This article gets technical. But I had to write it so I didn’t have to continually repeat the same points during internet discussions of a new WordPress security plugin. First, the background:

The New WordPress Security Plugin

Recently a slick marketing campaign has effectively promoted a new WordPress security plugin. A video promoting the plugin demonstrates a successful attack on a WordPress site. The voiceover claims that two popular security plugins Sucuri and WordFence do not effectively defend against this one particular attack type.

But the promoted product does. According to the promoters. So if you buy this one plugin (which I’ll name later in the article) then you can be assured of security for your WordPress site.

Not So Fast!

Like any good ad campaign this one speaks to its audience in the language they understand. However, the campaign targets non-experts while covering a subject that requires expert knowledge. This allows the omission of valuable context. The omissions, combined with misdirection and other FUD factors, amount to outright deceit.

The campaign is deceitful.

What’s The Real Story?

Is it possible that Sucuri or WordFence could miss a vulnerability in a popular plugin? Sure it is.

Is it possible that a new entry to the WordPress security plugin market could defeat this vulnerability? Sure.

Do these facts say anything about the value of any of these plugins? Possibly. But only in a very limited sense.

We have to consider a few things:

  • The vendor of the new plugin doesn’t reveal any details about the vulnerability.
  • The vendor of the new plugin has no history of contribution within the WordPress community.
  • The vendor doesn’t specialise commercially in WordPress products.
  • The source code of the plugin hasn’t been released under the GPL license.
  • Since the video was released, WordFence and Sucuri most probably now provide protection against the vulnerability. It’s very unlikely that they don’t. But the original video is still in circulation.

So the claims in the video aren’t outright false. But they are still deceitful.

Vulnerabilities are discovered within any set of web technologies all the time. And every week new vulnerabilities are discovered by all vendors of defensive products who then update their products. I would be very surprised if the Big Scary Vulnerability shown in the video wasn’t fixed within a couple of days of the ad being launched.

WordPress Security Plugins And Community Contribution

Sucuri and WordFence compete. One of the domains of their competition is in their community contribution. They each have public blogs and newsletters. Every serious WordPress consultant consumes from at least one of these channels.

The new product is called ‘wp siteguardian’. If you search for it on Google you’ll find a very slick advertising page that tells a brilliant story, complete with misdirection about the nature of security, WordPress security, and the WordPress security plugin market.

What you won’t find is any substantial information on security. The kind of information that other players in the market provide plentifully and for free.

You also won’t find any real attempt at client education. Something that WordFence and Sucuri offer for free and in great quantity.

Consider: when WordFence have discovered new, high-impact vulnerabilities they have alerted the community.

What they haven’t done is hidden the details of the vulnerability while using them to scare the crap out of people until they open their wallets. Unlike the WP Site Guardian.

WP Site Guardian have displayed no affinity with the WordPress community. That doesn’t mean that their product doesn’t work. But having shallow roots makes for poor positioning. Especially in terms of technical expertise. And WordPress security requires technical expertise.

And You Won’t Find The Source Code

WP Site Guardian has not opened their code. Moreover the vendor has stated in Facebook discussions that he has no intention to do so. He has stated that the code is not covered by the GPL.

That is to say: WP Site Guardian most probably violates the license of WordPress by failing to cover their own WordPress Security Plugin under the GPL. In doing so, they both hide the quality of their own code while violating the rights of their own customers.

Any complete conversation around this is nuanced and should be had in detail. The opinion of Matt Mullenweg, the Lead Developer of the WordPress Foundation and original developer of WordPress itself, is that all themes and plugins are covered by the GPL.

Customer rights aside, refusing to apply the GPL to WordPress derivative works makes them less secure.

The Worst Thing About The Advertising Of The New Security Plugin

The target audience of the advertising campaign has a problem. They aren’t in a position to navigate the advertised claims. They don’t know the context. They don’t understand the threat model.

And that’s fine. Consumers shouldn’t be obliged to learn the fine details. That task is for expert consultants.

After purchasing the WP Site Guardian the customer will feel like they have “purchased security”.

But they haven’t. And they can’t. Because “buying security” is impossible. Genuine security for WordPress requires expert knowledge. And an application of the Defense In Depth principle.

WordPress consumers deserve better.

When it comes to self-hosted instances of WordPress, security policies must be enacted. WordPress security is taken care of for users of wordpress.com or managed WordPress hosts.

However, when we are managing our own sites or client sites then we have to create our own security policies and deploy the right tools to implement those policies.

Wordfence is a great tool for this purpose. And today it announced the launch of version 6. The announcement is here.

The new update maintains a free version of its offering while adding support for IPv6. The launch post describes the rationale behind that decision.

I like Wordfence for its version of a lightweight Web Application Firewall and its built-in scanner. The scanner automatically checks core, plugin and theme files by comparing known file versions against the files actually installed. Differences are flagged. There’s a much larger set of features in both the free and premium versions. But those are the features I particularly like.
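To make the scanner idea concrete, here is an added illustration (my own code, not Wordfence’s) of a known-good manifest check: hash the installed files, compare against a stored manifest of SHA-256 values, and flag modified, missing and unexpected files. The directory, file names and contents are constructed for the demo.

```php
<?php
// Added illustration of a file-integrity check: compare installed files against
// a manifest of known-good SHA-256 hashes. Not Wordfence's code; demo data is constructed.

function build_manifest(string $dir): array {
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        // Store paths relative to $dir so the manifest is portable between hosts.
        $rel = substr($file->getPathname(), strlen($dir) + 1);
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    return $hashes;
}

function compare_manifest(array $known, array $installed): array {
    $report = ['modified' => [], 'missing' => [], 'unexpected' => []];
    foreach ($known as $path => $hash) {
        if (!isset($installed[$path])) {
            $report['missing'][] = $path;          // shipped file was deleted
        } elseif (!hash_equals($hash, $installed[$path])) {
            $report['modified'][] = $path;         // shipped file was altered
        }
    }
    foreach (array_diff_key($installed, $known) as $path => $_) {
        $report['unexpected'][] = $path;           // file the vendor never shipped
    }
    return $report;
}

// Constructed demo: snapshot a "known-good" tree, then tamper with it.
$dir = sys_get_temp_dir() . '/wp-integrity-demo';
@mkdir($dir, 0700, true);
file_put_contents("$dir/plugin.php", "<?php // original release\n");
$known = build_manifest($dir);

file_put_contents("$dir/plugin.php", "<?php // original release\n// injected line\n");
file_put_contents("$dir/extra.php", "<?php // not part of the release\n");
print_r(compare_manifest($known, build_manifest($dir)));
```

In practice the manifest comes from the vendor’s release (which is why the scanner only works for files whose known-good versions it can fetch), and anything under ‘unexpected’ or ‘modified’ deserves a manual look before it is trusted.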

Of course one tool does not a security policy make. Security depends on more than tooling, and ‘defence in depth’ is key. WordPress security requires defence at the levels of the network, the server, the application and the user.

Having said that, WordFence is a great start for application-level security.

In my recent post on OWASP Day 2015 I remarked that WordPress.org itself takes security seriously. I mentioned the recently-released WordPress Security White Paper and pointed to the documents on hardening WordPress.

Of course WordPress.org doesn’t exist in a vacuum and has a tight feedback loop with its wider community. This in itself may be one of the secrets of success both of the CMS itself and the ecosystem.

The Problem

Due to its popularity in the shared hosting space, self-hosted WordPress is capable of running on old, outdated versions of PHP, including versions that haven’t been getting security updates for three years. This is the result of a design decision by core developers: new installations should not break existing websites. It’s both a feature and a bug.

Of course running on old, unsupported versions of PHP creates security liabilities. A professional developer will, at the very least, raise these issues with site owners where such issues exist. But the reality is that some substandard hosts continue to provision older versions of PHP. And many existing sites live on old hosts that haven’t been updated.

An Approach to a Solution

A community project called wpupdatephp exists. It provides a PHP library “… to be bundled with WordPress plugins to enforce users to upgrade to PHP 5.4 or higher hosting.” The project also aims to raise awareness among site owners of the risks of running insecure versions of PHP, and furnishes template email content for owners to include in requests to their hosting company.

The core functionality of the plugin can be seen in the readme viewable on github.
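The enforcement pattern the library describes, as an added illustration rather than wpupdatephp’s own code: a plugin bootstrap that checks the interpreter version before loading anything else, shows the admin why it refused, and deactivates itself instead of fatal-erroring the site. The plugin name, constant and the included file are made up for the example.

```php
<?php
/*
Plugin Name: Example Minimum PHP Gate (illustration only)
*/
// Added illustration of the "enforce a minimum PHP version" pattern. Not the
// wpupdatephp library's code. This bootstrap file deliberately avoids syntax newer
// than PHP 5.2 (no [] arrays, no __DIR__) so that an old interpreter can parse it
// far enough to display the notice instead of dying with a parse error.

define('EXAMPLE_GATE_MIN_PHP', '5.4.0');   // constructed minimum, matching the library's target

function example_gate_php_is_supported() {
    return version_compare(PHP_VERSION, EXAMPLE_GATE_MIN_PHP, '>=');
}

function example_gate_admin_notice() {
    // Escape before output: this lands in the admin HTML.
    echo '<div class="notice notice-error"><p>'
        . esc_html(sprintf(
            'Example Gate requires PHP %s or newer; this server runs PHP %s. '
            . 'Ask your host to upgrade, then reactivate the plugin.',
            EXAMPLE_GATE_MIN_PHP,
            PHP_VERSION
        ))
        . '</p></div>';
}

function example_gate_bail() {
    // Deactivate ourselves so the site keeps working, and drop the "activate"
    // query flag so WordPress does not show a misleading "Plugin activated." message.
    if (!function_exists('deactivate_plugins')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    deactivate_plugins(plugin_basename(__FILE__));
    unset($_GET['activate']);
}

if (!example_gate_php_is_supported()) {
    add_action('admin_notices', 'example_gate_admin_notice');
    add_action('admin_init', 'example_gate_bail');
    return;   // nothing below this line runs on an unsupported interpreter
}

// Only code that may legitimately use newer PHP features is loaded past the gate,
// so an old interpreter never has to parse it. (Hypothetical file for the example.)
require_once dirname(__FILE__) . '/includes/main.php';
```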


OWASP (The Open Web Application Security Project) is a volunteer-run, non-corporate global organization devoted to making the web a safer place. It provides resources for developers and businesses to help them secure their assets. Its many notable projects include the OWASP Top Ten: the canonical list of the ten most likely types of threat to web applications.

The New Zealand chapter organized another fantastic, amusing and enthralling OWASP Day, an event aimed mostly at developers. But it is also of interest to anyone with responsibility for managing (securing) infrastructure.

If that sounds a little dry, you should have seen the metal-as t-shirts worn by the Insomnia crew.

Observations and Thoughts

Pedro Worcel’s presentation ‘CMS Hell’ made an interesting contrast with Nick von Dadelszen’s presentation.

Pedro discussed his own testing of the NZ internet for CMS vulnerabilities. Pedro introduced droopscan, a vulnerability scanner for CMSs. It looks like a really useful tool, and I’ll definitely be experimenting with it.

Nick’s talk involved discussion of Section 252 of the Crimes Act, which describes penalties for “accessing computer systems without authorisation”. Nick focused on “passive” scanning for vulnerabilities, that is, techniques that can’t be described as possible violations of Section 252.

One of my takeaways from these two presentations is that a lot of security research that I and others would consider ethically legitimate could be interpreted as a violation of the Crimes Act. Even if the resulting research is capable of making the web safer.

The content of Nick’s talk can be obtained here. (warning: pdf)

Defending WordPress

Adam Bell from Lateral Security presented a case study that provided a cautionary tale about a failure of Defense In Depth. A notorious and very young system cracker had successfully attacked a site managed by the presenter. Adam introduced the log analyser Splunk and described his forensic strategy.

My takeaway was that the weakest link will render the entire chain useless. Something anyone who works around security already knows. But this can be sobering when we consider the possible effect on business. When customers pay for “security”, they tend not to understand that “security” is a thing that can’t be bought. It can only be defended. But the old maxim holds true: any attacker with sufficient time and skill will always win.

WordPress itself takes security very seriously. WordPress.org has maintained a document for developers and admins on Hardening WordPress for many years. This week they released the WordPress Security White Paper, which I read as an overview of the security environment of the WordPress world. It applies the OWASP Top Ten to the WordPress world and is required reading for anyone serious about defending WordPress. (Or, for that matter, attacking it.)