Security Review Process (32 posts)

  1. Gregg Banse
    Member
    Posted 8 months ago #

    As a mod for the WordPress forum at Webmaster World I started a thread about WordPress security - or the lack thereof. Largely because I'm tired of the beating WP takes and I wanted to see if anyone could actually prove there were security issues. What has come out of the thread so far is a lot of accusations about how there is no dedicated security team or process for handling issues. So I'm here to ask, what is there for a security team or security review process/protocol for code and issues when they're uncovered?

  2. Ha. That's a good one. Give this a read for a good response to that.

    http://wpengine.com/2013/05/08/wordpress-core-is-secure-stop-telling-people-otherwise/

    tl;dr is that WordPress core is secure. But there are a lot of problem plugins, themes and shared servers running other exploitable code and that results in all the apps on that server getting compromised.

  3. Gregg Banse
    Member
    Posted 8 months ago #

    Thanks for the reply Jan. That's a helpful post. Do you know of a formal review process for security issues/exploits in place? It's all well and fine to say it's secure but part of the issue is a lack of transparency about what WP does to review its code and ensure the core is tight and secure.

  4. It's all well and fine to say it's secure but part of the issue is a lack of transparency about what WP does to review its code and ensure the core is tight and secure.

    Lack of transparency? How? Have you visited the developers' blog? The entire development effort is open and you can always browse the source.

    http://make.wordpress.org/core/

    I'm not sure exactly what you are referring to but security is taken very seriously and everything about WordPress is open and transparent.

    There's the Hardening WordPress Codex link.

    http://codex.wordpress.org/Hardening_WordPress

    Which has a section on reporting security issues.

    http://codex.wordpress.org/Hardening_WordPress#Reporting_Security_Issues

    Which also links to the FAQ Security.

    http://codex.wordpress.org/Security_FAQ

    To me this is the critical part of that FAQ.

    • For a WordPress plugin security issue, email plugins [at] wordpress.org with as much detail as you can. You should also contact the plugin developer either via email (if it's listed in the plugin source code), or by posting in the support forum on their plugin page asking how best to send them details.
    • For a security issue with the self-hosted version of WordPress, email security [at] wordpress.org with as much detail as you can.

    In all cases, you should never publish details of a security vulnerability. Doing so is irresponsible and unprofessional.

    See that last part? I happen to agree completely with that last statement. The important thing about an identified vulnerability is to fix it. It's not for providing a road map on how to exploit older versions.

    The problem with talking about security and WordPress is that the topic becomes a dog whistle. Too many folks just respond to the whistle and start with a mistaken premise.

    Security should be talked about but without the preconceived notion that WordPress is insecure. When a vulnerability or exploit is determined (or even a POC) it gets a patch and an update is rolled out. That doesn't make WordPress insecure or lack transparency.

  5. Gregg Banse
    Member
    Posted 8 months ago #

    Jan,
    I'm sorry but I wasn't clear enough. By lack of transparency I meant with the security review process and if there's a dedicated security team. I can't find a clear indication of either. It would help with the credibility of the claim that WordPress is secure if there's a clear protocol for testing, reviewing, and resolving security issues by a dedicated team. I have visited the developers' blog. I see sections for the Core, Community, Themes, etc. but not Security. Which also leads people to the question of why not?

    I assume there is some form of review process - the FAQs and resources you list (which I have read through) all indicate there is (plus I know issues DO get resolved) but there's no indication of what happens when an issue is discovered. I'm in agreement with not posting the details of a security vulnerability and that's not what this is about. I'm trying to uncover how the WordPress team approaches security.

  6. Gregg Banse
    Member
    Posted 8 months ago #

    In thinking about how to articulate this better I think the issue is a matter of perception and public awareness.

    Coders care and they can read through the development blog posts - if they care to. Joe & Sue Public aren't going to and even if they did, wouldn't understand 99% of it. What WordPress is missing is a few confidence builders - akin to the "Protected by Verisign" logos on eCommerce sites. Something that clearly indicates the WordPress team has an organized approach to security.

    Example: Joomla - http://www.joomla.org/announcements/general-news/5205-the-new-joomla-security-strike-team-attacks.html

    Example: Drupal - https://drupal.org/security-team

    That the Joomla and Drupal communities have organized clear security teams with clear objectives has a powerful impact on public and community perception/confidence - even if it's no different than what the WordPress community has. It's just that they packaged it into an easy to understand black box, with a clear label and outcomes.

    Again, please don't get me wrong. I'm not questioning if WordPress is secure or not. I'm trying to help erase the myth that it's not.

  7. WPyogi
    Volunteer Moderator
    Posted 8 months ago #

    It's referenced in security releases - i.e.

    http://wordpress.org/news/2013/09/wordpress-3-6-1/

  8. Gregg Banse
    Member
    Posted 8 months ago #

    Ah, thank you WPyogi. So there is a team. Perhaps they prefer to lay low.

  9. leejosepho
    Member
    Posted 8 months ago #

    I have copied a few lines from the Drupal link:

    Goals of the security team

    Resolve reported security issues in a Security Advisory

    I would assume WordPress has a place for users to report security issues, and maybe WPyogi or Jan or someone else can post the link.

    Provide assistance for contributed module maintainers in resolving security issues

    Here at WordPress, I would assume that would translate into assisting plugin authors trying to help users who have reported security issues.

    Provide documentation on how to write secure code

    Writing any code at all is beyond my own ability, but surely WordPress has that kind of documentation available.

    Provide documentation on securing your site

    http://codex.wordpress.org/Hardening_WordPress

    Help the infrastructure team to keep the...infrastructure secure

    As far as I know, that would not be applicable here since WordPress.org is not running in WordPress.

    Members of the security team sometimes perform analysis of core or contributed project code...but in general the team does not review core nor contributed code.

    Maybe trying to educate more WordPress users about the difference there would be helpful. The internet can be like an alligator-infested swamp, and the folks who work on security are dealing only with the 'gators, not supervising the improvements on the swamp.

  10. esmi
    Forum Moderator
    Posted 8 months ago #

    I would assume WordPress has a place for users to report security issues

    See http://codex.wordpress.org/Security_FAQ

    Maybe trying to educate more WordPress users about the difference there would be helpful.

    How? There are already resources in the Codex on security (as mentioned above) but we cannot force users to read them.

  11. leejosepho
    Member
    Posted 8 months ago #

    How?

    Threads such as this can help people see the difference between the Security Team and the Development Team, and my metaphor was intended to help increase the overall awareness and understanding of the presence, commitment, tasks, chores and successes of the Security Team.

  12. Gregg Banse
    Member
    Posted 8 months ago #

    Right. We're talking about perception here - the perception of insecurity that could be significantly reduced if not erased by including more visibility of the security team itself.

  13. esmi
    Forum Moderator
    Posted 8 months ago #

    In what way? And bearing in mind that the work of a security group, almost by definition, needs to be "behind closed doors"?

    It might also help if there was some clarification as to which "security group" is being discussed. In theory, there are 4 distinct groups dealing with core, themes, plugins and wordpress.com.

  14. leejosepho
    Member
    Posted 8 months ago #

    the perception of insecurity that could be significantly reduced if not erased by including more visibility of the security team itself.

    Yes, and esmi knows:

    there are 4 distinct groups dealing with core, themes, plugins and wordpress.com.

  15. Gregg Banse
    Member
    Posted 8 months ago #

    >> In what way?

    It could be as simple as a one-pager that acknowledges there IS a security team, its objectives, and the general process it uses proactively as well as reactively. I know this may seem silly and redundant but users like convenient, easy to understand packages of information. That they have to visit several pages to get the answers isn't working and leads to misunderstanding.

  16. Andrew
    Forum Moderator
    Posted 8 months ago #

    Doesn't the burden of proof lie with the person making the claim that WordPress isn't secure? Why would WordPress shoo off claims that have no evidence to begin with?

  17. Gregg Banse
    Member
    Posted 8 months ago #

    It's not about proving WordPress is secure. The issue is a public perception.

    Imagine a website developer selling a site based on WordPress to a client. It could just as easily be anyone thinking about using WordPress. The client may have heard rumors that WordPress isn't secure and challenges the developer to prove it is secure. The developer has to do what I've been doing - piece together the evidence.

    It would be much easier if there was a single page, under the WordPress.org site, to go to answer the question clearly and concisely. Highlight the existence of a security team, their objectives, the work they do proactively and reactively. No need to mention names or specifics.

  18. Andrew
    Forum Moderator
    Posted 8 months ago #

    But how would you get people to read that resource?

  19. Gregg Banse
    Member
    Posted 8 months ago #

    That's a good question. But having it is better than not having it and I know there will be people like me referring people to it - especially when people are spreading rumors and lies.

    It could be linked to or even a part of the Security Category Archive on the blog: http://wordpress.org/news/category/security/

  20. leejosepho
    Member
    Posted 8 months ago #

    ...users like convenient, easy to understand packages of information. That they have to visit several pages to get the answers isn't working and leads to misunderstanding.

    In my own opinion, that is the crux of this entire matter...and I continue here without complaining...

    For security at my own site (and I now handle security at four), and while knowing nothing at all just a year ago, I did begin at the often-mentioned "Hardening WordPress" page. However, achieving the level of security I know today has required great amounts of time and effort in searching, sifting and sorting through all kinds of things discovered and learned by doing Google searches (and occasionally landing back here at these forums) along with trying various suggestions and settings made available in different security plugins. Looking back, I would want to never again have to do all of that, and in looking ahead, I think it is time to lessen the level of that challenge for others getting started.

    Edit: As an aside, consider the difference between not having to deal with security at all (as far as I know) at a WordPress.com-hosted site and having to "do it all for yourself", so to speak, at a self-hosted site. Folks who move their sites from one to the other so they can have more flexibility should be made clearly aware of at least some initial security (such as "Hardening WordPress") needing to be a priority ahead of the reason behind the move, and then the information they need should be readily available. Apart from that, the shock of a mis-perceived "lack of security" can only continue to hit people who had no way to know, understand or address the need.

  21. esmi
    Forum Moderator
    Posted 8 months ago #

    The developer has to do what I've been doing - piece together the evidence.

    In this scenario, wouldn't an independent resource be more credible - such as http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

  22. Gregg Banse
    Member
    Posted 8 months ago #

    That certainly helps but something coming from the WordPress team itself provides clear evidence of a commitment by the team to security - rather than implying it by having others speak about how secure WordPress is. Sort of like guessing if Hillary Clinton will run for president or not. She hasn't said but everyone seems to think she will - there's that bit of doubt that nags at people. Why not erase it? A simple one pager as I described shouldn't be all that difficult to create.

    BTW - the Hillary reference was just for an example and not my endorsement. ;)

  23. esmi
    Forum Moderator
    Posted 8 months ago #

    So a security mission statement, yes? Perhaps this could be pitched via http://wordpress.org/ideas/

  24. leejosepho
    Member
    Posted 8 months ago #

    The developer has to do what I've been doing - piece together the evidence.

    It would be much easier if there was a single page, under the WordPress.org site, to go to answer the question clearly and concisely.

    Finding a reasonable balance there will/could be quite a challenge, and especially while considering the blogger who does not even know what "self-hosted" means -- no technical expertise at all -- and also has yet to even learn to blog...

    ...and I knew all along that Hillary was just a plant to help the show along!

  25. Gregg Banse
    Member
    Posted 8 months ago #

    Whatever it's called it needs to:

    • Acknowledge there IS a security team
    • Identify the team's objectives
    • Identify Proactive tasks
    • Identify Reactive process/tasks

  26. Gregg Banse
    Member
    Posted 8 months ago #

  27. leejosepho
    Member
    Posted 8 months ago #

    Whatever it's called it needs to:

    Acknowledge there IS a security team
    Identify the team's objectives
    Identify Proactive tasks
    Identify Reactive process/tasks

    Since downloads at WordPress.org are simply made available, never marketed, the WordPress.org "community", as such, has no actual obligation along that line other than possibly that of the morality of willingly sustaining the fiber behind its continuing to do as always:
    http://wpengine.com/2013/05/08/wordpress-core-is-secure-stop-telling-people-otherwise/
    ** tips hat to Jan **

    Past anecdotal evidence of any circumstantial "lack of security" (as actually experienced simultaneously by anyone at all with a computer) in relation to WordPress proves nothing other than "its" past and the many challenges its "community" has since overcome...and anyone who gives WordPress a fair shot while accepting the personal responsibility of at least "Hardening WordPress", as suggested, will soon learn for himself or herself of its present-day security. And for those who either want or need an already-gotcha-covered-so-you-can-just-turn-it-on-and-hit-the-accelerator site, the same can be discovered at WordPress.com.

  28. Andrew
    Forum Moderator
    Posted 8 months ago #

    Btw I had no idea that this was an issue for WordPress, that people think it's insecure. How big of an issue is this?

  29. leejosepho
    Member
    Posted 8 months ago #

    The client may have heard rumors that WordPress isn't secure and challenges the developer to prove it is secure.

    How big of an issue is this?

  30. Helen Hou-Sandi
    WordPress Dev
    Posted 8 months ago #

    Linked for information; am not expressing any opinion on what could or should be written where: http://www.slideshare.net/govloop/word-press-as-anopen-source-projectwp-as-an-open-source-project-nacin (in particular, slides 16 and 17).
