Tuesday, May 27, 2014

WordPress: unsafe at any speed

EFF technologist (and creator/maintainer of cool privacy tools) Yan Zhu noticed that WordPress still does not secure its session cookie, meaning users at the local Starbucks can have their accounts hijacked.

I first popularized this problem in 2007 at BlackHat with my Hamster/Ferret tools, hijacking an audience member's GMail account (I probably shouldn't have done that -- but the demo was otherwise not working). Eric Butler then released a much easier tool called Firesheep which really got the ball rolling: my tool was for hackers, but Firesheep made it so anybody could exploit the bug.

Google quickly fixed their servers over the next two years. Yes, relative to everyone else, this was "quick" -- it took everyone else much longer. Today, it's considered standard that when you log into a website, the entire session must be encrypted with HTTPS.

But not so WordPress -- apparently they haven't even started working on solving the problem. It's been 7 years since this has been in the news, and they still haven't thought of dealing with it.

But, this isn't even the worst problem. On WordPress.com, their login screen is served via HTTP. Cookie hijacking only gives the hacker the current session, but not your password or the ability to make major changes. Unencrypted login forms allow a local hacker (sitting next to you at Starbucks) to steal your password as you log in. Since you are probably a dufus and use the same/related password for all your other accounts, this means the hacker can steal everything.
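Both problems described so far are visible from the client side, so they can be checked rather than taken on faith. The following Python is an added example (not code from the original post, and not WordPress code) that audits a fetched login page and the Set-Cookie headers of a login response: it flags any form containing a password field whose action is not an https:// URL, and any WordPress authentication cookie issued without the Secure or HttpOnly attribute. The HTML, the cookie values and the `abc` hash suffix are constructed sample data; the `wordpress_logged_in_` and `wordpress_sec_` prefixes are the names WordPress uses for its logged-in and secure-auth cookies.

```python
"""Audit a login page and login response for two weaknesses: a login form
submitted over plain HTTP, and a session cookie issued without Secure/HttpOnly.
Added example with constructed sample data; not captured from any real site."""
import re
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlparse

# Constructed sample: a login page served over http:// whose form posts back over http://.
PAGE_URL = "http://blog.example/wp-login.php"
PAGE_HTML = """
<html><body>
<form name="loginform" id="loginform" action="http://blog.example/wp-login.php" method="post">
  <input type="text" name="log"><input type="password" name="pwd">
</form>
</body></html>
"""

# Constructed sample: Set-Cookie headers from a successful login response.
# The "abc" suffix stands in for the per-site hash WordPress appends to cookie names.
RESPONSE_SET_COOKIES = [
    "wordpress_logged_in_abc=alice%7C1401234567%7Cdeadbeef; path=/; HttpOnly",
    "wordpress_sec_abc=alice%7C1401234567%7Cfeedface; path=/wp-admin; secure; HttpOnly",
    "wordpress_test_cookie=WP+Cookie+check; path=/",
]

# Only the cookies that actually authenticate a session are audited; the test
# cookie above carries no secret and is deliberately ignored.
SESSION_COOKIE_PREFIXES = ("wordpress_logged_in_", "wordpress_sec_")

FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.IGNORECASE | re.DOTALL)
ACTION_RE = re.compile(r"""\baction\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
PASSWORD_RE = re.compile(r"""<input\b[^>]*type\s*=\s*["']password["']""", re.IGNORECASE)


def login_form_targets(page_url, html):
    """Return the absolute URLs that forms containing a password field submit to."""
    targets = []
    for attrs, body in FORM_RE.findall(html):
        if not PASSWORD_RE.search(body):
            continue  # no password field, so not a login form
        match = ACTION_RE.search(attrs)
        action = match.group(1) if match else ""  # empty action submits to the page itself
        targets.append(urljoin(page_url, action))
    return targets


def insecure_login_targets(page_url, html):
    """Login targets that would carry the password in cleartext (anything not https)."""
    return [t for t in login_form_targets(page_url, html) if urlparse(t).scheme != "https"]


def cookie_findings(set_cookie_headers):
    """Map each session cookie name to the list of protective attributes it lacks."""
    findings = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # one Set-Cookie header per call
        for name, morsel in jar.items():
            if not name.startswith(SESSION_COOKIE_PREFIXES):
                continue
            missing = []
            if not morsel["secure"]:
                missing.append("Secure")    # cookie will be sent over plain HTTP
            if not morsel["httponly"]:
                missing.append("HttpOnly")  # cookie readable by injected script
            findings[name] = missing
    return findings


def audit(page_url, html, set_cookie_headers):
    """Human-readable list of findings for a login page and its login response."""
    report = [f"login form posts over cleartext to {t}" for t in insecure_login_targets(page_url, html)]
    for name, missing in cookie_findings(set_cookie_headers).items():
        if missing:
            report.append(f"cookie {name} is missing {', '.join(missing)}")
    return report


if __name__ == "__main__":
    for line in audit(PAGE_URL, PAGE_HTML, RESPONSE_SET_COOKIES):
        print(line)
```

Run against the constructed sample, the audit reports the cleartext form target and the `wordpress_logged_in_abc` cookie lacking Secure, which is exactly the pair of conditions that lets someone on the same wireless network read the password at login and replay the session afterwards. On a self-hosted install, setting `define('FORCE_SSL_ADMIN', true);` in wp-config.php is the WordPress option that moves login and admin traffic to HTTPS; the audit is a way to confirm that it (or the hosting provider's equivalent) actually took effect.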

As it turns out, this may not even be the worst problem. The standard WordPress configuration is built on the LAMP (Linux-Apache-MySQL-PHP) system, which has been obsolete for more than a decade. The problem with LAMP is that it doesn't scale.

The result is that once you start writing a lot of blog posts on your WordPress blog, SEO bots (search engine optimization robots) will start spidering your blog, downloading a copy of all the posts and comments. This frequently overloads your server, taking down your blog. People just learn to live with it, with friends occasionally complaining that they can't get to the blog.

I know several people who've had this problem, and have partially solved it with CloudFlare. This gets rid of most, though still not all, scalability issues.

The upshot is this: WordPress is fundamentally broken in every way something can be broken. There's no way to secure it. There's no way to make it fast enough without spending a lot of money. If you are starting a new project, do not under any circumstances use WordPress. If you are stuck with WordPress, well, then, it sucks to be you, I know of no way to help you.


EJ said...

What's your definition of scalable? Nothing about "lamp" causes it to be inadequate to host a WordPress site that is write rarely, read often.

scriptjunkie said...

Oh come on now, I use the client SSL authentication addon at scriptjunkie.us, which makes it invulnerable to those attacks you mentioned as well as many others and is certainly better than just about any other authentication mechanism there. The caching addons and options ensure the pages only get generated once when changed and are then kept in static file caches and make using CDNs easy. You're acting like the junk that is wordpress.com represents the failings of the WordPress software, which is really ignorant.

Backrow said...

Mr Graham makes another post that he will have to apologize for/take back/walk back in a few days.

Seriously Rob, this post is just disinformation and advertising for CloudFlare.

Zac said...


FML: "invulnerable"

thanks, I needed a good laugh.

Brian Carnell said...

@scriptjunkie Yes, you *can* add plugins, etc. to WordPress to enforce SSL authentication, but it's insane that in 2014 this requires such extra steps.

Same thing with limiting login attempts... you can set up WordPress to lock out an IP address if a user tries to, say, log in as "admin" with password guesses, but again you have to add a plugin or other script.

So what, right? Except those plugins get a lot less attention than the WordPress core itself.

It's just irresponsible that WordPress spends more time constantly changing the admin theme but ignores very basic security features.
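The login-attempt limiting the comment above refers to is simple enough to show in full. The following Python is an added example (not WordPress code and not any particular plugin): a sliding-window throttle that counts failed logins per source address and username, locks that pair out for a fixed period once the threshold is reached, and rejects further attempts during the lockout without even evaluating the password. The thresholds, the addresses and the event log are constructed; a deployment would keep this state in a shared store rather than process memory.

```python
"""Per-source login throttling with a sliding window and temporary lockout.
Added example with constructed thresholds and events; not a WordPress plugin."""
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures allowed inside the window before locking
WINDOW_SECONDS = 600    # sliding window over which failures are counted
LOCKOUT_SECONDS = 900   # how long a locked key stays locked


class LoginThrottle:
    """Tracks failed logins per key (here: source IP plus username) and decides
    whether a new attempt may be evaluated at all."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lockout expires

    def _prune(self, key, now):
        """Drop failures that have aged out of the sliding window."""
        recent = self._failures[key]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]  # lockout has expired; start counting afresh
            return False
        return True

    def record_failure(self, key, now):
        """Record a failed attempt; returns True if this failure triggered a lockout."""
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            self._failures[key].clear()
            return True
        return False

    def record_success(self, key):
        """A successful login clears the failure history for that key."""
        self._failures.pop(key, None)


def replay(events, throttle=None):
    """Feed (time, ip, user, password_ok) events through a throttle and return
    the decision for each: 'ok', 'fail', 'locked' (this failure triggered the
    lock) or 'blocked' (rejected without the password being checked)."""
    throttle = throttle or LoginThrottle()
    decisions = []
    for now, ip, user, password_ok in events:
        key = f"{ip}|{user}"
        if throttle.is_locked(key, now):
            decisions.append("blocked")
            continue
        if password_ok:
            throttle.record_success(key)
            decisions.append("ok")
        elif throttle.record_failure(key, now):
            decisions.append("locked")
        else:
            decisions.append("fail")
    return decisions


# Constructed sample: a burst of guesses against "admin" from one address, an
# unrelated user logging in from another, and a retry after the lockout expires.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "admin", False),
    (1, "203.0.113.7", "admin", False),
    (2, "203.0.113.7", "admin", False),
    (3, "203.0.113.7", "admin", False),
    (4, "203.0.113.7", "admin", False),    # fifth failure: lock for LOCKOUT_SECONDS
    (5, "203.0.113.7", "admin", True),     # correct password, but still blocked
    (6, "198.51.100.2", "editor", False),  # different key, unaffected by the lock
    (7, "198.51.100.2", "editor", True),
    (4 + LOCKOUT_SECONDS, "203.0.113.7", "admin", False),  # lock expired, counted afresh
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", decision)
```

Keying on the address and the username together means one guesser cannot lock every user out of the site, while a single attacker rotating through usernames still accumulates failures for each one. The cost is visible in the sample: during the lockout even the correct password is rejected, so the window and lockout lengths are a trade-off between slowing guessing and inconveniencing the real account owner.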

Unknown said...

There's a solution: Varnish! Varnish stands before Apache and caches all the data.

Heath Trivett said...

What's your definition of scalable? Nothing about "lamp" causes it to be inadequate to host a WordPress site that is write rarely, read often!