WordPress is secure, until you combine it with people

So yesterday a fellow named Jason Cospers at WPEngine, one of the higher-end hosting services for WordPress sites, put up a post on their corporate blog titled “WordPress Core Is Secure — Stop Telling People Otherwise”.

During the summer of 2009, WordPress took some knocks in the web publishing community for a series of security vectors that were exploited. The internet realized WordPress could become huge, and aimed some criticism and blog posts in the hopes of making sure WordPress would be secure enough for the crowds of end-users it was attracting…

WordPress core developers responded, and in the months that followed, collectively added patches and tightened up security across the board to make WordPress one of the most secure CMS’s on the internet. That was four years ago. An eternity in terms of technological innovation.

This is all correct. WordPress used to be an absolute horror show in terms of security (and code quality in general). But it has gotten steadily better over the last few years, and now the core downloadable WordPress software is pretty solid.

Cospers concludes from this history that WordPress has this security thing taken care of:

Looking at the evidence, it’s time to put the debate to rest. Maintaining security is an on-going process, and constant vigilance is essential. But, the core team has done an amazing job to ensure the security of WordPress, and will continue to do so as the platform continues to grow.

But, we’ve reached a point in the history of the internet where WordPress has earned a reputation for its security. It’s time to act like it.

This is the bit where he and I part company. While I agree with him that WordPress itself is pretty solid security-wise these days, I don’t think that says much about the security of WordPress sites at all. The reason has less to do with the quality of WordPress as a software product and more to do with a mismatch between the way it expects people to work and the way people actually work.

There are two major ways, in my experience, that people don’t behave the way WordPress requires them to in order to keep their sites secure.

The first is: they don’t update the software. If you download WordPress today and set up a site on it, you’ll be pretty secure — today. But the Bad Hackers are always out there thinking up clever new ways to break into software; which is why pretty much any software connected to the public Internet requires periodic updates to close out new attacks as the Bad Hackers come up with them.[ref]Actually, there is one exception to this rule: qmail, a mail server written by Daniel J. Bernstein and designed explicitly for security. The version of qmail in current distribution today originally shipped in 1998; between then and now, exactly one (1) exploit has been found, and it’s not even clear if that one would work against an actual production deployment of qmail. But very, very few programs are engineered the way qmail was; suffice it to say that WordPress is not one of them.[/ref] WordPress is no exception to this rule.

Software that requires updates can either download and apply those updates automatically, or it can require a user to do that. WordPress takes the latter approach; it doesn’t update until you log in and tell it to. And many, many, many people simply never do that. They set up their WordPress site, get it looking the way they want, and then forget about it. Time passes, security updates come out, and those sites never receive them; they become more vulnerable each and every day.

The second is: they load up on plugins and themes. One of the big things that attracts people to the WordPress ecosystem is the huge number of free and low-cost third-party extensions available for it. The problem is that the code quality of these add-ons is nowhere near the code quality of WordPress itself.

Well, that’s not 100% accurate; there are some very well-written plugins and themes out there. But there are also a lot of them that are not so great. That’s not because the people who write them are evil, it’s just because it’s so easy to write a WordPress plugin or theme that lots of people without much programming experience do it every day. That opens up programming to lots of enthusiastic new people; but it also means those people frequently haven’t learned the hard lessons about security that more experienced programmers have, so they make lots of rookie mistakes.

None of that would matter much if WordPress did something to ensure that a flaw in a plugin or theme can’t compromise your whole site. But it really doesn’t. So all it takes is installing one bad plugin or theme to make all that work irrelevant.

But users don’t understand any of this. They just see free software that looks like it’s going to do something cool, so they plug it into their site without a second thought.

All of which is a (long-winded, I know) way of saying that WordPress suffers from a problem that many software products do: it expects its users to be something they are not.

Cospers demonstrates this further down in his post, saying “WordPress users must be responsible for their own security, maintain strong [p]asswords, and keep plugins and themes up to date, as well as WordPress itself.”

That’s certainly true, but here’s the catch: we know people don’t do this stuff. We know. We have years and years and years (decades!) of experience observing how non-technical people use software, and all of it tells us that normal people don’t do this kind of system-administrator stuff, no matter how important we tell them it is or how many times we repeat that message. They’re busy people, they have lots of stuff to worry about; updating WordPress is pretty far down the list. It becomes one of those “yeah, I’ll get to that one of these days” things that people never actually get around to, like going to the gym or eating more vegetables.

This mismatch sets users up for a kind of whiplash. We get them in the door by shouting “WordPress is easy! Anyone can run it! No tech expertise required!” And then when they don’t act the way professional systems administrators do, we shake our heads and say “what’s wrong with you? Don’t you have any tech expertise?”

I suppose one approach to solving this problem would be to shout at the users more loudly about the importance of updates and being judicious in what add-ons you install. But like I said above, that won’t work. Users don’t update software, and they don’t do code reviews before installing plugins, and there’s no evidence that they’re going to start if we shout at them loudly enough.

So what’s the alternative?

A wise person once told me that when your software doesn’t fit your user, it’s almost always easier to bend the software to fit the user rather than bend the user to fit the software. Shouting at people to Do The Right Thing is trying to bend the user to fit the software; to change themselves to make the software’s life easier. So what would it look like if WordPress took the other course? If it adjusted itself to fit the user as they actually are?

It might look something like this:

1. It would update itself. WordPress’ updater is a really smart, sophisticated piece of software. It makes updating WordPress easier than updating almost any other piece of software. But its fatal flaw is that it will never run until a user clicks a button telling it to run — a button that lots of users will never click. This is why consumer-oriented software in general has moved towards simply updating automatically. Google Chrome, for instance, famously updates itself completely silently; the user is never told the update even happened unless they ask.

The argument for not having WordPress update itself is that updates might break poorly-coded themes and plugins. But the alternative is having an ecosystem that is so tolerant of badly written add-ons that it leaves tons of sites insecure, which is just unacceptable.

If you’re really worried about breaking those add-ons, give the user a way to opt out of the automatic updates — preferably a way that requires a little technical knowledge to activate, like a flag in the configuration file. But the default should be to get the updates and be secure.
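As an added illustration (not part of the original post), here is what that “secure default, technical opt-out” looks like with the automatic updater WordPress shipped in 3.7: the constants belong in wp-config.php, the filters in a small must-use plugin. The constants and filter names are WordPress’s own; the “fragile-plugin” slug is a placeholder.

```php
<?php
// ---- wp-config.php ----------------------------------------------------
// Secure default: core takes every automatic update, minor and major.
define( 'WP_AUTO_UPDATE_CORE', true );

// The opt-out the post describes: a flag that takes a little technical
// knowledge to find. Uncomment only on a site where updates are staged
// and applied by hand; leave it undefined (or false) everywhere else.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );

// ---- wp-content/mu-plugins/auto-updates.php ---------------------------
// Must-use plugins load on every request and cannot be deactivated from
// the dashboard, so a casual click cannot switch the policy off.

// Plugins and themes are the weaker link; opt them in as well.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// If one plugin is known to break on update, exempt just that plugin
// instead of turning updates off site-wide. The slug is a placeholder.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && 'fragile-plugin/fragile-plugin.php' === $item->plugin ) {
        return false; // this one plugin stays on manual updates
    }
    return $update;  // everything else keeps the default decision
}, 10, 2 );
```

The result is the inversion the post asks for: a neglected site still receives fixes, and the exception has to be written down in a file rather than left to a button nobody clicks.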

2. It would make installing plugins and themes harder. Wait, this is WordPress, right? The software that aims to be easy? Am I really arguing that it should make a commonly performed task harder?

Yes. Yes I am.

Currently installing plugins and themes is a single-click process — find something that looks cool, click, you’re running it. Which would be fine if you were protected from bugs in that software; but in this case, you’re not. So we’ve got a process that feels casual but actually is not, which is asking for trouble.

A simple speed bump in the installation process would force users to think a little bit before installing new stuff, which might in turn get them to look a little more closely at what they’re installing before they install it. Just throw up a warning screen that tells people the security risks plugins and themes can introduce, and asks them to confirm that they want to proceed. Users with no technical experience won’t understand the text of the warning, but they have been trained by other software to recognize that warning messages mean they need to tread carefully. Those who have technical experience will be more able to evaluate the risks the specific plugin imposes.

I can hear plugin and theme authors howling now that such a speed bump would cut down the number of people who install their software. And they’re right! It totally would. But cutting down the number of plugin and theme installs is a feature, not a bug. Many of these things are installed incredibly casually, without any thought at all, and then never used or updated. But each one increases the attack surface your site presents to a potential hacker. Each one potentially makes you a bigger, riper target. You should be aware of that before you install them.

(Again, if you want to, let users opt out of this warning via a configuration flag or the like. But the default experience should be that you have to click through it.)

This post shouldn’t be taken as a slam on WordPress particularly; I use it for this site, and in my business, and I recommend it to people all the time. It really is a good piece of software. I’m writing it because this type of “our software would be secure if only our users weren’t idiots” mentality comes up in all sorts of different software projects, and it needs to be pushed back on.

A system that is only as secure as its user is diligent is insecure. WordPress is (or should be, anyway) better than that.

UPDATE (January 16, 2014): It’s worth noting that as of WordPress 3.7, the software can now update itself, removing my complaint #1 above. Good work, WordPress devs! This is a big step forward.



May 9, 2013
9:43 pm

Users will just click through that. They’re well-trained to do it with SSL errors and with that Windows version of gksudo.

What I find works well for at least avoiding automated attacks (which I believe is what the majority of the attacks that earned WP’s reputation for poor security were) is to set an htaccess password on the wp-admin/ directory.