WordPress Security Issues

Hacks are ALWAYS a WordPress Issue

by Ben Cook on April 14, 2010

Any time a WordPress site is hacked, it becomes a WordPress problem.

Now don’t get me wrong, hacks happen.

Unfortunately that’s just a fact of life in our online world. When a platform becomes popular enough, the ne’er-do-wells will eventually attack it.

WordPress is no exception.

It’s been the target of countless attacks and hacks over the years; some because of vulnerabilities in its code, but most due to vulnerabilities in plugins, servers, or outdated versions.

I recently reported on a nasty attack that’s been targeting WordPress sites with Google cloaked pharmaceutical spam. Just days later, a different hack hit the WordPress installs of many Network Solutions customers.

Disclaimer: I’m the SEO Manager for Network Solutions. I had no involvement in the recent WordPress episode on a professional level. Also, this blog does not, and never has spoken for NetSol. I’m not an official rep for the company or anything like that. I’m simply a big fan of the WordPress platform.

In reading Network Solutions’ blog posts, it seems the WordPress community was very helpful in this situation. However, the sentiments expressed following these hacks, and readily apparent in Matt’s recent post, are what I’m calling into question.

There was so much press about WordPress hacks going around that Matt Mullenweg felt the need to address the issue in a blog post published yesterday. While he was talking specifically about the NetSol attack, the impression I got from that post is “if the vulnerability isn’t in the core code of WordPress, it’s not our problem.”

Not My Problem

When the “pharma hack” was reported in the WordPress support forum, as well as in the WPtavern forum, several replies seemed to reprimand the poster for suggesting it could be a WordPress issue, and said that a smoking gun would be needed before it would be taken seriously.

It was in fact that sentiment, and the lack of coverage about the ongoing pharma hack, that prompted me to cover the attack again, despite it having already been mentioned months ago on several different sites!

Again, let me be clear. I’m by no means suggesting that all hacks are due to faults in the WordPress code. In fact the large majority aren’t.

However, they ALL impact the community, the platform’s brand, and should be dealt with swiftly and aggressively. In short, they’re ALL WordPress’ problems to deal with.

Thousands of WordPress users are being hit with the “pharma hack” (Google has just under 2 million results for title tags that match the hacked pattern) and WordPress hasn’t said a word about it.

Mark Jaquith has reached out privately to a few people and there’s finally a thread on the support forums that didn’t get deleted, but we still don’t have the vulnerability pinned down months into this attack. Chris Pearson has been tweeting about it, in an attempt to solve the issue, but that only earned him a lecture from Matt!

Whether WordPress is the source of this problem or not, if no solution is found, what option will these blogs have other than to stop using WordPress? Sure it might not be WordPress’ fault, but if another platform isn’t being exploited in this way, it won’t much matter.

Brand Damage

WordPress has earned a well deserved reputation as a great CMS. However the frequent updates, many of them security related, have also earned it a reputation of being insecure.

Users who don’t update to the latest version are obviously posing significant security risks, but every time they get hacked, it’s one more person that has a WordPress hack story to tell. Every hack that targets a WordPress plugin is another Do Matt and others within the community really not care whether WordPress’ reputation is damaged in this fashion?

Defensiveness

The root of this “not my problem” attitude is likely defensiveness. No one wants to be at fault when a hack happens. And WordPress gets more than its fair share of accusations. Since WordPress is developed by a team of volunteers, it’s easy to see why they would take offense at these accusations.

However, with as many security releases as WordPress has put out in the last year or so, it’s certainly not unreasonable to suspect the platform could be the source of a vulnerability. Yes, security releases mean that a threat is being dealt with, but it also means that exploits were there in the first place.

As I said, hacks happen. The WordPress dev team has very limited resources. Unfortunately there are probably thousands of hackers out there right now trying to figure out how to exploit the platform.

The fact of the matter is it’s only a matter of time until the next one is found. That doesn’t mean the WordPress team is made up of horrible people. It just means they’re out-manned.

What would you have us do?

Thankfully, there are several actions the WordPress community (myself included) can take to improve this situation. They include:

  • Be more vocal in praising the WordPress developers for improvements and successes.
    Sure there’s more motivation to comment or blog when you’re upset. But if the team deserves criticism, then they also deserve credit when they succeed (which happens much more frequently than the slip-ups). I’m one of the chief perpetrators of this and resolve to do better in the future.
  • Volunteer to beta-test new releases.
    The WordPress dev team is always looking for more testers. The more people looking at the beta releases, the better chance problems will be found before the full release, thus preventing more of the updates we all love to hate.
  • Don’t take criticism personally.
    This one isn’t easy but just because someone suggests there could be an issue with your theme, plugin, or even platform, doesn’t mean they hate you. Mistakes happen. Let’s figure out how to fix the problem and move on.
  • Discuss hacks openly.
    One of the biggest mistakes I see being made right now is that information about hacks and vulnerabilities is often treated like a state secret. While I certainly can see the merit in keeping information about how to perpetrate a hack private, in today’s Twitter world, everyone is going to know when an attack happens. You’re not going to keep the discussions from happening, so you might as well bring the conversation onto your own turf. When something surfaces that’s affecting thousands of WordPress users, you need to address it.
  • Face the facts.
    Whether it’s earned or not, WordPress has a reputation as being a security problem. The very fact that WordPress gets so many hack reports proves that people are naturally inclined to blame the platform. Realizing and accepting that will make it easier to go about fixing it.
  • Hire more security experts.
    One of the biggest ways to change the security reputation would be to hire more security experts. It’s obvious the team will never be able to compete with the number of would-be hackers out there. However, by publicly hiring security experts, you’d not only be making a good PR move, you’d improve the product as well. More folks focusing on security would allow more thorough review of plugins and themes that are submitted, as well as more active pursuit of ongoing hacks or attacks.

Your Suggestions

Thankfully, the WordPress community is full of people a lot smarter than me. I’m by no means a security expert (as I’m sure you’ve seen over the course of the last few posts) but there are plenty of you out there. What kinds of suggestions do you have? How can WordPress improve the security situation, or are things fine the way they are?

image source: rpongsaj
