WordPress Security Archives

Open-Source CMS Security In The Enterprise

Published in Security on April 20, 2016

Regardless of the size of your organization, the security challenges with open-source Content Management Systems (CMS) security are the same. In the enterprise the issue stems not from the technology or existing processes, but the fact that security is slipping through our fingers. We’ve made it too difficult for our counter parts in marketing and sales, and where there is a problem new solutions step in to solve them. We see this being enabled by the explosion of cloud platforms like Platform as a Service (PaaS), Software as a Service (SaaS) and technologies that easily work in those environments like open-source CMS applications.

As a community we have to do something about this. These activities stem from the perception that IT / Security is always going to say “no” or “make my life too hard” and I can’t help but think there is a better way to handle this. To do this, we have to be prepared to embrace technologies like open-source CMS application and be willing to silence our personal biases towards them (i.e., WordPress is insecure, which is grossly untrue). A good first steps is better understanding how these technologies might fit into existing governance and their associated security policies and tools.

Accounting for Website Security in The Enterprise

Open-source CMS web applications are no different than any other applications enterprise security teams are responsible for. The principles like Defense in Depth still apply, and integrating things like Prevention, Detection and Response solutions are just as critical. The difference being that in the enterprise, these aren’t new concepts, yet when it comes to open-source CMS applications they’re dismissed.

Compromises within the open-source CMS domain are achieved through two key areas: access control and exploitation of software vulnerabilities. Here are a few tips to help enterprises think through the security challenges they face:

Security In Open-Source CMS Applications

Published in Security on February 12, 2016

Open-source CMS applications are no stranger to the battle they face with security. The size of the organizations adopting the platform also has little to do with it – from bloggers to mom and pop shops to Fortune 500 companies; the concern is the same. Can open-source CMS applications be deployed securely within their respective stacks?

There are those that look at open-source and have a general distrust for it. The idea that people can see the code and submit patches makes them uneasy. There are also those who can’t get their head around the general ambiguity of open-source, in which the code belongs to no-one and everyone. What they don’t realize is that most open-source projects have a stringent commit process.

The security perception is still a very real problem for the open-source CMS industry, and many feel it’s unattainble.

Website Security is Not an Absolute

Published in Security on October 31, 2015

I work in the field of Information Security (InfoSec), specifically website security. With that in mind, it’s but one very small piece of a very large pie. Security is complex, even at the 50,000 foot level; within each specific area of the industry, it can get even more complex. It’s no wonder it can feel overwhelming.

I have to remind myself that Security, regardless of which domain you’re focused on, always comes down to three basic elements working in conjunction with one another:

People
Process
Technology

YoastCon: The State Of WordPress Security

Published in Security on June 9, 2015

Almost five years ago, Joost started the company Yoast, offering website reviews and free plugins. Yoast’s core business was, and is, sharing knowledge and making it easier to create usable websites. Five years later Yoast has turned into one of the biggest WordPress plugin providers with 21 employees (and counting)!

To celebrate reaching five years, awesome growth, and much success, Yoast celebrated with a conference: YoastCon!

The conference was held in de Lindenberg in Nijmegen, with myself, Chris Lema, Marcus Tandler, Karl Gilis, and Joost de Valk speaking, and Marieke van de Rakt, Thijs de Valk, and Taco Verdonschot giving workshops.

The State of WordPress Security

My talk was on the current state of WordPress security. There is no denying that WordPress, powering over 23.5% of the top websites in the world, has become the platform of choice for bloggers and businesses alike.

With this fame however, WordPress has become a target, making it the top targeted platform on the web by malicious actors with ill intent.

Website Access Control and Security

Published in Security on January 23, 2015

Website security has become a hot bed over the past few years. More and more companies are joining the game in hopes of capitalizing on what they perceive to be huge opportunities. The one vector that seems to be all the rave is Access Control.

When I talk to access control, I specifically talk to mechanisms in place to restrict access to a resource. Think how you connect to your website. Are you using WordPress, Joomla, Magento or some vBulletin? Maybe it’s a custom PHP, HTML, ASP website?

Regardless of the platform, you have some form of access vector you employ daily.

If you’re a WordPress user, you’re likely leveraging /wp-admin. If you’re on Joomla, you’re using /administrator, and so on and so on — each platform providing its own means for connection. Access vectors don’t stop there. They extend well beyond the application itself. Think about things like File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP) and Secure Shell (SSH). These are transfer protocols that are still part of your website access vectors.

This can be extended further when you think about things like your hosting panels and database log in panels, additional forms of access vectors. But now we start diving into a very deep rabbit hole.

Website Security and Auto-Updates

Published in Security on November 27, 2014

If we could only auto-update our applications when vulnerabilities are identified, then we’d surely be safe… that seems to be today’s mindset. To a certain extent, that’s true, but it’s also false.

The idea of auto-updates is not new, it’s been around for a while. It’s all the rave as of late when we talk about websites. It only makes sense, if you know that the weakest link in the chain is the end-user (whom for whatever reason is unable to update) then remove the weakest link, and remove the choice.

The Challenges of Auto Updates in Website Security

There are however a few challenges that come to mind when I think about Auto-Updates, specifically how they relate to Website Security:

Does little against Unknowns
Introduces an unmanageable access point
Goes against best practices
Requires applications to write to itself

How We Think About Website Security

Published in Security on October 30, 2014

I recently attended WordCamp San Francisco (WCSF) where Matt Mullenweg, founder of the WordPress project and CEO of Automattic, gave his annual State of the Word.

WordCamps are informal, community-organized events that are put together by WordPress users like you. Everyone from casual users to core developers participate, share ideas, and get to know each other.

WordCamp Central

As I sat there and listened to the various accomplishments the platform had achieved, one common theme continued to pop in my head around security. It’s a theme that plagues all platforms, not just WordPress. It’s something that my business partner and I struggle with on a daily basis — it’s the biggest vulnerability every website and CMS faces, it’s users.

WordCamp Europe 2014: WordPress Security Starts With Posture

Published in Security on October 16, 2014

Recently I spoke at WordCamp Europe 2014 on the topic WordPress Security — It Starts With Posture. The threats website owners face today range in scale and complexity — from large DDOS attacks leveraging WordPress core functionality, to vulnerabilities found in some of the largest plugins in the ecosystem.

The Security dilemma is not shrinking, it’s getting bigger.

Today more than ever, it’s important we take the time to educate and bring awareness to the things everyday website owners can do to improve their over security posture.

Web security is not a turn of a knob, or click of an option, it’s about state of mind — it’s about good posture.

Check out the video of my presentation:

Watch The Video

Importance of Updates in Website Security: WordPress, Joomla, Drupal and CMS’s

Published in Security on August 17, 2014

In my recent post talking to the dilemma that is WordPress Security, there seemed to be some confusion as to my position on updates. Allow me a moment to provide clarity on the subject, yes, updates are very important.

My previous statements are specific to the importance level of updates, it was designed to foster a very different type of conversation than one you would have with an everyday website owner. An everyday website owner doesn’t care about the nuisances or philosophical arguments that occur at higher echelons of a specific domain their concern is what affects them right now.

For the everyday website owner, along with a variety of other best-practices, you should be applying updates as they become available. This post is more specific to you and your needs and what you must understand about the world that is Updates.

The Dilemma that is WordPress Security

Published in Security on August 9, 2014

The past few weeks WordPress Security has come to the forefront of the discussion again, as it often does every few months. As is often the case, it’s highly emotional and generates a lot of discussion. Chris Lema shared a post, Our discussions around WordPress security should change, and that sparked some interesting conversations.

He’s absolutely right, it should.

What many fail to realize within the community however is that the crux of the problem goes beyond Access Control and Software Vulnerabilities. The problem is the end-user, the website owner, the grandma turned website owner, the full-time mommy turned SEO expert, and the message that is pushed from top down through the various niches / factions of clicks within the community.

The irony of it all is that it revolves around the concept that made WordPress so popular — it’s ease of use.

WordCamp Chicago 2014: WordPress Security Is All About the Basics

Published in Security on July 2, 2014

Recently I had the opportunity to share my insights from the past five years working at Sucuri at WordCamp Chicago 2014 held at the University Center in downtown Chicago.

My talk, WordPress Security: It’s All About the Basics, focused on experiences with end-user security issues and threats in the web security industry.

With the goal of greater awareness of security issues for website owners, I share information about the latest security threats and trends, what to watch out for and be careful of, and as always some (hopefully valuable) takeaways and recommendations for the future.

Check out the video of my presentation:

Watch The Video

WordCamp Philly 2014: The Key to WordPress Security Is Awareness

Published in Security on June 12, 2014

This past weekend, I had the opportunity to speak about WordPress Security at WordCamp Philly 2014 as part of the Power User Track.

It’s critical to understand that the key to website security is awareness — and that is exactly what we achieve in this talk.

Getting down to the basics and sharing insight that very few can share through the experiences we have ascertained at Sucuri. The latest threats and trends will be shared, and of course, some good, hardening takeaways and recommendations.

Checkout the video of my presentation:

Watch The Video

WordCamp Minneapolis 2014: The Basics Of WordPress Security

Published in Security on April 28, 2014

Over the years, I have seen and experienced an amazing amount of security threats, vulnerabilities, malware attacks, and other problems website owners face. Recently I had the opportunity to speak at WordCamp Minneapolis 2014 on The Basics of WordPress Security, specifically targeted for the website owner or end user.

In this presentation, I share insights into security threats and trends site owners should be aware of, provide tips and recommendations on keeping your website secure, and share some of my experiences and insights from working at Sucuri.

I also participated in a panel discussion on Commercial WordPress Products with Reid Peifer, Marc Benzakein, Carl Hancock, and Ben Fox that was moderated by Kiko Doran.

Check out the video of my presentation and thanks to Matt Porath for snapping this great photo!

Watch The Video

WordCamp Las Vegas 2013: Real WordPress Security, Kill The Noise!

Published in Security on December 28, 2013

This month I joined my business partner Dre Armeda at WordCamp Las Vegas 2013 to speak about web security.

Our presentation, titled Real WordPress Security, Kill The Noise! cut through the false sense of security many website owners enjoy to address the real security issues, threats, and vulnerabilities facing WordPress websites and their owners.

But don’t worry — it’s not all doom and gloom.

While we address the issues, we also provide tips and recommendations on how you can secure your website and our no nonsense approach to reducing risk with WordPress.

Check out the video of the presentation:

Watch The Video

WordPress Security: Learning From Hacks

Published in Security on December 7, 2013

This evening I will be giving a presentation at WordSesh at midnight PST (0800 UTC).

This goal of this presentation is to learn from hacks as the name implies. It’s fairly straight forward to talk about hardening and malware, it’s something different all together to understand the attackers. That’s what this presentation attempts to do in a very short time period (45 minutes). In it I share two scenarios that were recently analyzed at my company, Sucuri.

Here is the presentation I’ll be giving and the video:

Forensics: Analyzing a WordPress Attack / Hack

Published in Security on November 8, 2013

Recently one of our honeypots was it by an attacker and in the process we were able to gather a bunch of good intelligence on the actions taken by the attacker.

I write and detail the forensics of the attack in my latest post, for Sucuri: Case Study: Analyzing a WordPress Attack – Dissecting the webr00t cgi shell – Part I. My goal is to put out a part II next week in which we break down the shell used.

All in all, it was pretty interesting and amusing at the same time. Any questions or insight let me know.

Check Out The Article

Crazy April for the WordPress Platform

Published in Security on April 25, 2013

In case you haven’t been following the month of April has been a bit of a whirlwind for website owners, specifically those using the WordPress platform. The good news is it’s motivated me to start writing again, not so much here but on our company blog. That being said, let me get you caught up on what’s been going on.

Fortunately, it all started off with my presentation at WordCamp Miami, which was pretty awesome I might add.

It really kicked off with the big challenges presented by the apparent abuse of trust that came from the Social Media Widget plugin.

If you didn’t hear, the original developer of the plugin sold the rights to a marketing firm, who then outsourced it to a freelancer. That freelancer then took it upon himself to inject code into the core of the plugin, so when it was pushed to the repository and notified everyone of updates it injected everyone with the payload. Nasty, I know. Talk about taking all the fun out of hacking, boo for laziness, yay for ingenuity. The obvious downside here being the abuse of trust as I just stated, making you wonder what is being done to address that very apparent vulnerability. What do you think?

WordPress Website Security: WordSesh 2013

Published in Security on April 15, 2013

Here is an online presentation I gave at WordSesh 2013. Always weird when you give an online presentation, unable to gauge the crowd and respond accordingly. Look forward to your feedback.

WordCamp Miami 2013: WordPress Website Security

Published in Security on April 3, 2013

I’ll be in Miami this weekend, for WordCamp Miami 2013, giving a new, updated talk on Website Security. Come by and say hi if you’re around — If you’re not, no problem, I’ve included my slides below in this post for your reference.

My talk is titled Staying of the Website Threats and Becoming One with Malware. In it, I talk about the latest threats and things you can do to help yourself and your site stay secure. The idea is to educate and in the process, help you gain a deeper appreciation for the underbelly of the web and the realities of the web based malware.

Security Implications of WordPress in The Enterprise

Published in Security on January 30, 2013

My Chileno brother from another mother, Chris Lema, put out a great guest post on WPEngine yesterday talking about WordPress and the Enterprise. He talks to the how and why of it’s emergence in the enterprise scene, but in the process makes a number of statements that very clearly explains the challenges we face as information security professionals. That, however, does not take away from the great points he makes around why it is a good enterprise platform.

Quick side note:

If you’re not familiar with Chris Lema, he’s perhaps one of the most engaging and insightful people you’ll meet and loves to write. WP Engine on the other hand is one of the premiere managed WordPress hosting providers in today’s market specializing in the ability to make your website grow wings, yes like Red Bull.

The Discussion

Of the various things I do at Sucuri, the one I am fondest of, is the ability to lead our incident / intrusion handling team. This is an unadvertised service that we provide enterprises. At a high-level we perform forensic analysis of the incident, outline the impacts of the compromise and perform offensive countermeasures to attacks if so required. It’s in this capacity that I have gained a unique perspective on this subject. I can attest to its arrival in the enterprise, and I’d argue that it’s no longer sneaking in – that was perhaps 2 years ago.