Checkmarx security report

If you’ve been reading WordPress news this week, then you know that the security firm Checkmarx, which specializes in a security code review product, released a report claiming that 10 of the top 50 WordPress plugins (or, “20% of the top 50”) were vulnerable to security exploits. The report has been picked up by some fairly notable places, including Slashdot, and unfortunately may contribute to the incorrect perception that WordPress is insecure.

As we’ve covered before, WordPress is secure.

As a leading managed WordPress hosting provider, WP Engine takes potential security issues very seriously. Our customers trust us to stay vigilant and to take proactive steps that keep their sites safe 24/7. Along with world-class security architecture, and partnering with Sucuri Security to constantly monitor your sites for suspicious activity, we are the only WordPress hosting provider to offer a security guarantee to all our customers.

When a potential security vulnerability is disclosed – publicly or privately – WP Engine evaluates the attack vector and takes appropriate steps to mitigate it as necessary.

We’ve taken appropriate and proactive steps to ensure the security of our customers.

In the interest of contributing to a security dialogue, we also want to walk through the claims made by Checkmarx, including whether they would affect WP Engine customers (or not). We also want to address the best practices for how security firms disclose vulnerabilities.

In this post, you’ll read about:

  1. Why WP Engine customers are in good hands
  2. What the report actually reveals about these plugins
  3. How members of the security community should properly disclose vulnerabilities like the ones alleged in the white paper.

Are the plugins vulnerable? Are you at risk?

While the report claims there are vulnerabilities, in reality, no specific vulnerability has been disclosed for any of the plugins in the report.

Rather, the firm has done a generic analysis of potential common vulnerabilities, and identified that about 10 plugins out of 24,000, “20% of the top 50 plugins”, might be vulnerable, according to Checkmarx’s standards.

WP Engine is currently looking into the claims of the report. This includes the simple task of backtracking to discover which plugins are potentially vulnerable, and then evaluating the report’s claims against them. Although the plugin names were blacked out, enough identifying information remained to identify them.

We’re also taking steps internally, and with Sucuri Security, our security partner who helps our teams monitor all customer sites for security, to make sure we continue to stay ahead of security vectors.

To restate, at this time, the report has not disclosed actual vulnerabilities, only potential ones. We’ll go into that more in a moment.

How Your Sites are Secured at WP Engine

We have a page where we detail our extensive security and countermeasures for our customers. These measures include:

Disk Write Protection and Limitations

By limiting what files and programs can actually write to the WP Filesystem, WP Engine makes it close to impossible for a theme or plugin that *does* have a vulnerability to have any effect on the site itself. Basically, disk write protection is like keeping all the doors and windows to your house locked. If no one can get into your house, they can’t do much damage.

Since we limit what can write to disk, we also log everything that does. This gives us a great forensic record for evaluating suspicious activity. Nothing without explicit disk write privileges – generic PHP code, for example – can affect the filesystem, and anything that might be suspicious is logged and evaluated.

Script Protection

Certain scripts are known for having vulnerabilities. TimThumb is one of the more famous examples of a script with a vulnerability that was exploited. Scripts like this with known vulnerabilities are blocked. Those with security patches available are updated automatically. We also monitor for script patterns that are potentially malicious and block those too.

Disallowing Certain Plugins

We keep a close eye on all the plugins our customers run, and through providing support for their sites, we sometimes run across plugins that have security vulnerabilities or aren’t scalable. As soon as these are discovered, we take steps to remove them from all customer sites for their protection. Then we privately disclose the security issues to the plugin developers.

If there is a plugin with a vulnerability that has been disclosed by a reputable source, typically all of the managed WordPress hosting providers will be notified so that we can collaboratively take steps to protect all of our customers. We all work together on security for the sake of all our customers.

When we discover a plugin that has a vulnerability, we first take immediate steps to remove it from all WP Engine servers. Once we’ve established that our customers are secure, then we reach out privately to the plugin developers with recommendations on how to patch. Here is the complete list of disallowed plugins.

Understanding the Nature of the Report

Now onto the claims of the Checkmarx report.

Reporting a security vulnerability is a big deal. Security vulnerabilities, regardless of size, are sensitive issues for all involved, and can potentially affect the credibility of plugin and theme developers. In some ways, how a vulnerability is disclosed is as important as the patch that is suggested. We’ll elaborate on that in a moment.

Since a public report like this might come off as fairly damning to each of the plugins listed, it’s important to break it down and analyze exactly what claims are made.

It’s always a good idea to check the reputation of the source. Doing a bit of research, we can see that Checkmarx is a security firm with some credibility in the industry. However, to date, they have not shown much involvement in the WordPress community or the open-source project.

This report looks to be their first step towards engaging WordPress as a whole.

Of course, we enthusiastically welcome new businesses who want to join the WordPress community, particularly those who share WP Engine’s passion for ensuring top security for every WordPress user.

Analyzing the Report

The next thing we want to look at is what type of report this actually is. In corporate marketing circles, this style of report is commonly referred to as a white paper. The report was widely distributed and advertised. Upon inspection, we can see that the report has been carefully crafted to introduce Checkmarx, and their products, to millions of WordPress users.

However, since it purports to be a security disclosure from a reputable security firm with honest intentions to contribute to the already considerable security of WordPress, we also want to look at the methods Checkmarx employed to disclose the vulnerabilities. I talked with Dre Armeda of Sucuri Security to understand the best practice the InfoSec community follows when disclosing security vulnerabilities:

  1. The person or organization who finds the security vulnerability privately discloses it to the developers.

  2. The folks who found the bug recommend the specific action that needs to be taken and propose a fix, should they have one.

  3. A timeframe is worked out for a patch to be released.

  4. Only after the patch is released is the vulnerability disclosed publicly. This prevents hackers from having an easy target to exploit: once a vulnerability is disclosed, automated processes to exploit the vector are typically written and deployed within hours. Private disclosure avoids this.

In this instance, it’s not clear whether Checkmarx has contacted any of the plugin developers outside of the four they list in their report. Nor is it clear if they’ve made any attempts to contact the major WordPress hosts, like WP Engine, to address the concerns.

Rather, it appears the report was created and released like a press release. The tactic plays on the reality that WordPress and its plugins have previously had security issues. However, as we’ve stated, if users stay up to date, use strong passwords, and host with WP Engine, they remain remarkably secure.

Even though the report makes an attempt to anonymize the names of the plugins, there is still enough identifying information for anyone to look in the repository and see which plugins are potentially vulnerable. The report also narrows down how they are vulnerable, leaving breadcrumbs for hackers to follow.

Are Your Sites Secure?

To wrap up, if you’re hosted on WP Engine, your sites are in great hands. WP Engine is the leading secure WordPress hosting platform. We’re taking steps to identify any potential vulnerabilities that might have been called out in this report. If further action needs to be taken on behalf of the security of our customers, we will take it. We’ll also work closely with other hosting providers to ensure the continued security of all WordPress users, regardless of where they host.