Is WordPress’ security vulnerable at its core?
To my chagrin, my blog is telling me that it’s time to upgrade again.

It’s an urgent security release: if you allow registration on your WordPress blog, registered users can edit other users’ drafts. The WordPress development blog also mentions the vulnerability in the WP-Forum plugin that I wrote about recently. This is the first time I’ve seen WordPress themselves mention a plugin security problem. It must be really serious.
Can we discuss WordPress’ security for a sec?
I know that WP fans say that the reason there are so many security breaches is that WordPress is so popular and widespread: more people try to hack it.
WordPress detractors say that there is no excuse: WP gets hacked too much, has too much spam, and has too many security problems.
So which is it? Let’s take a look at what a pretty objective group of people have to say about WordPress security: BlogSecurity.net.
BlogSecurity.net is a great blog that reports on social-networking and blog security. A large percentage of their posts are dedicated to WordPress issues. This could be because WordPress is so popular and they’ve decided to dedicate most of their energy to covering it, or it could be because WordPress has more security issues to report on.
It seems to be the latter, and BlogSecurity.net addressed the general issue of WordPress security recently:
We have seen a lot of critical vulnerabilities being discovered in WordPress core and its plugins of late, who is to blame?…
One of the major problems I see with WordPress is that it provides little (if any) protection against input validation attacks. So where does the problem lie?
One of the main problems lies in the way WordPress sanitises user input….
If WordPress is going to get serious about security, we need to come up with hardcore secure functions that the WordPress core and its plugin developers can use. These functions should take the security considerations out of the plugin developers’ hands and be secured from within the WordPress core!…
This is one area, where I think blogging platforms like Drupal do a far better job! (my bold)
So is WordPress insecure by design? The answer seems to be yes!
Ramifications? I don’t know. I’m not jumping ship any time soon because no other blogging or CMS platform offers what WP does: flexibility, ease of use, extensibility, and great community support.
I’m no software developer, but I would say that it’s probably in Automattic’s interest to concentrate all their efforts on tightening up security issues now, and only once that’s done to add any new features they had planned for the next release.
——————————
Here are some other plugin vulnerabilities that were recently discovered, in case you missed them:
WordPress WassUp Plugin “to_date” SQL Injection Vulnerability
WordPress AdServe Plugin “id” SQL Injection
WordPress WP-Footnotes Plugin “admin_panel.php” Cross-Site Scripting
dmsguestbook, st_newsletter, Wordspew, wp-footnotes vulnerabilities
wp-calc & wp adserv plugin vulnerabilities
Category: News & Views

I don’t think that’s quite right. For one thing, some of the things DK suggests are implemented in the development version of WordPress, which will be released as version 2.5 in the spring.
It’s not really fair to say WordPress is “insecure by design” when steps are and have already been taken to address those general issues.
And to be fair, the WP developers are pretty quick about addressing security issues when discovered: it took less than two days for the recent XML-RPC bug to get a patched release.
Austin – I know that WordPress acts quickly when problems are identified to fix them. But the point made by BlogSecurity.net is that there is a fundamental problem with the WP core. Do you think that is the case?
I know nothing about the fundamental security of WordPress; that is far beyond my skill base. But WordPress is the most popular large-scale web-based open source software of all time (I think), and so is being subjected to far more scrutiny and attack than any other piece of web-based software in the short history of the internet.
There have been programs with more users, but as far as the number of complete noobs using it and installing it, I’m pretty sure WordPress is top of the pile.
Perhaps this is an overriding factor in WordPress’s security problems?
No. Let me elaborate on what I said above. When he mentions specifics, DK argues that what makes WordPress insecure is 1) that it should be “providing a proper set of SQL safe functions” 2) WordPress should use mysql_real_escape_string(), and 3) WordPress should “have clearly defined coding standards and security policies.”
1) Is true in development WordPress, which implements the prepare method of the WPDB class.
2) Is tricky. WordPress supports a variety of character encodings in databases, and mysql_real_escape_string() doesn’t play nicely with all of them. Right now there’s a Trac ticket in which people are trying to work this out.
3) Is more of a documentation issue than a WordPress issue, and it has to do more with plugin authors than WordPress itself.
I think it’s unreasonable to expect developers to anticipate every possible attack vector. Rather, we should expect them to respond quickly to security flaws when discovered (which WP does) and to follow secure coding practices as much as is possible (which WP generally does).
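The following is an added example for this discussion; it is not code from the post, from BlogSecurity.net or from WordPress itself. It shows the class of bug behind the “id” and “to_date” SQL injection advisories listed at the end of the post (a request parameter spliced straight into the SQL text) next to the parameterised form that the “SQL safe functions” point in the comments is asking for. It runs offline against an in-memory SQLite database through PDO; the table, its rows, the column names and the payloads are all constructed for the example and are not the WassUp or AdServe schemas.

```php
<?php
// Added example, not code from the page or from WordPress. Demonstrates an
// "id" (numeric) and a "to_date" (string) parameter concatenated into SQL,
// beside the bound-parameter versions. Table and rows are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visits (id INTEGER PRIMARY KEY, page TEXT, visit_date TEXT)');
$db->exec("INSERT INTO visits VALUES (1, '/about', '2008-01-10')");
$db->exec("INSERT INTO visits VALUES (2, '/admin-only', '2008-02-20')");

// --- Vulnerable: the request parameter becomes part of the statement ------

// Numeric parameter with no quoting in the query: whatever follows the number
// is parsed as SQL, so "1 OR 1=1" turns the WHERE clause into a tautology.
function visit_by_id_vulnerable(PDO $db, $id) {
    $sql = "SELECT page FROM visits WHERE id = " . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// String parameter inside quotes: a single quote in the input closes the
// literal early and the remainder of the input is again parsed as SQL.
function visits_until_vulnerable(PDO $db, $to_date) {
    $sql = "SELECT page FROM visits WHERE visit_date <= '" . $to_date . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// --- Hardened: the statement text is fixed, values are bound separately ---

function visit_by_id_safe(PDO $db, $id) {
    $stmt = $db->prepare('SELECT page FROM visits WHERE id = :id');
    // The cast also enforces the type the plugin expects: "1 OR 1=1" becomes 1.
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function visits_until_safe(PDO $db, $to_date) {
    $stmt = $db->prepare('SELECT page FROM visits WHERE visit_date <= :to_date');
    // The driver sends the value as data, quote characters included, so it
    // can only ever be compared against, never executed.
    $stmt->bindValue(':to_date', $to_date, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed payloads, in the form a plugin would receive them in $_GET.
$id_payload      = '1 OR 1=1';
$to_date_payload = "2008-01-01' OR '1'='1";

print_r(visit_by_id_vulnerable($db, $id_payload));
print_r(visit_by_id_safe($db, $id_payload));
print_r(visits_until_vulnerable($db, $to_date_payload));
print_r(visits_until_safe($db, $to_date_payload));
```

Run with `php example.php` (pdo_sqlite is bundled with most PHP builds). The two vulnerable functions return both rows, including the page the filter was meant to hide, because the payload rewrote the WHERE clause; the hardened functions return only row 1 and no rows respectively, because the payload was treated as a value to compare against rather than as SQL. In a real plugin the same idea is the `$wpdb->prepare()` method mentioned in the comment above, for example `$wpdb->get_col( $wpdb->prepare( "SELECT page FROM {$wpdb->prefix}visits WHERE id = %d", $id ) )`, where `%d` forces an integer and `%s` adds its own quoting. The reason `mysql_real_escape_string()` is tied to the character-set problem the comment describes is that it escapes according to the character set of an open MySQL connection, which is why a bound parameter or `prepare()` call is the more dependable route for plugin authors.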
[...] yes, I know that virtually EVERYTHING is rife with vulnerabilities: the debate is fierce and will thrive for some time. At the same time, Zope and Plone have been relatively safe from exploits - yet, [...]