Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises, is warning about a series of security issues that affect the update mechanism used by the WordPress CMS.
The developer has taken the extreme step of making these issues public after he was unable to convince the WordPress team to address the problems in private.
Arciszewski points out three main issues
The first issue Arciszewski highlights is a function in the WordPress CMS source code that’s responsible for contacting the WordPress server and downloading the most recent CMS update.
The developer says that this function verifies the validity of the downloaded file only by checking an MD5 checksum, not by verifying a cryptographic signature, as most mature projects do for their update packages.
This particular issue was reported over three years ago but has been largely ignored. Besides core CMS update packages, it also affects the plugin and theme update process.
“The update server is trusted explicitly and implicitly by every WordPress website online,” Arciszewski says.
All WordPress sites have a “single point of failure”
This leads to the second issue, which is that WordPress update servers are a single point of failure (SPOF) in the overall architecture of the WordPress ecosystem.
Since over 25% of all websites on the Internet run on WordPress, a determined attacker who manages to take over the update server can push malicious updates to millions of websites with dire consequences.
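The two points above (a checksum served by the same host as the package, and that host being a single point of failure) can be shown side by side. The following is an added illustration, not code from WordPress or from Arciszewski's guide: a client that pins a release public key rejects a substituted package even when the server delivering it also delivers a matching MD5 digest. The Ed25519 signing scheme, the `Release` struct and the sample package bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Release models what an update server hands the CMS: the package bytes
// plus the metadata the client uses to decide whether to install it.
type Release struct {
	Package []byte
	MD5     string // hex digest served by the same server as the package
	Sig     []byte // detached Ed25519 signature over Package
}

// verifyByChecksum is the weak scheme: the digest travels with the package
// from the same server, so it only detects corruption, not substitution.
func verifyByChecksum(r Release) bool {
	sum := md5.Sum(r.Package)
	return hex.EncodeToString(sum[:]) == r.MD5
}

// verifyBySignature checks the package against a public key pinned in the
// client; a compromised server lacks the private key needed to re-sign.
func verifyBySignature(pinned ed25519.PublicKey, r Release) bool {
	return len(r.Sig) == ed25519.SignatureSize && ed25519.Verify(pinned, r.Package, r.Sig)
}

// publishGenuine is the offline release step: sign with the private key.
func publishGenuine(priv ed25519.PrivateKey, pkg []byte) Release {
	sum := md5.Sum(pkg)
	return Release{Package: pkg, MD5: hex.EncodeToString(sum[:]), Sig: ed25519.Sign(priv, pkg)}
}

// publishFromCompromisedServer models the single point of failure: the server
// can serve any bytes with a matching checksum but can only replay an old signature.
func publishFromCompromisedServer(genuine Release, tampered []byte) Release {
	sum := md5.Sum(tampered)
	return Release{Package: tampered, MD5: hex.EncodeToString(sum[:]), Sig: genuine.Sig}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := publishGenuine(priv, []byte("constructed update package"))
	rogue := publishFromCompromisedServer(genuine, []byte("constructed update package, altered"))
	for name, r := range map[string]Release{"genuine": genuine, "tampered": rogue} {
		fmt.Printf("%-8s checksum ok=%v signature ok=%v\n", name, verifyByChecksum(r), verifyBySignature(pub, r))
	}
}
```

The checksum check passes for both releases; only the pinned-key signature check tells the genuine package from the substituted one.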
The third issue is related to the minimum PHP version the WordPress project has chosen to support, which is PHP 5.2.4.
Arciszewski wants this minimum version raised to PHP 5.6.0, where SSL/TLS support is much better and many security issues affecting older PHP versions are no longer present.
Arciszewski: Security is not in the “WordPress culture”
Despite his best intentions, Arciszewski says that the WordPress project has chosen to ignore his findings. He blames this on the project’s unprofessional approach to security issues.
The WordPress culture, for those who are not aware, prioritizes higher adoption rates over better security. They see backwards compatibility as a usability problem more than a liability.
The WordPress team also promotes the use of the misnomer “responsible disclosure” over the more accurate “coordinated disclosure”, and refuse to entertain suggestions to improve their vernacular.
In short, WordPress is semi-toxic towards improving their own security – mostly out of negligence and stubbornness rather than outright hostility (see: OpenCart [1] [2]).
I don’t believe there’s much chance of fixing this, due to political problems rather than technological problems.
Other WordPress security experts, including the ones at Colorado-based White Fir Design, have criticized the WordPress team in the past for the same disinterest in the CMS's security.
Last year, Arciszewski's efforts to secure web technologies resulted in the WordPress, Joomla, Laravel, and Symfony teams adding support for CSPRNGs (Cryptographically Secure Pseudo-Random Number Generators) to their projects.
To fix the current issue affecting the WordPress update procedures, Arciszewski has put together a comprehensive guide for handling such operations.
Article source: http://www.bleepingcomputer.com/news/security/wordpress-update-process-puts-a-quarter-of-all-sites-on-the-internet-at-risk/