It is rare to go a day without hearing about a vulnerability in some WordPress plugin or theme. Most recently, vulnerabilities in the WordPress thumbnailing plugin TimThumb, the SEO plugin All in One SEO, and MailPoet, the newsletter plugin with more than 1.7 million downloads, have been exposed, leaving users and their web hosts scrambling to update to patched versions.
"WordPress core is actually fairly stable and secure," WPEngine senior technical advisor Jason Cosper says. "There are occasional bugs and exploits that bubble their way to the top but they tend to be relatively minor. The big place where a lot of exploits and issues come from is out-of-date plugins."
While the size of the WordPress install base certainly has something to do with the number of vulnerabilities uncovered each day, the open community and the ease of developing for the platform are both a blessing and a curse when it comes to security.
"[WordPress] powers about 20 percent of the online space, and that's great for the WordPress ecosystem. The problem is that everyone wants to jump in and be a developer, and that's kind of the beauty of the platform," Sucuri co-founder and CEO Tony Perez tells the WHIR. "The problem though is that everyone is trying to do this, but what they're forgetting are the principles of computer science; they're forgetting the rules of secure coding."
Perez founded Sucuri in 2010 with Daniel Cid, Sucuri co-founder and chief technology officer. Sucuri offers two main website security services, website antivirus and a website firewall, and partners with web hosts, including WPEngine, to help clean up hacked customer sites.
Cid's background as a security researcher at Trend Micro has also helped the company form a research division, which focuses on malware and anti-malware techniques. Sucuri's research division has been steadily disclosing WordPress plugin vulnerabilities, including the controversial disclosure of the MailPoet vulnerability in June.
The MailPoet disclosure spurred a discussion around responsible disclosure, or how much time should pass between when a security issue is reported to a developer and when the vulnerability is published to the world. While each company explained its position in detail on its own website, essentially MailPoet believed that Sucuri should have waited longer to publish the vulnerability to give its users more time to upgrade the plugin. In a blog post on Sucuri's website, Perez called the event "unfortunate" but stood by his company's actions.
"I think what Sucuri did was the right thing," Cosper says. "They maybe could have waited a few days longer but I understand both angles. As somebody who works for a host and would want to make sure that I had a chance to upgrade everybody before the exploit came out I understand where the MailPoet guys are coming from. But as somebody who has been around the hacker side of things I can appreciate where Sucuri was coming from as well."
According to Perez, who worked as a defense contractor before working in the information security space for four years prior to starting Sucuri with Cid, 70-80 percent of malware is distributed through everyday websites.
"Web hosts are just not equipped to manage that," he says. "They're concerned with their infrastructure and networks, not necessarily the everyday consumer or website owner."
Even paying for managed WordPress hosting can't solve all security problems for end-users.
"These managed environments have a lot of challenges," Perez says. "The biggest challenge is the flexibility the end-user is accustomed to. They are good for the users who know absolutely nothing and are okay with the bare-bone minimums. That's only going to satisfy a small segment of the population. A lot of these communities like WordPress and Joomla, there are a lot of DIYers, people that like to tinker and like to have the ability to pay, modify and update. We think that will continue to happen."
Cosper says that in many cases, customers of managed WordPress hosting services don't want their security upgrades automated by their hosting provider.
"Some hosting providers actually automatically upgrade plugins and that's something we're looking into doing, especially in the case of the security issues," Cosper says. "However, we've actually asked our customers on this and polled them and we actually got a pretty overwhelming response of, 'I'd like to handle that on my own because it's something that I just want to make sure that the new version of the plugin will work with my site.'"
"That's one of the biggest problems with these security issues," he says. "You end up running into people who have been bit by a bad upgrade before. Even if it's a bad upgrade on their personal computer, people who don't want to get stung or accidentally take their site down just because they want to keep their site safe. You run into people who are a little gun shy about this. We do what we can with our checkpoints that we take nightly of our customer sites, and our support team who really does what they can to hold the customer's hand through the upgrade process."
Cosper says that WPEngine does automate some processes, including frequent automatic scans of customer files, so that it knows if a site has been hacked or has an exploit running on it that could give attackers access to the site.
WPEngine is currently working on some web application firewall solutions, and is continuing to refine how it blocks particular attacks that it has seen on customer WordPress sites.
"One of the big problems is when you deal with a technology like ModSecurity, things like that, you'll actually end up making the site slower while it checks to make sure it passes particular security checks," Cosper says. "We're doing what we can to increase the speed on that and help our customers in those ways."
Perez believes that WordPress users will start to deploy website firewalls as a way to shield themselves from software vulnerabilities they cannot fix on their own, since security measures like static analysis, fuzz testing and vulnerability testing are too expensive for the everyday website owner and not something web hosts typically invest in.
"We always like to start around the basic principles of security. Things like access control and strong passwords," Perez says. "When it comes to vulnerabilities it is very difficult for end-users because end-users are not developers and don't understand the intricate details of code development and how things interact with each other. What we recommend to them, whether it's our product or not, it's our impression that within the next 12-14 months website firewalls, similar to firewalls you see on networks and infrastructure, are going to become commonplace. There is really no other way for end-users to handle software vulnerabilities."
Ultimately, no matter what level of hosting a WordPress user pays for, they should take responsibility for keeping their plugins up to date, since out-of-date plugins are where most of these security issues originate.
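For site owners who, like the WPEngine customers quoted above, prefer to apply upgrades themselves rather than have a host do it automatically, the minimum is knowing which installed plugins are behind. The script below is an added example written for this page, not code from the WHIR, WPEngine or Sucuri. It reads the standard WordPress plugin header block (the `Plugin Name:` and `Version:` lines at the top of a plugin's main PHP file, a real WordPress convention) and compares each installed version against a manifest of latest known versions. The plugin names, file contents and version numbers are constructed for the example; in practice the manifest would come from the plugin update feed, and the file contents from each directory under `wp-content/plugins`.

```python
import re
from typing import Dict, List, Tuple

# Matches the standard WordPress plugin header fields inside a PHP comment block.
# Leading comment punctuation ("/*", " * ", "//", "#") is tolerated, as WordPress itself does.
_HEADER_RE = re.compile(r"^[ \t/*#]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE)


def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Extract 'Plugin Name' and 'Version' from a plugin's main PHP file (first match wins)."""
    fields: Dict[str, str] = {}
    for key, value in _HEADER_RE.findall(php_source):
        fields.setdefault(key, value)
    return fields


def version_key(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '2.6.7' into a tuple of ints.
    Only numeric components are kept; pre-release suffixes are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_outdated(installed: str, latest: str) -> bool:
    """True if installed < latest. Shorter tuples are zero-padded so '1.0' == '1.0.0'."""
    a, b = version_key(installed), version_key(latest)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit_plugins(installed_files: Dict[str, str],
                  latest_versions: Dict[str, str]) -> List[dict]:
    """Report the update status of every installed plugin.

    installed_files maps a plugin slug (its directory name) to the text of its main PHP file.
    latest_versions maps a slug to the latest known version string.
    A plugin missing from the manifest is flagged rather than silently treated as current.
    """
    report = []
    for slug, source in sorted(installed_files.items()):
        header = parse_plugin_header(source)
        installed = header.get("Version")
        latest = latest_versions.get(slug)
        if installed is None:
            status = "no-version-header"   # cannot audit; inspect the plugin by hand
        elif latest is None:
            status = "unknown-plugin"      # no reference version; needs manual review
        elif is_outdated(installed, latest):
            status = "outdated"
        else:
            status = "current"
        report.append({
            "slug": slug,
            "name": header.get("Plugin Name", slug),
            "installed": installed,
            "latest": latest,
            "status": status,
        })
    return report


# Constructed sample data for the example (hypothetical plugins and versions, not real releases).
SAMPLE_PLUGINS = {
    "example-newsletter": "<?php\n/*\nPlugin Name: Example Newsletter\nVersion: 2.6.5\n*/\n",
    "example-seo": "<?php\n/**\n * Plugin Name: Example SEO\n * Version: 2.1.4\n */\n",
    "example-gallery": "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 1.0\n*/\n",
    "example-thumbs": "<?php\n// a stray script with no plugin header at all\n",
}
LATEST_VERSIONS = {
    "example-newsletter": "2.6.7",
    "example-seo": "2.1.4",
    "example-gallery": "1.0.0",
}

if __name__ == "__main__":
    for row in audit_plugins(SAMPLE_PLUGINS, LATEST_VERSIONS):
        print(f"{row['status']:<18} {row['slug']:<20} installed={row['installed']} latest={row['latest']}")
```

The audit is read-only on purpose: it tells the owner what is behind without touching the site, which is the behaviour the polled customers asked for. Treat both "unknown-plugin" and "no-version-header" as findings, not noise; a file under the plugins directory that carries no header is exactly the kind of thing a file scan should surface.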
Article source: http://www.thewhir.com/web-hosting-news/even-managed-wordpress-hosting-end-users-must-proactive-security