especially in the case of the security issues,” Cosper says. “However, we’ve actually asked our customers on this and polled them and we actually got a pretty overwhelming response of, ‘I’d like to handle that on my own because it’s something that I just want to make sure that the new version of the plugin will work with my site.’”
“That's one of the biggest problems with these security issues,” he says. “You end up running into people who have been bitten by a bad upgrade before. Even if it's a bad upgrade on their personal computer, people don't want to get stung or accidentally take their site down just because they want to keep their site safe. You run into people who are a little gun-shy about this. We do what we can with our checkpoints that we take nightly of our customer sites, and our support team who really does what they can to hold the customer's hand through the upgrade process.”
Cosper says that WPEngine does automate some processes, including running automatic and frequent scans of customer files so it knows if a site has been hacked or has an exploit running on it that could give hackers access to the site.
WPEngine is currently working on some web application firewall solutions, and is continuing to refine how it blocks particular attacks that it has seen on customer WordPress sites.
“One of the big problems is when you deal with a technology like ModSecurity, things like that, you’ll actually end up making the site slower while it checks to make sure it passes particular security checks,” Cosper says. “We’re doing what we can to increase the speed on that and help our customers in those ways.”
Perez believes that WordPress users will start to employ website firewalls as a way to block exploitation of software vulnerabilities they cannot fix themselves, since security measures like static fuzz testing and vulnerability testing are too expensive for the everyday website owner and are not something web hosts typically invest in.
“We always like to start around the basic principles of security. Things like access control and strong passwords,” Perez says. “When it comes to vulnerabilities it is very difficult for end-users because end-users are not developers and don’t understand the intricate details of code development and how things interact with each other. What we recommend to them, whether it’s our product or not, it’s our impression that within the next 12-14 months website firewalls, similar to firewalls you see on networks and infrastructure, are going to become commonplace. There is really no other way for end-users to handle software vulnerabilities.”
Ultimately, no matter the level of hosting a WordPress user pays for, they should take some responsibility for ensuring that their plugins are up to date, because out-of-date plugins are where most of the exploits described above come from.
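As an added example (not code from the article, from WPEngine or from Sucuri), the following script shows what a site owner or host can automate: it parses the standard plugin header block that WordPress reads from the first 8 KiB of each plugin's main PHP file, and compares the installed `Version:` against a table of minimum patched versions. The plugin slugs, versions and the patched-version table are constructed for the demo; version ordering is a simplified stand-in for PHP's `version_compare()`.

```python
"""Audit a WordPress plugins directory for plugins below a known-patched version.

Added example, not a WordPress or vendor tool. The sample plugins and the
DEMO_MIN_PATCHED table are constructed for the demo.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# WordPress reads file headers from the first 8 KiB of the main plugin file,
# accepting lines such as " * Version: 1.2.3" or "Version: 1.2.3" inside a
# comment block. The pattern mirrors the shape WordPress uses.
HEADER_BYTES = 8192
_HEADER_RE_TMPL = r"^(?:[ \t]*<\?php)?[ \t/*#@]*{name}:(.*)$"


def read_header(path: str, name: str) -> Optional[str]:
    """Return the value of a plugin header field (e.g. 'Version'), or None."""
    with open(path, "rb") as fh:
        head = fh.read(HEADER_BYTES).decode("utf-8", errors="replace")
    m = re.search(_HEADER_RE_TMPL.format(name=re.escape(name)), head, re.M | re.I)
    if not m:
        return None
    # Drop anything after a closing comment marker, as WordPress does.
    value = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
    return value or None


def version_key(v: str) -> Tuple[int, ...]:
    """Numeric key for dotted versions; non-numeric parts count as 0.
    Simplification of PHP version_compare(): '2.6.7-beta' sorts as 2.6.7.0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", v))


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than b ('2.6' equals '2.6.0')."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))


def installed_plugins(plugins_dir: str) -> Dict[str, Tuple[str, str]]:
    """Map plugin slug -> (plugin name, installed version).
    A plugin is a directory whose top-level .php file carries a 'Plugin Name'
    header, or a single .php file placed directly in the plugins directory."""
    found: Dict[str, Tuple[str, str]] = {}
    for entry in sorted(os.listdir(plugins_dir)):
        full = os.path.join(plugins_dir, entry)
        if os.path.isdir(full):
            slug = entry
            candidates = [os.path.join(full, f)
                          for f in sorted(os.listdir(full)) if f.endswith(".php")]
        elif entry.endswith(".php"):
            slug, candidates = entry[:-4], [full]
        else:
            continue
        for php in candidates:
            name = read_header(php, "Plugin Name")
            if name:
                found[slug] = (name, read_header(php, "Version") or "0")
                break
    return found


def audit(plugins_dir: str, min_patched: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (slug, installed, required) for every plugin older than its
    minimum patched version. Plugins not in the table are not reported."""
    outdated = []
    for slug, (_name, ver) in installed_plugins(plugins_dir).items():
        required = min_patched.get(slug)
        if required and version_lt(ver, required):
            outdated.append((slug, ver, required))
    return outdated


def make_demo_site() -> str:
    """Create a constructed plugins directory with three sample plugins."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "example-newsletter/example-newsletter.php": ("Example Newsletter", "2.6.6"),
        "example-seo/seo.php": ("Example SEO", "2.2.0"),
        "example-single.php": ("Example Single File", "1.6"),  # single-file plugin
    }
    for rel, (name, ver) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: {name}\nVersion: {ver}\n*/\n")
    return root


# Constructed table: the first version in which a hypothetical fix landed.
DEMO_MIN_PATCHED = {"example-newsletter": "2.6.7", "example-seo": "2.2.0"}

if __name__ == "__main__":
    site = make_demo_site()
    for slug, have, need in audit(site, DEMO_MIN_PATCHED):
        print(f"{slug}: installed {have}, needs >= {need}")
```

Point `audit()` at a real `wp-content/plugins` directory and feed it a table of patched versions (for instance the versions named in the advisories the article mentions) to get the list of plugins that must be upgraded; a host can run this nightly alongside the file scans Cosper describes. Only the version check is shown here; it says nothing about whether a site has already been compromised.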