The Dilemma that is WordPress Security

Over the past few weeks WordPress security has come to the forefront of the discussion again, as it does every few months. As is often the case, it’s highly emotional and generates a lot of discussion. Chris Lema shared a post, Our discussions around WordPress security should change, and that sparked some interesting conversations.

He’s absolutely right, it should.

What many within the community fail to realize, however, is that the crux of the problem goes beyond Access Control and Software Vulnerabilities. The problem is the end-user, the website owner, the grandma turned website owner, the full-time mommy turned SEO expert, and the message that is pushed from the top down through the various niches / factions of cliques within the community.

The irony of it all is that it revolves around the concept that made WordPress so popular — its ease of use.

But First, A Story… That Seems to be the thing…

I was a United States Marine at one point in my not so long ago past. I spent close to 1.5 years in Iraq over a 2 year period. At one point I was the Geospatial Intelligence lead for 3 provinces. I would need a series of posts to explain what that is, but the gist of it is I analyzed geography to understand the implications of specific actions. Can we go that route? If we do, what happens? What are the potential pitfalls, etc…

The standard classification in the space when constructing things like Cross Country Mobility Studies was always Red, Yellow, Green. Red always meant bad, Yellow meant caution, Green meant good. Pretty standard I’d say, something that we all understand as humans. So standard it’s something we deal with every day at stop lights around the world.

One day, during a series of combat operations, everything was abuzz in the command center. We had operations going. We had various high value targets in mind. One specific event was to occur in 24 hours. This event, however, required cross country mobility (i.e., no roads or infrastructure to be leveraged). I worked with our various analysts (i.e., weather, all source intel, open source, etc.) to understand what the environment would be like. Based on the composition of the soil and vegetation, coupled with what the locals told us of the area, bundled with the state of the weather, the two main axes of advance were going to be no-gos.

As was the approach, I prepared my report. Prepared my presentation. And presented it to the commander of the operation with a well thought out and prepared plan, clearly articulating the analysis and the implications of why we could not do those approaches (i.e., the attack) at that time.

Commander’s response: “What is all that red stuff on the map?”

My response: “Sir, that is the no-go area.”

Commander’s response: “But that’s where we need to go.”

My response: “I understand sir, but that’s a no-go, it must be red to signify we can’t go that route.”

Commander’s response: “That’s not going to work. Need you to change that to something less drastic before I send to the guys on the ground.”

I did as I was told. The mission failed. Every vehicle that went through the entry point got stuck due to inclement weather and the impact that had on the terrain. Was it because of me? I have no idea, but what if I had followed the established protocol? Would they have seen the issues and delayed the operation?

The WordPress Security Challenge is Communication

WordPress and Security and the Dilemma that Ensues

When I look at the challenges with WordPress Security I boil them down to a few things for me:

1: The community’s insatiable appetite for debate.

To be fair though, this is more the world of social media and open communication than WordPress specifically. There is however an interesting dynamic that I have noticed creep into the WordPress ecosystem over the past few years, and as it grows, it grows exponentially as well. It’s the social mob mentality which turns highly irrational and emotional – I too am a victim of this.

In security specifically it is rampant.

Here is the thing to note. Personally, I love intellectual debate, it’s healthy, it should be encouraged. The problem we have in WordPress security is that we’re not having intellectual debates. Everyone has an opinion for the sake of having an opinion with little to no understanding of the domain.

2: Security is categorized through the lens of the platform and not security.

What this speaks to is specifically platform bias, so much so that it clouds judgement. The community spends more time defending a weakness than acknowledging it and moving on. This is a hard lesson that others learned long ago, just look at Microsoft.

This unfortunately is brought about because of emotion and that emotion is high, because in relative terms, this community is very young and immature. I don’t say that in a negative sense, I mean that sincerely. It is.

I had a great conversation with a friend of mine who said:

Executives of companies get in trouble when they go off-script. In WordPress however, it’s a bunch of adolescents, and I don’t argue with 12 year olds.

I found that to be a very profound insight. The beauty is, it wasn’t meant to be derogatory, but it struck at the issue that the community has as a whole, far beyond Security.

In the past few months I have heard from several people, in passing and in presentations:

Gosh how I hate presentations that scare end-users.

or

Many talks out there will tell you of all these security issues in WordPress, but I’m here to put a lighter spin on the discussion. To show you it’s not a scary place.

I’ll be honest, I was a bit dumbfounded by this. This idea that we should call it something nicer for the sake of calling it nicer is preposterous to me. Do allow me to caveat, I’m obviously not saying we should call a puppy a lion, well, unless it’s a lion pup.

An example of what I mean can be found this last week when we look at the recent Security patch pushed by the Core team. The key, however, is in their message to the community:

This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team

This in turn leads to a butterfly and flowers post about collaboration, which was great, until you read:

The bug itself is relatively minor, but of interest is the collaboration between the WordPress and Drupal teams to create a fix.

You then look at Drupal’s release:

The PHP XML parser used by this XML-RPC endpoint is vulnerable to an XML entity expansion attack and other related XML payload attacks which can cause CPU and memory exhaustion and the site’s database to reach the maximum number of open connections. Any of these may lead to the site becoming unavailable or unresponsive (denial of service).

They even provide the correct classification:

Security risk: 13/25 (Moderately Critical) AC:None/A:None/CI:None/II:None/E:Proof/TD:100

In which they explain, objectively, what that categorization means:

Remotely exploitable vulnerabilities that can compromise the system. Interaction (such as an administrator viewing a particular page) is required for this exploit to be successful. Exploits have not yet occurred on systems when vulnerability was disclosed. The exploit requires the user to be registered at the site and have some non-default permission, such as creating content.

Previous examples include: Cross Site Scripting, Access bypass.

Before we turn this into “Off with Tony’s head. Let’s put it on a spike. He says WordPress sucks. Ban him from all WordCamps. I hate his company.”: none of which I have stated, but all of which will undoubtedly be interpreted.

Let’s take a minute to objectively think about that. Drupal was correct, WordPress was not.

Yet, I had a conversation with a developer in which it was explained to me why the severity of this was minor:

Submitting massive POST requests isn’t really any different.

And herein lies the problem. We are so clouded by our greatness that it leads us down the wrong path when it comes to security. Every other platform and technology has learned how to deal with security issues, yet as a WordPress community we have not.

3: Everyone is an Expert

I can think back to 2010, a time when there were more issues in Core than anyone has seen in years. It was the year of big breaches at places like GoDaddy and many other hosts. It’s actually where and when all the discussion of how bad shared hosts are first started. It is also when the recommendation to change the database prefix started. What many don’t realize is that the reason the prefix recommendation even started was the shared hosts and the way they configured their environments. The attackers had written a script just looking for the prefix and in doing so quickly attacked multiple servers. It was actually not because of remote attacks, but internal ones. Awkward, I know.

This led us into 2011 where we saw some of the biggest issues around security specifically with a little script called TimThumb. Oh what a cluster that was.

Everyone scurrying, everyone trying to understand what had happened.

Oh and how in 4 years everything has changed. Today, everyone knows. Everyone knows that if you want to stay safe you must:

  1. Change the Admin user
  2. You must update
  3. You must not use the default DB prefix
  4. You must use SFTP, not FTP
  5. You better have SSL installed.
  6. Oh and so many more gems….

This is followed by statements like:

The key to security is updates, not auditing

Matt Mullenweg

These do nothing more than amplify the issue we have, loud and clear: they amplify our lack of understanding of the security space. These are things we have heard, yet have very little understanding of. It is not to say that some don’t have some value, some do, absolutely. The reality however is that attacks and payloads have become ever so clever. The ones that cause the most damage to the communities actually leverage very little of the things everyone just loves to recommend.

The internet has made us all experts about everything though. We are security experts. We are marketing experts. We are business experts. We are SEO experts. We are WordPress experts. The harsh reality is, we’re experts at search, not knowledge. As a community, this is forgotten and that leads to this overwhelming number of ridiculous posts that carry little merit and provide very little value to the end-user. In reality they cause confusion and erode the end-user’s trust in the platform.

This additional noise makes it difficult for real information to find its way to the surface.

The Fix is Easier Than Most Realize

Unlike Chris’ email my recommendation is not partnerships, but better communication. Openness and disclosure, collaboration if required, and the value that comes from learning from our predecessors. We should be looking at technologies like Java and Windows, and organizations like Microsoft and Oracle for guidance on how security should be handled.

Remember, security is not an open-source thing. It’s not a WordPress thing. Security has been around a lot longer than most technologies. There are established principles and practices in place, defined over decades of experience. While a platform like WordPress is awesome, it is not the be-all and end-all for all facets of life, and we have to bear that in mind. It is possible that insight comes from other domains that are older and more mature than this one.

I leave you with a very insightful post by Jason Cohen, in which he speaks to the challenges of growth. While the post is not specific to security, he said one thing that holds true for us in WordPress Security:

The hardest thing about growth is that rare things become common.

Bear that in mind. You can’t own 22% of the market and not expect issues. Is it best to fight it and blindly convince yourself that they don’t exist, or is it better to embrace it?