
The detailed story of our new security system - duck
http://wpengine.com/2012/06/the-detailed-story-of-our-new-security-system/
======
jmacd
We recently had to switch off WP-Engine. We were on for ~9 months and it was
frustrating because there were be regular slowdowns. The responses that came
back were things like "someone else on your server had a runaway script that
was eating all the CPU" and other things that made us feel pretty vulnerable.

Eventually the site became so slow so regularly that we were pretty sure we
were going to switch to another host.

The final straw for us though was that we had an interaction with tech support
and we needed to retrieve our password.

The went ahead and sent us our password in plaintext. (actually a screenshot
of the password in plaintext).

So, to put it mildly, blog posts like this feel like a veneer to us. Slow,
vulnerable and poorly secured.

~~~
smartbear
Hi this is Jason, founder of WP Engine.

1\. The password is question is stored _by WordPress_ in plaintext on disk.

2\. It was transmitted to you inside our SSL-secured support system, because
you requested it.

3\. We maintain Pingdom reports on all our competitors, so I know for a fact
that our uptime and speed is superior, in general.

HOWEVER -- I do NOT DISAGREE with your characterization that you might have
seen slowdowns, poor support, etc.. With 1000s of customers, one thing we see
all the time is a handful who, for whatever reason, really do have a terrible
experience with us at every turn -- technical and human -- and it's just bad.

Of course there's the opposite end of that range of luck, and the huge
majority who are happy and don't experience those things in those doses.

It's always frustrating to hear that you've had that experience -- all the
more because I'm sure you're not exaggerating.

It's some consolation that we get praised daily on Twitter for just the
opposite -- that shows we're not, in fact, just completely awful as you're
implying.

But not much, because it always sucks to see even one customer have a series
of bad experiences as you have.

~~~
dpark
Doesn't WordPress support hashed passwords?

[http://codex.wordpress.org/Function_Reference/wp_hash_passwo...](http://codex.wordpress.org/Function_Reference/wp_hash_password)

------
dangrossman
Did I miss it, or did none of the investigating and none of the hiring of 3rd
party firms lead to tracking down the attack vector?

~~~
snowwrestler
I came away with the same impression--they have no idea how it happened.

In their defense though, Wordpress by default lets site administrators
directly edit PHP template files through a browser textarea. That means a lot
of security is riding on user-set passwords.

Normally I'd say that could be mitigated by denying apache write access on the
core files. But doing so would break the ability for users to initiate core
updates via the web browser.

So if you can break/guess an admin password, you can upload arbitrary PHP code
which has full write access to the appplication files. There's not really any
way to secure that. I'm sure that's why Wordpress.com does not run individual
full instances of Wordpress--it's the world's largest multisite installation
of Wordpress and site owners can't touch the core files.

------
mendable
Possibly the most impressive thing is the disclosure they are hosting 30,000
sites.

At the lowest monthly plan cost of $29/mo/site thats a $10MM+ annual revenue
business created in just 2 years.

Good job!

~~~
patrickgzill
But some plans can have an unlimited number of sites, I think.

------
rdl
Ironically the security of Wordpress being so bad is why I'd use an outsourced
host in the first place. It is one of the pieces of software I hate to run,
and if I do, it goes on a dedicated vm.

------
iSloth
So the plan is leave this vector open (as it was never found) and just try to
secure the file system a bit more...

Surly that could leave the same vector open to none file system attacks, ie
MySQL?

~~~
drone
There's a good chance that if it's not a previously known vector, they've
contact the author of the component with some opportunity to fix it before
it's publicized and resulting in attacks from new parties.*

* I neither agree nor disagree with zero-day disclosure policies. I'm just noting the possibility that they could be aware of the vector and would rather not share that information yet, for various reasons.

~~~
dangrossman
If they knew the source of the attack and closed the hole, they'd want to have
said so. They don't need to say what the hole is or how they closed it to do
that much.

------
pbreit
I wonder if Cloudflare's free, 5 minute setup plan would have helped them?

~~~
snowwrestler
How would Cloudflare help if the site is already compromised?

~~~
pbreit
Referring to before.

