WordPress for Enterprise Guide Provides Highly Misleading View of WordPress Security
The news outlet the WP Tavern (barely disclosed to be owned by the head of WordPress) on Tuesday covered a guide for promoting WordPress to enterprises, which they described as “a useful resource for large organizations examining WordPress as a platform or for small agencies looking to pitch WordPress to larger clients”. They also described it as coming from a “collection of leading WordPress agencies” that “have launched a collaborative project to promote the platform to large-scale organizations”. Those agencies are “Big Bite, in partnership with 10up, Alley, Human Made, Inpsyde, and XWP”. We reviewed the section on security and found it to be littered with, at best, misleading information. But it does point to areas where agencies could help make WordPress more secure.
(The guide also includes contributions from WordPress VIP, which is part of the head of WordPress’ company Automattic, but no disclosure was made of his role in both that and the WP Tavern.)
What Hackers Can and Actually Do Attack
Early in the section, it is claimed that WordPress’ “widespread use greatly increases the probability of attacks and issues”. That isn’t true in multiple ways. First, if the code is secure, it doesn’t matter how popular it is; it will still be secure. It could be that security issues in more popular software are more likely to be found and exploited, but the WordPress space shows plenty of evidence suggesting that isn’t all that true. For many years, we have seen hackers trying to exploit vulnerabilities in WordPress plugins with only tens of installs, and in 2018 we posted about a hacker probing for a plugin with fewer than 10 installs.
Passing Fault
Then there is this quote from someone claiming that a system (maybe WordPress?) isn’t at fault despite claiming that around 95% of the time things are being done improperly:
The good thing and the bad thing about WordPress is that everybody can work with it. I’d say around 95% of the people who are really developing on it are not doing it in the proper way, and then when things go wrong and websites get hacked, or websites are not performing well, and so on, it’s easy for them to blame the system instead of admitting fault. It’s also easy to add features here and there with additional plugins, but there’s no thought about long-term performance, maintenance, security, etc. To get to fast solutions, it’s genius, but you really need to consider long-term goals and which plugins are the right ones.
If things are being improperly handled that often, that seems like a problem with the system, especially when WordPress is designed around the idea that it will be used with plugins instead of containing everything needed in the core software.
There is a glaring example of a WordPress issue that has helped lead to vulnerabilities in plugins for years without being fixed: the poorly named is_admin() function, which reports whether the current request is for an admin-area page, not whether the current user is an administrator.
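To show how that naming leads developers astray, here is an added example (not code from the guide or from any of the agencies named): a hypothetical plugin AJAX handler that guards a destructive action with is_admin(), beside the same handler guarded by a capability check and a nonce. The plugin name, action names, table name and nonce action are all constructed for this illustration.

```php
<?php
/**
 * Hypothetical plugin code constructed for this example. All "demo_" names
 * are assumptions, not identifiers from any real plugin.
 */

// BEFORE: is_admin() answers "is this request for an admin-area URL?".
// admin-ajax.php is an admin-area URL, so this check passes for any request
// routed through it. It says nothing about who the user is, so any logged-in
// subscriber (or, if a wp_ajax_nopriv_ hook were also registered, any
// visitor) can reach the DELETE below.
function demo_delete_entries_vulnerable() {
	if ( ! is_admin() ) {
		wp_die( 'Not allowed' );
	}
	global $wpdb;
	$wpdb->query( "DELETE FROM {$wpdb->prefix}demo_entries" );
	wp_send_json_success();
}
add_action( 'wp_ajax_demo_delete_entries_vulnerable', 'demo_delete_entries_vulnerable' );

// AFTER: check what the caller is permitted to do, then confirm the request
// carries a nonce issued to that user for this specific action, so a
// cross-site request cannot trigger it either. Both helpers terminate the
// request on failure, so no further code runs for an unauthorized caller.
function demo_delete_entries_hardened() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'insufficient capability', 403 );
	}
	check_ajax_referer( 'demo_delete_entries', 'nonce' );
	global $wpdb;
	$wpdb->query( "DELETE FROM {$wpdb->prefix}demo_entries" );
	wp_send_json_success();
}
add_action( 'wp_ajax_demo_delete_entries', 'demo_delete_entries_hardened' );

// The nonce the hardened handler expects is minted when the plugin's own
// settings page loads and handed to the page's script, so the front end can
// send it back as the "nonce" request field.
function demo_enqueue_settings_script( $hook_suffix ) {
	if ( 'settings_page_demo' !== $hook_suffix ) {
		return;
	}
	wp_enqueue_script( 'demo-settings', plugins_url( 'settings.js', __FILE__ ), array(), '1.0', true );
	wp_localize_script(
		'demo-settings',
		'demoSettings',
		array(
			'ajaxUrl' => admin_url( 'admin-ajax.php' ),
			'nonce'   => wp_create_nonce( 'demo_delete_entries' ),
		)
	);
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_settings_script' );
```

When reviewing a plugin, treat any is_admin() call that sits where an authorization decision belongs as a finding in its own right: the correct question at that point is a current_user_can() check against the capability the action actually requires, with a nonce check alongside it for state-changing requests.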
Vetting Plugins
The person quoted previously went on to say this:
With the plugins that are out there, there is no signature that they are approved for security issues or anything like that, or forced to update, so on one side WordPress is very liberal which is really good, and that’s why it grew so much, but on the other side you should also have some sort of seal to indicate that a plugin has been tested. Unfortunately it’s difficult to make this happen because WordPress has such a big community, so people will become frustrated because they don’t get the seal or whatever, and there are many, many plugins out there, making it really difficult to manage them all.
One issue with that is that there actually are forced updates for plugins, but the team running the WordPress plugin directory hasn’t put in a good system to make sure they are used when they should be. Another issue is that all new plugins are actually supposed to be checked for security issues. The person that was supposed to be doing that for years, but likely wasn’t, was sponsored in that role by one of the agencies behind the guide, XWP.
The largest issue with that is the claim about a “seal or whatever”. It doesn’t make sense that there can’t be that sort of thing because some people wouldn’t get it. In fact, there already is that sort of thing: we have been doing security reviews of WordPress plugins for years. (We also issue advisories for plugin developers who have shown an inability or unwillingness to improve the security of their plugins.) The problem is that we appear to be the only ones doing that and releasing the results.
Shortly after that, another agency behind this, 10up, claims that they are doing some sort of vetting and they are saying that what has been vetted should be public:
We have an internal list of all the plugins that we have vetted, and we vet every single plugin that we use for security and performance – that should be a public-facing thing because one, it will help other plugins get better and be enterprise-ready, and two, it will help us have the right narrative – don’t just go grab this thing over here and use it.
No explanation is given for why they say that should be public while they are not making it public. Without it being public, it is impossible for anyone to check whether their vetting is actually doing a good job, in contrast with our published security review results. Curiously, we are not aware of 10up being a large source of vulnerability disclosures, which makes it seem likely that they are not doing much vetting, considering the poor state of even many of the most popular plugins.
Vetting of Open Source Software
The lack of vetting of WordPress plugins is contrasted with a claim that follows about the vetting of open source software (emphasis ours):
Red Hat’s 2022 State of Open Source report, its findings show that 89% of IT leaders believe enterprise open source is as secure or more secure than proprietary software. That has significantly shifted as there’s a sense that there’s a global community and the codebase is open and constantly reviewed. The track record of proprietary platforms having major security issues has continued, whereas the open platforms haven’t really had that problem. I think WordPress security issues now are mostly contained within plugins and the ecosystems around it which are less mature than the core software. Usually if we’re having to convince clients, it’s only because they have been convinced that WordPress is insecure by a competing platform.
A sense that vetting is occurring contrasts with the real-world results with security issues in open source software, whether in WordPress plugins or elsewhere (the vulnerability commonly referred to as Heartbleed being a frequently cited example).
The last part of that, that WordPress is seen as insecure only because of competitors, contrasts with the admission before that plugins are not secure.
Comparing Apples and Oranges
The section finishes off with this:
The number of high profile brands that rely on WordPress is also testament to its robustness, as Michael at WordPress VIP summarises: “Where security is raised as a concern, I often ask, do you really have higher security requirements than the White House? Do you really have higher security requirements than Al Jazeera? That’s what we do, we make WordPress work for those types of organisations, and we do that with a platform that we’ve engineered over a decade to handle the security requirements”.
This doesn’t seem like it is even trying to be serious. The White House website is a simple information website. So if you were, say, running an eCommerce website, you would likely have higher security requirements.
With both websites mentioned, the source code of their homepages contains no references to files in the plugin directory for WordPress, which is unlike many other WordPress websites. If those websites are not using many plugins, they would have different security risks than many other websites.
Agencies Could Help Improve WordPress Security Instead of Misleading About It
Instead of putting out misleading information about the security of WordPress, the agencies behind this guide could help to improve things. The guide highlights an obvious area to do that, with additional vetting of the security of WordPress plugins. Either they could do that themselves or they could hire others, like us, to do that for them. That would have a significant impact on the security of plugins.
Another area of improvement would be to make it more widely known which plugins are handling security well, which are handling it poorly, and which are a combination of both. We already do some of both of those.
Improving the team running the WordPress Plugin Directory, so that things like forced updates are better handled, would be another area of improvement. That team is looking for additional members, so these agencies could sponsor additional members for the team.