alex sysoef

WordPress 3.0 Security Design That NEED to Be Addressed

Minneapolis St. Paul WordPress User Group #1
Image by Mykl Roventine: Out & About via Flickr

With release of WordPress 3.0 Beta 2 we are inching closer to the main release of the newest version of this very popular blogging platform. I’m quite excited as new version brings us not only a host of enhancements but also some new functionality that was not previously available. Mashable did an excellent job of covering most important new features of the WordPress 3.0 and I will not make any double takes on it.

But new features include ONE particular enhancement and functionality that I think will bite many bloggers and cause a lot of pain and I want to share some thought on how it could be possibly avoided!

I believe that ANY new functionality should not be coming at cost of security!

Unless you’ve lived under the rock I’m sure you heard about all the latest attacks against several hosts which initially believed to be a WordPress issue. Quite frankly I will disagree here that WordPress is at fault and it is in my personal view a host issue. Although the first penetration could be due to outdated installation of WordPress or any other vulnerable script!

An important distinction to understand that leads me to the rest of my article. Security issues can exist in ANY community developed script and WordPress is NOT an exception. In fact we have seen a few exploits against this platform bu developers and community were always quick to act and release patches.

In fact as I have previously wrote on this blog SEVERAL of the exploits relied on “elevation of privileges” exploits.

WordPress 2.8.6 is a security release that addresses 2 vulnerabilities that can only be exploited by active “registered, logged in users who have posting privileges”.

WordPress 3.0 Takes That Danger to a Whole New Level!

A major new functionality added to new version is integration of WordPress MU into the stand-alone blog. I LOVE this functionality and I think many Niche Bloggers will be very much appreciative of this but it opens new doors for exploits and opportunities!

Now you will be able to create MANY blogs under single installation and create community sites, allowing each user have his or her own blog. In fact, I think these type of sites will become the primary target of attacks to take advantage of ANY security flaws related to elevation of privileges due to couple issues:

  1. Right now WordPress doesn’t offer ANY mechanism by default to limit number of failed logins and while WordPress 3.0 allows you to choose username for administrative user to make it harder to guess – targeted attack is still possible via script as most bloggers will use that username to publish blog posts and it will be clearly visible! I highly recommend using some type of plugin to Limit Login Attempts and protect yourself from this fault!
  2. Password complexity is NOT enforced! This one is HUGE and with introduction of ability to create multiple blogs by your registered users in 3.0 it can become the Achilles heel of new version and an opportunity for plugin developers!

Just consider this simple scenario:

  • You choose to create a community site based on WordPress 3.0. You choose all precautions to create secure blog installation, protect it the best you can and keep it up to date while using ONLY good plugins.
  • You allow your visitors and readers to create accounts on your new site and publish their own blogs for FREE (great way to encourage participation). While initial password created by WordPress during registration is complex and secure – your users by default have option to change it, once logged in. While I know that most of your users will be responsible people and security conscious – I can 100% guarantee that there will be at least ONE, who out of laziness will create simple and easy to guess password.
  • Attacker comes and through determined effort (because your community site because extremely popular and presents a brightly painted target) identifies that user, gets his password through brute force guess attack and gains control over his blog. Than using elevation of privileges flaw he proceeds to take control over your entire network and possibly penetrates your hosting account and all other sites on same shared host.

I know that scenario above is very bleak and many might say UNLIKELY but I assure you, if I can think of it, people who scripted latest  attacks a HELL OF LOT smarter than me and a lot more devious when it comes to scripts security and programming.

How to Protect WordPress 3.0?

My personal opinion here is simple…

It should be dev team responsibility to STOP now ignoring the issue and add missing functionality I have pointed out above!

I know it might make WordPress to be perceived as less user-friendly by new adopters but it will be greatly appreciated by their vivid users and supporters! It is long overdue as I don’t believe in functionality through security ignorance! Enforcing passwords complexity and limitation of failed login attempts should be quite simple!

But for now we are left on our own and an opportunity for plugin developers to create new plugin that does a few VERY simple things:

  • Limit Login attempts, similar to what is provided in one plugin I shared or any other similar
  • Enforce password complexity! I couldn’t find any plugin right now that provides this measure and with WordPress 3.0 it could become a MAJOR opportunity!

I know many might bitch about how hard it is to remember strong passwords but here are couple solutions for you:

  1. Use some form of password manager. I use Robo-Form To Go and it makes entire process very simple for me. You can read great review by fellow blogger Gobala here.
  2. Create EASILY remembered but still very strong passwords. And here is how to do it…

Think of a memorable phrase, a common saying or something that will be unique to you and easily remembered. For example:

Chip On Your Shoulder

Now let’s create secure password from this phrase, one that will be hard to guess but easy to remember.

  1. First: let’s take 2 first letters from each word and combine them to create ONE mix of 8 characters: ChOnYoSh
  2. Second: lets replace couple of the alpha character with numeral substitutes easily remembered, I will replace “o” (ou) on “0” (numerical zero): Ch0nY0Sh
  3. Third: let’s replace one of the letters with the special character, normally you can always replace “a” with “@”, “s” with “$”, etc. In our case I will replace “S” (es) on “$” (dollar sign): Ch0nY0$h

Voila! We have just created a VERY strong password that follows all best security recommendations for strong passwords, as it has:

  • 8 characters
  • Upper and lower case characters
  • Mix of alpha and numerical characters
  • Contains at least one special character

…and still easy to remember!

I use this method to create secure passwords for accounts I need to be able to access even when I don’t have my thumb drive with Robo-Form and it never fails.

So now you have NO EXCUSE not to use strong password and developers should get cranking on creating a plugin that enforces it before we are all presented with a another round of hype on security flaw in WordPress! Any script can only be as secure as host it resides on and users that use it!

WordPress 3.0 Multi-Site Correction

05/14/2010 – After going back and forth with Andrea (whose comment you can read bellow) on Twitter I have realized that I wasn’t clear enough in this post on couple MAJOR points (and no, my writing style and CAPS is not one of them 😉 ), which can lead to major missunderstanding:

  1. WordPress MU functionality is NOT presented on new install by default, in fact it will require you to jump through a few hoops prior to install in order to enable it. Read the WordPress Codex on how to get it done.
  2. Many hosts will not support WordPress Network by default.

I still stay with my concerns and even though login attempts limitation is not new to 3.0, I still think with new functionality introduced to the core it simply becomes more of an issue. As I posted in reply to comment – some hosts will decide to separate themselves from the competition by offering Network Installs by default, I’m sure of it and then my “far-fetched” scenario can turn into nightmare.

I do apologize for any confusion my initial unclear writing have caused.

Filed under WordPress
Tags: , , , ,

33 Responses to “WordPress 3.0 Security Design That NEED to Be Addressed”

  1. barney says:

    It is easy thing – and commonly done! – to focus on one aspect of a conversation to the exclusion of all else. It happens every day, at work, at home, at leisure/play. (More than one [bar] fight has been started for just that reason.)

    It’s not quite so easy to ignore the possible incendiary nature of a single concept until the conversation has completed and the whole can be taken in context.

    Several folk commenting here have chosen that 1st path & ignored the 2nd.

    Any discussion involving security will include ‘scare tactics’ … it’s the nature of the beast. Security can only be evaluated _when it fails_. So, any rational discussion of security is likely to include a worst-case scenario. That’s not fear-mongering, it’s rational thought. Before we implement a security _solution_, we need to have a reasonable expectation of what to expect if it fails – what happens when the failsafe fails?

    Andrea_R had several points, some of which violated the precepts of her own post on contributing.

    Some time back, when I first became interested in password strengths, a casual search turned up four (4) of them, which produced four (4) widely variant strength judgements on the same eight (8) character password. So the question is how good is the validator? (TheSpotter, pay attention.)

    Her 2nd & 3rd points have to do with privilege and elevation, an issue which WP has _addressed_, but not _resolved_.

    The 4th point (as well as the 2nd and 3rd)? Don’t tell a developer/hacker that they cannot do something: they will take it as a challenge, do it, and publish it.

    The 5th point is irrelevant to the post upon which you comment – the mention was of a possibility of hacking the server from within WP, not an aim, per se, of taking over the server.

    The following paragraph containded several statements not germane to the discussion at hand – obfuscation & misdirection, whether intended or not. (Oh, yeah, she used caps to complain about caps .).

    Andrea_S seems to have violated several precepts of her own recommended post:
    precepts 1-3, although that is open to interpretation;
    precept 7, to my mind, was definitely violated by the sftp/ftp comment and the closing paragraph.

    (Follow your own advice, young lady .)

    Then Philip M Hofer came up with an extraneous and totally invalid [grandfather] argument that a fault in the discussion has always been there. Does that mean it should remain? As for the analogy, although analogy is always suspect, _yes_ – if the umpire made an obviously bad call, chastise the umpire.

    Although I have [cosmetic] complaints in regard to the post (TheSpotter, you have italics & bold capability – use them!), the meat of the post proposes a real concern. I disagree with a couple of the statements, but the overall concept registers as valid and true.

    While WPMU has been around for a while, it has been in a very tightly controlled environment. This version of WP will release it into the wild, where control will be questionable, at best. The built-in safeguards are simply not adequate to the projected usage. A fairly simple SQL injection attack, while it might not work on, could be sufficient to take control of MU elements in the wild. From there, total control is a possibility.

    • TheSpotter says:

      Thanks Barney,

      I don’t expect everyone to agree with my personal option or like my choice of style used in the post but I feel sometimes that bold or italics simply don’t do justice to emphasize the point.

      I do appreciate the time you took to provide such a detailed comment and obviously glad that my concern rings true for you as well. I know for a fact of hosts planning to provide mass support for WPMU to separate themselves and I see it becoming (higher priced) norm at some point.

    • Actually my claim is there no more security risks in the standalone vrs. the multisite. The login attempts not-withstanding which can be protected with a plugin that handles that even more so with things like the SI Captcha plugin which can captcha logins.

      I challenge *anyone* to try to inject into my site. I’ll even give them a bonus and give them access to their own site on my server to help them along.
      .-= Philip M. Hofer (Frumph)´s last blog ..Frumph & Crew on TGT Webcomics tonight, 6pm PST =-.

  2. Michey says:

    Alex, I am looking forward to the release of WP 3.0, this is good and deep info you provide here, I have your security DVD so I try to stay informed and apply your tactics…
    May I have a question, do you intend to have an update of the Security DVD which will work for WP 3.0?
    .-= Michey´s last blog ..CB Predators Review =-.

  3. Hi Alex,

    Hey Bro. great job man and thank you for letting everyone aware on security it is very important matter especially when your running a Business Blog. My blog been hacked before and it was a nightmare so I really appreciate you making your effort on this again thank you and way to go…

    God bless you and yours,

    Albert Hallado
    .-= Albert Hallado´s last blog ..Need More Customers? =-.

  4. Lorrette says:

    Alex I have been following you for sometime now and I have to say I could not be more grateful for the security DVD and other valuable advice that you so freely provide. Please keep us posted if you do upgrade the Security DVD … Oh … and keep up all the good work Alex, there are many of us that do appreciate it.

    Celebrate Life
    .-= Lorrette´s last blog ..Good Blonde Jokes =-.

  5. Jaki Levy says:

    These are great WordPress resources – I actually just started digging into a really really solid book on WordPress 3.0. It's got some really nice code samples, and is written by a few pro WordPress developers (including some from Envato). I'm actually giving away 2 copies of the e-book on my site – check out the details about the e-book and the giveaway here – I think you'll dig it :


  1. […] Snippets To Prepare Your Theme For WordPress 3.0WordPress 3.0: Changing The Way We Manage ContentWordPress 3.0 Security Design That NEED to Be AddressedP.S : If you find this roundup post useful, do share it with others. And if you have any good […]