27 Jun

The Problem With WordPress Forum Moderators Handing Out Inaccurate Security Information

One of the ways we keep track of security vulnerabilities in WordPress plugins is by monitoring the WordPress Support Forum for new posts related to that. In doing that we come across a lot of inaccurate information coming from the moderators of the forum. You won’t find much information from those that are knowledgeable about security there, because if our experience is any indication, they get run off by the moderators. That is one of the reasons that we said that a plan for overhauling the moderation of the forum needs to be put forward before we will start notifying the Plugin Directory of publicly disclosed unfixed vulnerabilities that exist in plugins in it again (the lack of us doing that means that there are currently plugins with publicly disclosed known vulnerabilities that have 323,400+ active install that are still in the Plugin Directory).

Through that monitoring we came across an example of the really troubling claims made by the forum moderators. In response to someone that had found malicious files on their website the moderator began by writing:

Are you asking for support? WordPress is secure and a lot of responsibility is on WordPress’ side, but it is also on the side of the webmaster. The webmaster needs to ensure all dependencies and core is kept up to date, and that secure passwords are used. That will be enough to prevent a hack, however there are ways to improve security as well: https://codex.wordpress.org/Hardening_WordPress

Considering that, for example, the last widely exploited plugin vulnerability was never fixed, just keeping plugins up to date will not at this time will not prevent hacks if you are using a vulnerable plugin. Or to look at a more recent example, a vulnerability was fixed in a plugin and then plugin returned to the Plugin Directory without the version number being bumped, so anyone already using the latest version is still wide open to being hacked even after we notified the developer of that. (If you used our service you would have already been notified if you were impacted. If you use another provider of vulnerability data you would not know about it because only we do the extensive monitoring and testing that is catching that sort of thing.)

Telling people that WordPress is secure in a way it isn’t puts them at risk, but it also helps the issue to fester, when, as we have been pushing for over five years, there is a solution.

Pointing people that Codex page isn’t much better, since it has been extensively edited by a few security companies and seems to be largely focused on pushing their products and services.

For example those security companies often are pushing the false claim that brute force attacks against admin passwords are happening, despite that not being the case. You would think otherwise if believed that page:

Website Firewalls allow you to proactively mitigate external attacks like exploitation attempts that try to abuse software vulnerabilities, brute force attacks that try to break into your admin panel, or denial of service attacks that try to kill the availability of your website. All real security threats.

Their are ability to prevent the exploitation of software vulnerabilities is limited at best, based on our testing and their makers lack of awareness of vulnerabilities being exploited.

The section on plugins makes no mention at all about unfixed vulnerabilities either:

Themes / Plugins

The vulnerability most affecting WordPress website owners stem from the platforms extensible parts, specifically plugins and themes. These are the #1 attack vector being exploited by cyber criminals to hack and otherwise misuse WordPress sites.

These vulnerabilities are not introduced intentionally, they are a normal part of software development. Developers address this by releasing updates. It’s important you take an inventory of all the plugins the website uses and subscribe to the developers mailing list to ensure you stay current with the latest updates.

It also really important to mention that while vulnerabilities can accidentally happen, the idea that they are a normal part of the development process is deeply troubling.