Understanding WordPress Security

The key to tackle security issues is understanding. Understanding the adversary (the hacker) and understanding yourself (or your website). Most security plugins on WordPress.org massively add features to allegedly fix certain hacks. The truth is that security is not in features offered, but in understanding how the bad guys attack.

We found this quite disturbing so we are currently developing a plugin (and an ebook to accomanie it). Here is our take on a few attack vectors and the best way to solve them

  1. Bruteforce Login Attacks – It is simple to try thousand of passwords a minute with automated tools from different IP’s. Especially since the admin user or any other user that has published a post on your website is know. We fix this with a two-pronged approach: login via email and password and lockouts. Emails are much harde to find out, preventing you from being bruteforced in the first way. We also add the support to send a ‘lock-in’ link  so that a legitimate user won’t be annoyed.
  2. SQL Injection Attack – The main purpose of this attack is to extract information from the password database. SQL Injection attacks in general don’t add files, add admin user, etc. We want to prevent this with a two-pronged approach: parameter filtering and table lockdown. Parameter filtering will also work for serverside inclusion attacks (which are quite easy to filter). Table lockdown makes sure that queries can only be executed against the WordPress user table when they originate from wp-login.php (not from vulnerable plugins).
  3. Cross Site Scripting – In contrast to popular belief these are dangerous. When an admin get’s tricked to click on a link (by WordPress comment spam or an exceptionally rude comment), an adversary is able to add a new admin user. We fix this attack by introducing tokens, so that the request originates from an admin action only, effectively defeating Cross Site Scripting and other similair attacks on a WordPress website.

We also add other features if they fit our criteria: minimal user annoyances, robustness and operational effectiveness. Subscribe to the list to be notified when we release it (we don’t send any other mail).