alex sysoef

WordPress 3.0 Security Design That NEED to Be Addressed

Minneapolis St. Paul WordPress User Group #1
Image by Mykl Roventine: Out & About via Flickr

With release of WordPress 3.0 Beta 2 we are inching closer to the main release of the newest version of this very popular blogging platform. I’m quite excited as new version brings us not only a host of enhancements but also some new functionality that was not previously available. Mashable did an excellent job of covering most important new features of the WordPress 3.0 and I will not make any double takes on it.

But new features include ONE particular enhancement and functionality that I think will bite many bloggers and cause a lot of pain and I want to share some thought on how it could be possibly avoided!

I believe that ANY new functionality should not be coming at cost of security!

Unless you’ve lived under the rock I’m sure you heard about all the latest attacks against several hosts which initially believed to be a WordPress issue. Quite frankly I will disagree here that WordPress is at fault and it is in my personal view a host issue. Although the first penetration could be due to outdated installation of WordPress or any other vulnerable script!

An important distinction to understand that leads me to the rest of my article. Security issues can exist in ANY community developed script and WordPress is NOT an exception. In fact we have seen a few exploits against this platform bu developers and community were always quick to act and release patches.

In fact as I have previously wrote on this blog SEVERAL of the exploits relied on “elevation of privileges” exploits.

WordPress 2.8.6 is a security release that addresses 2 vulnerabilities that can only be exploited by active “registered, logged in users who have posting privileges”.

WordPress 3.0 Takes That Danger to a Whole New Level!

A major new functionality added to new version is integration of WordPress MU into the WordPress.org stand-alone blog. I LOVE this functionality and I think many Niche Bloggers will be very much appreciative of this but it opens new doors for exploits and opportunities!

Now you will be able to create MANY blogs under single installation and create community sites, allowing each user have his or her own blog. In fact, I think these type of sites will become the primary target of attacks to take advantage of ANY security flaws related to elevation of privileges due to couple issues:

  1. Right now WordPress doesn’t offer ANY mechanism by default to limit number of failed logins and while WordPress 3.0 allows you to choose username for administrative user to make it harder to guess – targeted attack is still possible via script as most bloggers will use that username to publish blog posts and it will be clearly visible! I highly recommend using some type of plugin to Limit Login Attempts and protect yourself from this fault!
  2. Password complexity is NOT enforced! This one is HUGE and with introduction of ability to create multiple blogs by your registered users in 3.0 it can become the Achilles heel of new version and an opportunity for plugin developers!

Just consider this simple scenario:

  • You choose to create a community site based on WordPress 3.0. You choose all precautions to create secure blog installation, protect it the best you can and keep it up to date while using ONLY good plugins.
  • You allow your visitors and readers to create accounts on your new site and publish their own blogs for FREE (great way to encourage participation). While initial password created by WordPress during registration is complex and secure – your users by default have option to change it, once logged in. While I know that most of your users will be responsible people and security conscious – I can 100% guarantee that there will be at least ONE, who out of laziness will create simple and easy to guess password.
  • Attacker comes and through determined effort (because your community site because extremely popular and presents a brightly painted target) identifies that user, gets his password through brute force guess attack and gains control over his blog. Than using elevation of privileges flaw he proceeds to take control over your entire network and possibly penetrates your hosting account and all other sites on same shared host.

I know that scenario above is very bleak and many might say UNLIKELY but I assure you, if I can think of it, people who scripted latest  attacks a HELL OF LOT smarter than me and a lot more devious when it comes to scripts security and programming.

How to Protect WordPress 3.0?

My personal opinion here is simple…

It should be WordPress.org dev team responsibility to STOP now ignoring the issue and add missing functionality I have pointed out above!

I know it might make WordPress to be perceived as less user-friendly by new adopters but it will be greatly appreciated by their vivid users and supporters! It is long overdue as I don’t believe in functionality through security ignorance! Enforcing passwords complexity and limitation of failed login attempts should be quite simple!

But for now we are left on our own and an opportunity for plugin developers to create new plugin that does a few VERY simple things:

  • Limit Login attempts, similar to what is provided in one plugin I shared or any other similar
  • Enforce password complexity! I couldn’t find any plugin right now that provides this measure and with WordPress 3.0 it could become a MAJOR opportunity!

I know many might bitch about how hard it is to remember strong passwords but here are couple solutions for you:

  1. Use some form of password manager. I use Robo-Form To Go and it makes entire process very simple for me. You can read great review by fellow blogger Gobala here.
  2. Create EASILY remembered but still very strong passwords. And here is how to do it…

Think of a memorable phrase, a common saying or something that will be unique to you and easily remembered. For example:

Chip On Your Shoulder

Now let’s create secure password from this phrase, one that will be hard to guess but easy to remember.

  1. First: let’s take 2 first letters from each word and combine them to create ONE mix of 8 characters: ChOnYoSh
  2. Second: lets replace couple of the alpha character with numeral substitutes easily remembered, I will replace “o” (ou) on “0” (numerical zero): Ch0nY0Sh
  3. Third: let’s replace one of the letters with the special character, normally you can always replace “a” with “@”, “s” with “$”, etc. In our case I will replace “S” (es) on “$” (dollar sign): Ch0nY0$h

Voila! We have just created a VERY strong password that follows all best security recommendations for strong passwords, as it has:

  • 8 characters
  • Upper and lower case characters
  • Mix of alpha and numerical characters
  • Contains at least one special character

…and still easy to remember!

I use this method to create secure passwords for accounts I need to be able to access even when I don’t have my thumb drive with Robo-Form and it never fails.

So now you have NO EXCUSE not to use strong password and developers should get cranking on creating a plugin that enforces it before we are all presented with a another round of hype on security flaw in WordPress! Any script can only be as secure as host it resides on and users that use it!

WordPress 3.0 Multi-Site Correction

05/14/2010 – After going back and forth with Andrea (whose comment you can read bellow) on Twitter I have realized that I wasn’t clear enough in this post on couple MAJOR points (and no, my writing style and CAPS is not one of them ;-) ), which can lead to major missunderstanding:

  1. WordPress MU functionality is NOT presented on new install by default, in fact it will require you to jump through a few hoops prior to install in order to enable it. Read the WordPress Codex on how to get it done.
  2. Many hosts will not support WordPress Network by default.

I still stay with my concerns and even though login attempts limitation is not new to 3.0, I still think with new functionality introduced to the core it simply becomes more of an issue. As I posted in reply to comment – some hosts will decide to separate themselves from the competition by offering Network Installs by default, I’m sure of it and then my “far-fetched” scenario can turn into nightmare.

I do apologize for any confusion my initial unclear writing have caused.

Filed under WordPress
Tags: , , , ,

33 Responses to “WordPress 3.0 Security Design That NEED to Be Addressed”

  1. Lorrette says:

    Alex I have been following you for sometime now and I have to say I could not be more grateful for the security DVD and other valuable advice that you so freely provide. Please keep us posted if you do upgrade the Security DVD … Oh … and keep up all the good work Alex, there are many of us that do appreciate it.

    Celebrate Life
    Lorrette
    .-= Lorrette´s last blog ..Good Blonde Jokes =-.

  2. Jaki Levy says:

    These are great WordPress resources – I actually just started digging into a really really solid book on WordPress 3.0. It's got some really nice code samples, and is written by a few pro WordPress developers (including some from Envato). I'm actually giving away 2 copies of the e-book on my site – check out the details about the e-book and the giveaway here – I think you'll dig it : http://bit.ly/lq20Ff

Trackbacks/Pingbacks