
WordPress 5.2: Mitigating Supply-Chain Attacks - CiPHPerCoder
https://paragonie.com/blog/2019/05/wordpress-5-2-mitigating-supply-chain-attacks-against-33-internet
======
oliwarner
Criminals: We can break 33% of the internet with one wrench!

Because that's what this still comes back to. If you can bribe or intimidate
_one developer_ with valid credentials, you can sign as many hashes as you
like; if nobody else reviews and catches that commit, the users are toast. And
even if WordPress has a strict review policy, what about the plugins? There
are some furiously popular examples out there made by very small teams, well
outside Automattic's control.

All in all, there are thousands of people out there for whom one or two swings
of a wrench mean that a _massive_ network of servers becomes compromised. And in
many cases you might not even need that. Hack the personal computer of one of
these people, and you're 99% done.

Sleep well.
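
An added example of what a threshold signing policy buys against the single-wrench scenario above. It is not code from the thread, from WordPress or from Paragon Initiative; Go stands in for PHP only so it runs with the standard library alone. Releases are represented by the SHA-384 digest of their bytes, maintainers sign that digest with Ed25519, and the verifier accepts a release only when two distinct keys from its trusted set have signed. The signer names, the package bytes and the 2-of-2 threshold are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// Release is one update artifact. As in the "sign the hash" scheme the thread
// discusses, signers sign the SHA-384 digest of the package rather than the
// package itself, so a downloaded file can be checked offline.
type Release struct {
	Name       string
	Digest     [sha512.Size384]byte
	Signatures map[string][]byte // signer id -> Ed25519 signature over Digest
}

// Signer is one maintainer's key pair. Keys are generated in-process for the
// demo; the point of a threshold is that real private halves sit on different
// people's hardware, so one bribe or one stolen laptop yields one key.
type Signer struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func mustSigner(id string) Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only on a broken system RNG
	}
	return Signer{ID: id, Pub: pub, priv: priv}
}

func NewRelease(name string, pkg []byte) *Release {
	return &Release{Name: name, Digest: sha512.Sum384(pkg), Signatures: map[string][]byte{}}
}

// Sign attaches this signer's detached signature over the release digest.
func (s Signer) Sign(r *Release) { r.Signatures[s.ID] = ed25519.Sign(s.priv, r.Digest[:]) }

// VerifyThreshold counts valid signatures from distinct trusted keys and
// accepts the release only when at least `threshold` check out. Unknown ids
// and bad signatures are simply not counted, so a rogue or stolen key can
// neither veto a release nor pad the count.
func VerifyThreshold(r *Release, trusted map[string]ed25519.PublicKey, threshold int) (valid int, ok bool) {
	for id, sig := range r.Signatures {
		if pub, known := trusted[id]; known && ed25519.Verify(pub, r.Digest[:], sig) {
			valid++
		}
	}
	return valid, valid >= threshold
}

// ScenarioResult holds the verdicts for the four cases below (2-of-2 policy).
type ScenarioResult struct {
	SingleSignerAccepted bool // one valid maintainer signature
	TwoSignersAccepted   bool // two distinct maintainers
	TamperedAccepted     bool // both signatures, but different package bytes
	RogueKeyAccepted     bool // one maintainer plus a key nobody trusts
}

func RunScenarios() ScenarioResult {
	alice, bob, mallory := mustSigner("alice"), mustSigner("bob"), mustSigner("mallory")
	trusted := map[string]ed25519.PublicKey{alice.ID: alice.Pub, bob.ID: bob.Pub} // mallory is not here
	pkg := []byte("constructed stand-in for the bytes of wordpress-5.2.zip")
	var res ScenarioResult

	// 1. One coerced maintainer (or one hacked laptop) is not enough.
	r := NewRelease("wordpress-5.2.zip", pkg)
	alice.Sign(r)
	_, res.SingleSignerAccepted = VerifyThreshold(r, trusted, 2)

	// 2. A second, independent maintainer makes the release valid.
	bob.Sign(r)
	_, res.TwoSignersAccepted = VerifyThreshold(r, trusted, 2)

	// 3. Same two signatures, but a mirror served different bytes: both fail.
	swapped := NewRelease(r.Name, append([]byte("<?php /* backdoor */ "), pkg...))
	swapped.Signatures = r.Signatures
	_, res.TamperedAccepted = VerifyThreshold(swapped, trusted, 2)

	// 4. The attacker's own key cannot stand in for the missing maintainer.
	r2 := NewRelease("wordpress-5.2.zip", pkg)
	alice.Sign(r2)
	mallory.Sign(r2)
	_, res.RogueKeyAccepted = VerifyThreshold(r2, trusted, 2)
	return res
}

func main() {
	fmt.Printf("%+v\n", RunScenarios()) // expect only TwoSignersAccepted:true
}
```

A real deployment ships the trusted public keys with the CMS, rotates them through the same signed channel, and keeps each private key on a different person's hardware; the code above only shows why one compromised key, or one key the verifier has never heard of, does not get a package installed. It does nothing about the plugin problem oliwarner raises, where the "trusted set" is a one-person team.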

------
someexgamedev
I set up a WordPress site for a family member a couple years ago and threw
wordfence on there just to see what the ecosystem is like. I get near daily
alerts of attempted hacks mostly from Eastern Europe. Most common thing is
trying to brute force the login page.

Any improvements to WordPress security are welcome. It's got such a huge
target painted on its back. Reminds me of Windows in the 90s.

As for what I learned, I would move the admin login page and disable common
usernames like admin and anything derived from the site url. Probably stop 90%
of attacks just with that.

~~~
frereubu
This plugin allows you to rename the login page -
[https://wordpress.org/plugins/rename-wp-login/](https://wordpress.org/plugins/rename-wp-login/). It says untested with
the last three versions of WordPress, but we use it on all our sites and have
had no issues. It also doesn't redirect non-logged-in requests for /wp-admin/
to the login URL like the standard setup, so it doesn't make the new login URL
available in any way. We were experiencing server slowdowns because of brute
force attacks and this plugin really helped.

The best thing to do after that is to set up an .htaccess rule to return a 401
Forbidden error for /wp-login.php, because even with the plugin above the
request is processed by PHP, which can still slow things down depending on the
intensity of the attack.

This is obviously just security through obscurity, and you need other security
measures in place too. Having said that, I find plugins like WordFence are
overkill and often confusing, although we build WP sites from scratch so we
control a lot of that side of things ourselves, and use a WP-focused hosting
service which takes care of the other things like server-level security.

~~~
rograndom
Do not use that plugin. It has an unintentional back door where you can just
bypass it completely and get the login screen. All of the forked plugins that
are based on it, that I have seen, have the same issue.

Plus, since it's more than 3 versions old, many of the security plugins will
flag it. If it's your site, that's fine. If you have set a site up for someone
else, it's hard to explain that it's ok to use this plugin.

~~~
frereubu
Can you give me more detail than "unintentional back door"? I'm obviously
interested, but it's difficult to know what to do without more of a pointer on
what the issue is.

Edit: Found this - [https://github.com/ellatrix/rename-wp-login/issues/27](https://github.com/ellatrix/rename-wp-login/issues/27) - and
can reproduce that behaviour, so I'm going to start looking for something new,
or potentially taking over that plugin.

Edit 2: This seems to be a maintained fork that is in active development and
covers the issues on the original abandoned GitHub repo -
[https://wordpress.org/plugins/wps-hide-login/](https://wordpress.org/plugins/wps-hide-login/)

------
kiesel
The update mechanism itself is still insecure, as the WordPress instance must
have the ability to exchange its own source code - something you'd at least
call risky. Web applications should run with the least possible privileges,
i.e. only with permissions to write to dedicated locations on the filesystem
(user uploads), and read permissions for the code.

PHP has composer, a dependency management system. There's an option to build a
WordPress project using composer.

Even more, there's even a boilerplate project that you can use to bootstrap
your new WordPress setup - see
[https://roots.io/bedrock/](https://roots.io/bedrock/)
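
An added example illustrating the least-privilege point above; it is not code from the thread, from WordPress or from Bedrock. It walks an install and lists everything group- or world-writable outside the directories that legitimately need writes. It assumes the common split where the files are owned by a deploy account and PHP runs as a separate user (www-data or similar), so the group/other permission bits decide what PHP can overwrite; the demo tree, its paths and its modes are constructed. Go rather than PHP, so it runs stand-alone.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// WritableEntry is one path whose mode lets a non-owner write it.
type WritableEntry struct {
	Path string // slash-separated, relative to the install root
	Mode fs.FileMode
}

// AuditWritable walks an install and reports every file or directory that is
// group- or world-writable (mode & 0o022) outside the allowed write prefixes,
// e.g. "wp-content/uploads". It assumes code is owned by a deploy account and
// PHP runs as another user, so the group/other bits decide what PHP can
// overwrite. If PHP runs as the owner, everything is writable regardless and
// only a process split (a separate updater) helps.
func AuditWritable(root string, allowed []string) ([]WritableEntry, error) {
	var found []WritableEntry
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		if rel = filepath.ToSlash(rel); rel == "." {
			return nil
		}
		for _, a := range allowed {
			if rel == a || strings.HasPrefix(rel, a+"/") {
				if d.IsDir() {
					return filepath.SkipDir // nothing under an allowed prefix is reported
				}
				return nil
			}
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if perm := info.Mode().Perm(); perm&0o022 != 0 {
			found = append(found, WritableEntry{Path: rel, Mode: perm})
		}
		return nil
	})
	sort.Slice(found, func(i, j int) bool { return found[i].Path < found[j].Path })
	return found, err
}

// BuildDemoTree creates a constructed miniature install under root with a mix
// of sane and sloppy modes. Modes are set with Chmod after creation and the
// directories normalised afterwards, so the process umask cannot skew the result.
func BuildDemoTree(root string) error {
	files := map[string]fs.FileMode{
		"wp-config.php":                  0o640, // fine: owner rw, group read
		"wp-includes/version.php":        0o664, // bad: group-writable core file
		"wp-content/plugins/foo/foo.php": 0o666, // bad: world-writable plugin
		"wp-content/uploads/2019/a.png":  0o666, // allowed: uploads must be writable
	}
	for rel, mode := range files {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte("constructed placeholder\n"), 0o600); err != nil {
			return err
		}
		if err := os.Chmod(p, mode); err != nil {
			return err
		}
	}
	return filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.IsDir() {
			return err
		}
		return os.Chmod(p, 0o755)
	})
}

func main() {
	root, err := os.MkdirTemp("", "wp-audit")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := BuildDemoTree(root); err != nil {
		panic(err)
	}
	found, err := AuditWritable(root, []string{"wp-content/uploads"})
	if err != nil {
		panic(err)
	}
	for _, e := range found { // expect wp-content/plugins/foo/foo.php and wp-includes/version.php
		fmt.Printf("%s %s\n", e.Mode, e.Path)
	}
}
```

Against a live install, call AuditWritable with the real root and allowed list. Keep the caveat in mind: files the built-in updater has written are owned by the PHP user and are writable by it at mode 0644, so this check will not list them; an ownership check (files not owned by the deploy account) is what catches that case, and the fact that it is needed is the privilege problem kiesel is pointing at.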

~~~
CiPHPerCoder
> Web applications should run with the least possible privileges, ie. only
> with permissions to write to dedicated locations on the filesystem (user
> uploads), and read permissions for the code.

This isn't _wrong_ but I'd argue it's a lower priority concern than you
believe it is.

A comprehensively secure automatic update system would have process isolation
between the normal web interface and the updater (and the latter would run as
a different, more privileged user). However, not everyone can do that. (Shared
hosting, etc.)

[https://paragonie.com/blog/2016/10/guide-automatic-security-...](https://paragonie.com/blog/2016/10/guide-automatic-security-updates-for-php-developers)

The goal of an automatic update mechanism should be to prevent the rampant
exploitation of 1days, like what happened with Drupal not too long ago.

If you had to choose between "owned within 7 hours of the advisory" or "less
theoretically secure in a constrained environment but still securely self-
updating" in the CMS/blog threat model, the latter wins.

There's no easy way to rearchitect WordPress to support the principle of least
privilege and process isolation for their auto-updater in a way that ensures
everyone still uses it. So for the time being, that's worthy of being called
out, but isn't a big enough deal to label the whole shebang insecure. Because
"insecure in _which_ threat model?"

~~~
kiesel
> A comprehensively secure automatic update system would have process
> isolation between the normal web interface and the updater (and the latter
> would run as a different, more privileged user). However, not everyone can
> do that. (Shared hosting, etc.)

That's right, and I also think the popularity stems from the simplicity _and_
the fact that it existed when the whole blog thing took off.

There's actually the option to provide your FTP credentials in the admin
console and have WordPress update itself over an FTP connection. It is process
separation, then, but OTOH potentially exposes your webspace credentials to an
attacker. :-)

------
huxflux
Perhaps HN should give WordPress a thumbs up for once! I start, nice.

~~~
jaden
Agreed, WordPress has come a long way, along with PHP for that matter. Both
deserve a little more praise and less criticism for the warts of bygone days.

------
ggm
I think this is very good because it reduces the attack surface for people who
track current code.

It's important to remember a large set of un-updated nodes will remain. Not
that anyone can do much, but equally not that the entire surface of bad
WordPress will go away. I would be interested how big the long tail is. One
third? More?

It is also worth thinking about the code signing problem Firefox just had, and
reflecting on the possibility of the hack in the head still taking place:
either a denial-of-service or a bad code intrusion risk remains.

It's far, far less likely, and it can be mitigated, but this is the reality of
distributed systems: You can only do the best you can, nothing is guaranteed.
(even TMR units fail)

------
eitland
> In the future, we will be working to implement a system that allows vendors
> to sign their own releases and publish these signatures (and related
> metadata) to an append-only cryptographic ledger.

Without dismissing all crypto currencies this seems more immediately
practically useful:-)

~~~
CiPHPerCoder
If you're curious:

[https://paragonie.com/blog/2016/10/guide-automatic-security-...](https://paragonie.com/blog/2016/10/guide-automatic-security-updates-for-php-developers#decentralized-authentication)

[https://paragonie.com/blog/2017/07/chronicle-will-make-you-q...](https://paragonie.com/blog/2017/07/chronicle-will-make-you-question-need-for-blockchain-technology)

I've written a lot about the design and utility of append-only cryptographic
ledgers for this use case.

Mozilla has their own implementation based on Certificate Transparency:
[https://wiki.mozilla.org/Security/Binary_Transparency](https://wiki.mozilla.org/Security/Binary_Transparency)

Filippo Valsorda is working on bringing something similar to the Go ecosystem,
based on a Trillian personality.

There's a lot of work going on, there's just not a marketing team behind these
efforts, so you only ever hear about blockchains and ICOs.
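
An added example of the append-only ledger idea eitland quotes and the reply above points to; it is not Chronicle's code, nor Mozilla's or Trillian's. Each entry records a vendor, package, digest and signature and commits to the hash of the entry before it, so the two usual tamper cases, editing an old record and editing it while recomputing its own hash, both surface on verification. Vendors, packages, digests and signatures are constructed placeholders, and Go is used instead of PHP so it runs stand-alone.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"strconv"
)

// Entry is one published release record. Vendor, Package, Digest and Sig are
// what a vendor submits; PrevHash and Hash make the log append-only: every
// entry commits to the one before it, so changing or dropping an old entry
// changes every later hash, which clients detect by comparing the head hash
// they saw last time (or comparing heads with each other).
type Entry struct {
	Index    int
	Vendor   string
	Package  string
	Digest   string // hex SHA-384 of the release file
	Sig      string // the vendor's signature over Digest; opaque placeholder here
	PrevHash string // hex SHA-256 of the previous entry; genesis is all zeros
	Hash     string // hex SHA-256 over all fields above
}

const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// entryHash length-prefixes each field so field boundaries cannot be shifted
// ("ab"+"c" versus "a"+"bc") without changing the hash.
func entryHash(e Entry) string {
	h := sha256.New()
	for _, f := range []string{e.PrevHash, strconv.Itoa(e.Index), e.Vendor, e.Package, e.Digest, e.Sig} {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))
}

type Ledger struct{ entries []Entry }

// Append links a new record to the current head. There is deliberately no
// Update and no Delete.
func (l *Ledger) Append(vendor, pkg, digest, sig string) Entry {
	prev := genesis
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	e := Entry{Index: len(l.entries), Vendor: vendor, Package: pkg, Digest: digest, Sig: sig, PrevHash: prev}
	e.Hash = entryHash(e)
	l.entries = append(l.entries, e)
	return e
}

// Verify re-derives the chain and returns the index of the first inconsistent
// entry, or -1 when the whole log checks out.
func (l *Ledger) Verify() (int, error) {
	prev := genesis
	for i, e := range l.entries {
		switch {
		case e.Index != i:
			return i, fmt.Errorf("entry %d: index %d out of sequence", i, e.Index)
		case e.PrevHash != prev:
			return i, fmt.Errorf("entry %d: does not chain to entry %d", i, i-1)
		case entryHash(e) != e.Hash:
			return i, fmt.Errorf("entry %d: contents do not match recorded hash", i)
		}
		prev = e.Hash
	}
	return -1, nil
}

func digestHex(fileBytes []byte) string {
	sum := sha512.Sum384(fileBytes)
	return hex.EncodeToString(sum[:])
}

// DemoResult captures the three verifications Demo walks through.
type DemoResult struct {
	CleanBreaksAt    int // -1: the untouched log verifies
	EditedBreaksAt   int // entry 1's digest swapped, recorded hash left alone
	RehashedBreaksAt int // attacker also recomputes entry 1's own hash
}

func Demo() DemoResult {
	l := &Ledger{}
	// Constructed records: digests of placeholder strings, placeholder signatures.
	l.Append("wordpress.org", "wordpress-5.2.zip", digestHex([]byte("core 5.2 bytes")), "sig-core-5.2")
	l.Append("akismet", "akismet-4.1.2.zip", digestHex([]byte("akismet 4.1.2 bytes")), "sig-akismet")
	l.Append("example-vendor", "some-plugin-1.0.zip", digestHex([]byte("plugin 1.0 bytes")), "sig-plugin")

	var res DemoResult
	res.CleanBreaksAt, _ = l.Verify()

	// An insider rewrites the published digest for entry 1 to match a backdoored zip.
	l.entries[1].Digest = digestHex([]byte("akismet with a backdoor"))
	res.EditedBreaksAt, _ = l.Verify()

	// Even after fixing up entry 1's own hash, entry 2 still points at the old one.
	l.entries[1].Hash = entryHash(l.entries[1])
	res.RehashedBreaksAt, _ = l.Verify()
	return res
}

func main() {
	fmt.Printf("%+v\n", Demo()) // expect {CleanBreaksAt:-1 EditedBreaksAt:1 RehashedBreaksAt:2}
}
```

The hash of the last entry is what clients pin between runs and compare with each other: an operator who rewrites history has to rewrite every later entry and publish a new head, and the mismatch with a head someone already saw is the detection signal. The Certificate Transparency-style systems linked above use a Merkle tree rather than a plain chain so that inclusion and consistency proofs stay logarithmic in the log size; the append-only property being defended is the same.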

------
pepoluan
I misread that as WordPerfect 5.2 ...

------
dplgk
I have old WordPress blogs sitting around. They got hacked of course. Because
they are so old, it would be a huge pain to upgrade. I restored from backup
and chmod 550 the whole WP installation. Much easier than upgrading and less
time than migrating to static blog framework.

~~~
Angostura
If they are simplish blogs, I can't see that there should be any difficulty in
updating WP and the theme, and you'll be doing the rest of the Internet a
service.

