25 thoughts on “Keep WordPress Secure”

  1. Matt,

    I’m rather appalled by the security of wordpress of late and your handling of it in this post. Firstly, this problem started a month ago; here’s the proof: http://wordpress.org/support/topic/297639?replies=58. Why wasn’t this investigated and a fix released immediately? Which brings me on to why a fix still hasn’t been released a day since the crisis began. There are still huge vulnerabilities in the source code. It just happens that changes in 2.8.3 make the current “hack” impossible to achieve. For me this hack brings to light 3 major vulnerabilities.

    How are you going to deal with the millions of wordpress blogs which are currently vulnerable? And more importantly, how are you going to stop this from ever happening again? It is simply not true that you could not have predicted this attack; all attacks are possible, and therefore security should be increased to protect users as much as possible. I would very much like to hear (and I guess most wordpress users would like to hear) the answers to these questions.

    Of course, it is unfair to solely blame you. All of us in the wordpress community should accept that we could have prevented this incident. However, it is fair to say that you influence the community the most, and thus I am addressing these questions to you.

    1. “Why wasn’t this investigated and a fix released immediately. Which brings me on to why a fix still hasn’t been released a day since the crisis began?”

      This probably was fixed over two months ago. There are no new releases today, the current version of WordPress is completely secure against this worm.

      “There are still huge vulnerabilities in the source code.”

      Then you should report them immediately to security@wordpress.org — there are no known problems at this time.

      “How are you going to deal with the millions of wordpress blogs which are currently vulnerable?”

      Exactly what we have been doing: We’re going to build in a one-click upgrade and tell everyone they should upgrade.

      “And more importantly how are you going to stop this from ever happening again?”

      No software in the world can guarantee they will never have a bug or security issue in the future, anyone who does is trying to sell you something. All we can do is be proactive about fixes for problems that haven’t happened yet (which we are, in fact there’s an audit going on right now) and make solutions for problems that do arise available as quickly as possible, often within 24 hours of the problem being reported.

      1. 1. Vulnerability using the double slash vector. Kind of fixed by adding current_user_can(‘manage_options’) but function user_can_access_admin_page() is still broken due to incorrect setting of $pagenow in vars.php.

        2. I don’t know the specifics of the vulnerability but I know that somehow hackers have found a way of exploiting the permalink variable in xmlrpc.php to execute arbitrary code. I am still investigating this but this is difficult since I don’t have access to the variables the hackers used.

        3. XSS vulnerability due to no sanitation of username when retrieved from the database. This allowed the attacker to hide the extra administrative user using javascript.

        The hack was at least 3 months old http://www.markturner.net/2009/05/27/mt-net-recovers-from-another-hack/ before the 2.8.3 update.

      2. Could you email #1 to security@wordpress.org? I don’t understand that sentence. #2 isn’t specific to XML-RPC: once they have backdoored your permalink structure in the DB they can execute code from any URL. As for #3, in many places in the application we sanitize when things come in, not when they come out. This was a performance decision — sanitation code is expensive to run, especially dozens or hundreds of times on the same page. After ‘WP is insecure’ people love to attack that ‘WP is slow’; we can add outgoing sanitation on every value in the DB, but it’s far more efficient to make sure bad stuff doesn’t get in the DB in the first place.
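The exchange above (the hidden-admin XSS in #3 and the input-side versus output-side sanitation trade-off) is the kind of thing a short example makes concrete. The following is an added illustration, not code from WordPress or from anyone in this thread; the `$rows` array, the function names and the two usernames are constructed stand-ins for a users table. It shows why a row written straight into the database (the worm’s path, bypassing any input filter) still renders harmlessly when values are escaped on the way out.

```php
<?php
// Added example (not WordPress code). Two independent layers:
//  1) an input-side allowlist filter, run when a username is created
//     through the normal application path;
//  2) an output-side HTML escape, run every time a stored value is
//     placed into a page, regardless of how it got into the DB.

// Input-side: keep only characters the allowlist permits.
function filter_username_on_input(string $raw): string {
    return preg_replace('/[^a-z0-9_.\-@ ]/i', '', $raw);
}

// Output-side: escape for an HTML text context (quotes included).
function esc_for_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Render an admin user list from rows as they came out of the DB.
// $escape_output toggles the output-side layer so both behaviours can be compared.
function render_user_list(array $rows, bool $escape_output): string {
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $name = $escape_output
            ? esc_for_html($row['user_login'])
            : $row['user_login'];
        $html .= "  <li>{$name}</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed rows: 'alice' went through the input filter; the second row
// stands for an entry inserted directly into the DB by a backdoor, so the
// input filter never saw it and its login field carries markup.
$rows = [
    ['user_login' => filter_username_on_input('alice')],
    ['user_login' => 'eve<script>/* attacker-controlled */</script>'],
];

// Without output escaping the markup reaches the browser intact and can
// manipulate the page (e.g. hide its own <li>); with escaping it is inert text.
echo render_user_list($rows, false);
echo render_user_list($rows, true);
```

The cost Matt describes is real, which is why output escaping is usually applied only where a DB value meets HTML rather than on every value read, but that narrower application is still needed because input filtering only covers data that entered through the application.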

      3. Hi Matt,
        I am glad I finally found your personal blog. You rock, man. I admit I became a WP addict. WP changed my life completely in the last 3 months.
        My WP website BREEAM Club “Fivicons” is performing so well lately and is maintained so easily it is almost scary for a 37 year old architectural engineer.
        The incredible reliability of your software is something I have never seen and I want to thank you for making this all happen for me. THANK YOU!

        About the worm I have to say that I have been spared this time. Unfortunately it is so that we have to secure ourselves every time, all the time, and keep up-to-date in responding to these everlasting threats. Your WP is destined to overcome the threats very quickly, but in the end this game is always won by the attacker. Good luck helping us survive!

        I started with WP 2.8, and 2.8.3 seems to work perfectly with Akismet. No attacks yet, only some spam attempts. A similar problem happened yesterday when my %^&& keys were altered. Whether this had to do with WP or another joker attempt I don’t know. No harm done.

        Hopefully the spammers and hackers of this world will finally start to realize we want them to use their creativity in a more sustainable and constructive way.
        My site is a perfect way to start. Yours too.

        So, creators of this world: search for a Remixer’s Manifesto on the net and learn about the boundaries of your creativity and start sharing your sustainable expressions on the web.

        All the best and thanks again for WP.

  2. Hi, Matt. I agree with your rebuttal on Thomas’s comment. You and the WP community have been and still are doing the things necessary to keep the blogs out there secure. (Proactive) is the word you used.

    Thomas !!… I do think it is naive to think that software of any description can be “secure” completely, now and into the future. WP has done a good job of being proactive on past security issues. If blog owners do not heed the warnings, then they have only themselves to blame for any breach of their respective blogs. I trust though you have upgraded your WP blog(s) given the latest scare.

  3. I think the WordPress team does an outstanding job at reacting quickly and accurately to threats as they arise. It’s impossible to anticipate every kind of attack that a devious hacker can devise, so all you folks can do is anticipate and fix what you can ahead of an attack, then deal with the ones that slip through the cracks as quickly as you can. I for one am very satisfied with the timeliness of your security responses.

  4. Rod, yes, it’s possible to make applications more secure. I agree that it’s not easy and that there will be issues, but WordPress’s track record has been awful in this area.

    Matt, how about taking security more seriously? We can forgive the ‘mostly’ awful php source code WP has, but please do improve things, and please do treat your code like poetry.

    For now, “code is poetry” is laughable. Start treating it like one.

    I do support WordPress one way or another (e.g. donated to the plugin developers in the past), and I’m thankful for your effort. But this is 2009, you are / will be millionaires out of this free open source code, you have a moral responsibility to the users.

    “Code is poetry” please.

    1. Chris, if you have some patches that would make WordPress more secure and improve the user experience they would be more than welcome. If you don’t have time for that, maybe just email me your ideas.

  5. I appreciate the dedication of the WordPress team to quickly fixing issues. And I agree that much of the criticism against you is unfounded.

    However, WP has been getting some bad security press lately. I’d love to see a plan (or at least assurance that one exists) for making the platform more secure–not just from known attacks, but from unknown. Perhaps some built-in structure to prevent the amount of damage a hacker can cause, even if one gets access.

    I’m not a programmer, so I don’t know what goes into all that. But I think the community would benefit from knowing that resources are going towards a more secure WordPress overall.

    There will always be users who are slow to upgrade (or never do), but even those of us with the best intention and attention are not always able to upgrade as quickly as we’d like. It’s a difficult situation all around.

    But lastly, I just want to re-emphasize my support for you guys. The entire WordPress product and community is an amazing thing to be a part of, and ultimately I, along with countless others, trust you to guide it. Thanks.

  6. I appreciate your honesty. Bugs, Worms and hacks do arise. That’s never going to stop. But it’s good that you recognize that and work to immediately release security patches.

    And how can we beat 1-click updating? Oh yeah…we can’t.

    Thanks Matt for the hard work on all of this stuff. I love my WordPress blog and if you all stay the same then I’ll stay with you. Keep up the awesome work.

  7. Matt,

    WordPress today is FAR easier to upgrade than it was even a few point releases ago. I think most people haven’t got the message yet — the community should really emphasize how easy WordPress is to upgrade.

    That said, I think WordPress can do a lot more to make upgrades simpler and take less work. For example, updates should happen automatically and should back up data first so there’s no data loss. If an auto upgrade fails the site should be placed in some kind of maintenance mode or reduced-functionality mode. And so on.

    Getting upgrades to work right takes work but it’s totally worth it for users. If Windows could do it so can WordPress 🙂

  8. Thanks Matt for all you do, we were hit once by a hole in a plug-in, our backups and heads down work got our site and 2,000 posts (at the time) back up in about 4 hours.

    One of our service providers sent out a “reminder” about upgrading this weekend since we had done it when “lectured to” on our (your) dashboard, we were all set.

    “How are you going to deal with the millions of wordpress blogs which are currently vulnerable? And more importantly how are you going to stop this from ever happening again?”

    All the buzz has us checking lesser used and test WP installations, that’s a good thing too. So Mr. Miburn, we are going to take accountability for our own actions.

  9. It is good to remind users that upgrading alone is not enough. My blog was hacked into even when I was using the latest wordpress. The most common hack is the SQL injection via your login page or any other un-updated plugin. Installing necessary security plugins such as wordpress firewall should help secure your blog.

    1. If your blog was hacked even though you were on the latest version then WordPress wasn’t the problem: you likely have a backdoor somewhere in your account or an insecure plugin, and you should try to track it down as soon as possible, ideally with help from your web host or a systems person.

  10. Totally agree with the comeback, Matt. Thomas, get real: nothing can ever be totally secure unless you unplug it from the network.

  11. I had several blogs running wordpress and I hated every update because it was always related to exploitable security issues, though I wasn’t that concerned most of the time because I have user registrations deactivated. But still.

    Now I’m using wordpress MU and Donncha O Caoimh’s domain mapping plugin and I’m totally satisfied.

    There is an update? No problem! I click the button and wordpress is fine :).

    Someone in the irc made a request for better code reviews because almost every new release is also a security release. I don’t know if this is true, but if it is, I guess he is not that wrong :).

    However, wordpress is still the best blogging engine available and I also like it as a small cms.


    1. Every change to WordPress is sent out to a mailing list with about 200 people on it, in addition to all the pre-checking and discussion of patches that goes on in Trac. If you’d like to get involved with this review process, drop by Trac and subscribe to wp-svn.

  12. I agree wholeheartedly with Matt. I’ve just had a client complaining after my host got hacked that I shouldn’t allow this kind of thing.
    Of course I don’t, but I cannot guarantee it won’t happen. Hackers by their nature often take on “so called secure” sites just to prove they aren’t. Well done to WordPress for releasing fixes when it doesn’t improve their popularity.

  13. That being said, it might be sound to include this plugin in WP’s core – I can’t count the number of times I forgot to upgrade some blogs under my control, just because I forgot they even existed!

    Many self-hosted blogs are under the surveillance of “a geek guy I know” of sort, and if that friend can’t remember which blog he should be looking after, then the problem just gets harder to solve.

    Built-in update notification for all admins is one great way, IMHO, to have updates applied not only faster, but also in a much broader way.

    And throw in a checkbox for plugins update notifications, too 🙂 (you never know, some plugins might contain that very potential backdoor WP’s core is being proactive against).

  14. Other than the occasional spammer, I am still reiterating what you said at WC Chicago this year in regards to the question about security. People who used hacked code of WordPress may need to refer to what WordPress has been doing to eliminate these issues, or just get the official most up-to-date version.

    As a small webhost on the side, I see what has happened to some of my clients who have hacked versions versus those with the actual and it is amazing the flaws in the hacked versions. Those same people come back and want support. I tell them they should just download WordPress, re-install and go from there. Of course, I always suggest hardening the security as a secondary issue, but as much as I have seen Greymatter and CuteNews go to the potty (trying to not be too vulgar…lol), I have stuck with WordPress for a long time and will continue to stand by the product.

    Thank you for all the work. This is one of those articles I will be blogging about, but I am trying not to sound too smug about it as I knew when the question came up that you were going to respond exactly how you did. I am just glad to see that you have written about it now even though I am sure you have answered the question many times verbally.