Security Implications of WordPress in The Enterprise

My Chileno brother from another mother, Chris Lema, put out a great guest post on WPEngine yesterday talking about WordPress and the Enterprise. He speaks to the how and why of its emergence on the enterprise scene, but in the process makes a number of statements that very clearly explain the challenges we face as information security professionals. That, however, does not take away from the great points he makes around why it is a good enterprise platform.

Quick side note:

If you’re not familiar with Chris Lema, he’s perhaps one of the most engaging and insightful people you’ll meet, and he loves to write. WP Engine, on the other hand, is one of the premier managed WordPress hosting providers in today’s market, specializing in the ability to make your website grow wings, yes, like Red Bull.

The Discussion

Of the various things I do at Sucuri, the one I am fondest of is leading our incident / intrusion handling team. This is an unadvertised service that we provide to enterprises. At a high level we perform forensic analysis of the incident, outline the impacts of the compromise and perform offensive countermeasures to attacks if so required. It’s in this capacity that I have gained a unique perspective on this subject. I can attest to WordPress’s arrival in the enterprise, and I’d argue that it’s no longer sneaking in – that was perhaps 2 years ago.

As technology has grown more and more accessible, it has simultaneously freed up the enterprise to operate more efficiently, and it was only a matter of time until your corporate IT team wasn’t quite as essential to get your website built.

Chris Lema

While I agree on the reason for why it’s used, I strongly disagree with the scenarios he provides for how it gets integrated. Not because they are not true, but because they are.

In the last 12 months we have handled half a dozen incidents for large enterprises. When I say large, I’m talking about organizations with NOC/SOC implementations and revenue in the $100 – $500 million range. From that work I would place WordPress in the enterprise into the following categories:

  • Integration within the Enterprise
  • Subset within the Enterprise
  • Complete isolation from the enterprise

You would think that one category would have a bigger impact than the others; in a narrow technical sense it does, but in practice it doesn’t. In every situation there was an equal amount of impact on the brand, yet in almost all instances no-one had given that much thought. In each incident, it also came down to the same thing:

  • The business unit defined the need
  • The IT/SEC groups’ recommendations were ignored
  • The IT/SEC groups were held accountable for the compromise

The similarities in each concern me greatly, but unfortunately, it’s not something that is new. This has been the dilemma facing security professionals for decades. In our minds, no-one understands what it is we do, no one understands the impacts, well, until it’s too late that is.

They take it to the IT department who has no bandwidth for these “little” projects. And then some young, enterprising employee who is a non-programmer pulls a MacGyver – they decide they are going to make the project happen, and find the tools they understand how to work with, figure out what they can’t, and develop a solution.

Chris Lema

To me, these problems are reminiscent of our antiquated approach to the implementation and governance of our enterprises. We have forgotten that our jobs are to enable, not deter. The only sure way is not to say “No”, but to collaborate with the different groups and find a compromise. The fact is that budget cuts and business pressures will always win, so we have to get creative in the way we engage, but then again, this has been a reality we have been living with for a long time. Personally, I would prefer to have ownership of all facets of the enterprise before giving it up and getting blamed for it anyway. Let’s not be confused though: it’s not just about the IT/SEC entities; organizations and their respective leadership need to open their eyes and better understand the threats. The idea of allowing websites to be managed and sustained outside of your networks is absurd.

Bringing The Point Home

Here is the Cliff’s Notes version of two recent WordPress incidents that we have addressed in the enterprise:

Just two weeks ago I was on the phone with the representative for the media group of a Division I university. As you might imagine, their WordPress website had been compromised. In my initial discussion I asked for points of contact with their system administrators. Their response: “Yeah, this effort is not supported by our IT group, but we have a guy in-house that knows how to log into wp-admin and get things done.”

In another incident, a large enterprise, under pressure from its business units, set up a cluster of servers on their network dedicated to the website for one of their major properties. The business unit was given full administrative rights, per their request, and against the advice of the IT group. The new “administrator” proceeded to give all of its contributing authors administrative rights. A few months later the application was compromised with a shell that provided the attacker full access to the server. Yes, the same server that sat within the network. The analysis of the incident showed that it occurred when a user’s account was compromised, yes, one of the users with full administrative rights.

I am willing to bet, regardless of where you sit on the fence, no one wants to be a part of either scenario.

Thinking it Through

In each situation a number of things went wrong.

The biggest failure was the breakdown in communication, but let’s face it, this isn’t new. For years it has been an us-versus-them approach. Those business units just don’t understand us, and those security types only care about their Mountain Dew and Cheerios. It’s the reality that we live in, and have been for a long time, but there are things that we can do to improve that.

  • Stop with the idea that the other side is too stupid to understand what you are doing
  • Refactor your policy frameworks – 500 pages is dumb and highly ineffective
  • Remember what it was like to be forward thinking and nimble? Good, now apply it to your job
  • Technology is evolving, learn to embrace that fact and come up with solutions

In my experience, rational people can live with not getting their way if they can engage in good intellectual debate; let’s open the lines of communication and maybe we can avoid the incidents I outlined above.

If you find yourself dealing with a website compromise and require immediate incident handling you can always send us a note at info@sucuri.net.