Thoughts on WordPress Security and Vulnerabilities
As avid readers of this blog know, we’ve discovered or written about multiple vulnerabilities within the WordPress ecosystem over the last couple of weeks specifically relating to popular plugins. MailPoet and Custom Contact Forms drove the bulk of the engagement, but those using WPTouch, TimThumb and vBulletin were also made aware of vulnerabilities.
If it seems like most of the problems occur with plugins, it’s because it’s the truth. In fact, it’s not just restricted to Plugins, but includes Themes and any number of other extensions or services that a website might make use of. This actually applies beyond the realm of WordPress and is something that all website owners should be mindful of.
In a recent interview with The Whir, Jason Cosper of WPEngine relayed a very similar message: WordPress’ core is actually fairly secure, even with the most recent DOS vulnerability. The real threat to websites is the extensibility of the platform and, in reality, the issues that end-users introduce to their own environments. That is where the true vulnerability lies.
Size and Open Source
WordPress is the largest CMS platform in existence right now, with over 22% market share, and dominates the CMS space by a whopping 60.6%. Let that sink in for a minute…
This is great for the platform. It also means that there is a significant amount of incentive for every black-hat hacker to invest a little, or a lot, of time and resources to identifying ways in which to exploit those users. This is not speculation; it’s fact. WordPress simply provides attackers with the largest pool of potential websites to hack. If we look at the greatest challenge enterprise environments are faced with today, you see that one of the more common threads is the concept of “Waterhole Attacks,” in which professionals are referring to the threats their infrastructure faces due to the various types of websites their end-users visit.
Understand however that WordPress core, regardless of what you might hear daily, is relatively secure – as secure as anything can be these days, at least. Who knows what tomorrow will bring? However, there is another interesting aspect of this entire world and that’s the idea of open source and the ethos it fosters.
Open source software is software that can be freely used, changed, and shared (in modified or unmodified form) by anyone. Open source software is made by many people, and distributed under licenses that comply with the Open Source Definition. – Opensource.org
This is a concept that many of the most famous platforms adhere to (e.g., WordPress, Joomla, Drupal, etc.) and it is a beautiful philosophical outlook. It’s even one that our own Founder, Daniel Cid, applied when he first built OSSEC – a Host Intrusion Detection System (HIDS). The interesting dynamic in environments like WordPress, however, is that the ease of use has extended well beyond just end-users and has started to become commonplace amongst WordPress Developers. Tony, our CEO, recently shared some thoughts on that very point:
WordPress powers about 20 percent of the online space, and that’s great for the WordPress ecosystem. The problem is that everyone wants to jump in and be a developer…but what they’re forgetting are the principles of computer science; they’re forgetting the rules of secure coding.
This is something that we must be thinking about as well. While it’s naturally very easy to accuse the end-user because they are often at fault, sometimes we need to stop and look internally as well. Are we doing everything we can to ensure the quality of the code is such that we reduce the potential risk of exploitation in the future while being mindful that avoiding vulnerabilities is nearly impossible (We’ll come back to that)?
Related to this is a blog post that Bruce Schneier wrote six weeks ago called, “The Human Side of Heartbleed,” about the genesis of the Heartbleed vulnerability. The thesis was simple; humans are fallible and humans write the code that underpins the internet, therefore the code that underpins the internet will contain errors and vulnerabilities. While he was writing specifically about Heartbleed, it encapsulates the underlying problem behind every single website hack.
No legitimate developer sets out to write code that will be easily attacked or taken advantage of, but the reality is that there are so many things that they can’t conceive of when they’re writing code for a platform. Daniel, our CTO, likes to say that “every piece of software will have bugs or issues at some point.” The point is to deal with problems when they arise. He’s right!!
A developer may do a great job shutting out all known vulnerabilities at the time of writing the code, but what about those that will be discovered in the coming six months? Of course, they can’t know what those will be, and so they can’t plan for them. Even when those vulns are discovered and the plugin developer puts out a patch, they have to rely on their users to update, and when users don’t do so, the attacks can spread.
People tend to hack sites for some sort of gain, usually monetary, and they’ll probe a website’s code to find ways in. In short, as long as there are websites and as long as there are incentives to hack, website breaches will continue to occur. As the number of websites increases, so will the attacks.
What has to be done
Constant vigilance has to become the new normal.
With so much of our collective information online all the time, what can we do to protect ourselves and our information? The key is constant vigilance. It’s not enough to set up a beautiful website and let it run on its own, or to start taking people’s credit card information and assume it will be safe. There really is no way out of this circular process except to vigilantly secure code and then to use our collective power to make end users–the website owners–aware of the threats to their sites and information. We must also strive to make them more aware of the steps they need to take to secure their websites.