14 Nov

Developer Of WordPress Security Plugin Thinks Its Normal For Security Plugins to be Insecure

When it comes to the poor state of security one of the big problems is that instead of addressing the causes of that poor security, the focus is often on pushing security products, which are often of limited use and when it comes to WordPress plugins, are known to introduce their own security vulnerabilities.

The lack of addressing the causes isn’t due to the causes being hard to find or understand. Take for instance what happened after Apple failed to put out a security update for their Java implementation for the Mac OS in a timely manner back in 2012. Oracle released the security update for Java in February, but it wasn’t until April that Apple released an updated version of their implementation, which was after attackers started using one of the vulnerabilities to get malware on Macs. So you had a clear issue, that Apple was not releasing security updates in a timely manner, and also the broader issue of the responsibility of software makers to release security updates for their software. While that didn’t go unmentioned, much of the coverage was how Macs needed anti-virus software. That was even though anti-virus software doesn’t fix the underlying issues, it instead tries to detect malicious code that would exploit the underling issue, which is rather difficult to accomplish (especially versus fixing known vulnerabilities). If the underlying cause had been the focus back then maybe things would have changed and you wouldn’t have the problem with many smartphones in use that are not (and in some cases never) receiving security updates.

When it comes to the security of WordPress based websites instead of focusing on dealing real issues, far too often the focus is non-existent issues or pushing security plugins. While the handling of vulnerabilities in the WordPress software is quite good and we haven’t seen one be the source of many websites in years, the same can’t be said for plugins. Not only are the plenty of vulnerabilities that have been found in those that hackers would target, but far too often vulnerabilities are not fixed in a timely manner or at all.

As our recent testing has shown WordPress security plugins provide little protection against vulnerabilities in other plugins, with many of the tested security plugins providing no protection against any of three vulnerabilities we have tested so far. One of those that provided no protection is All In One WP Security & Firewall. We recently ran across a review of the plugin, which had a troubling response from one of the plugin’s developers.

The reviewer complained that the “plugin is riddled with vulnerabilities. I have been using it for a year now and almost every new version fixes a vulnerability! Just look at the changelog: sql injection, cross site scripting etc.”.

The developers response reads in part:

I am yet to find a security plugin in the repository that is not been regularly updated with security patches, vulnerability etc and is 100% perfect. However because all these security plugins are being updated it means that their respective developers are doing their best to keep their plugins secure and stable just like the developers of this plugin, which is what an update is all about.

If you are going to worry about this plugin that releases updates to improve the security then I think you might be disappointed because all other security plugins in the repository as I mentioned above also keep releasing updates for the same reason as you stated above.

That is a rather disturbing view. While we wouldn’t expect any software to never have a security issue, as some types of vulnerabilities and not even known yet, so even someone security conscious wouldn’t even know to check for them, and an occasional mistake can be understood. But if you are regularly releasing security updates for a plugin that likely indicates that there is a fairly fundamental lack of concern for security by the developers. The idea that would be something that would be normal with a security plugin should be rather troubling to everyone. In this case it is the view of one of the developers of a plugin that over 400,000 websites are relying on for security.

While it isn’t true that all other security plugins have frequent updates for security vulnerabilities, what we have found in reviewing vulnerabilities for our service, is that security plugins have sometimes had worse than average security, which you wouldn’t expect.

One thing that you rarely see is plugin’s making admin pages available to lower level than intended users, one of the few exceptions was a security plugin, which made it setting’s page available to Contributor level users and above. That would have been big issue with the plugin, since anyone who change the plugin’s settings could place malicious code on the website, but it turned that you could also change the settings without being logged in to WordPress. We ran across that vulnerability after it looks like it had already been being exploited in the wild for five months (at that time the vulnerability existed in the current version of the plugin, which was available on the Plugin Directory).

In another security plugin we found that instead of handling the saving changes to plugin’s setting by sending a request back to setting’s page (which is relatively secure and is how it is usually done) they decided to listen for the setting’s change being sent to any page on the website (fronted or backend) and didn’t do any check to see who was making that request.