A few years ago, the WordPress team shifted how they thought about security: instead of supporting the software, they would support the users.
“The first lesson that we learned was that users are more important than software,” WordPress security team lead Aaron Campbell said at the DerbyCon conference in Louisville, Ky. earlier this month. The video of Campbell's presentation is available.
The WordPress team decided that keeping users secure went beyond fixing the bugs in the software and regularly releasing updates. Protecting users meant accommodating how they were using the software, too. As part of that responsibility, the WordPress team decided to keep supporting older versions of the software still being used, rather than sticking to an arbitrary end-of-life schedule and withholding security fixes in order to force users to upgrade to later versions, Campbell said. It wasn’t an easy decision, since it meant the team has to backport security fixes to make sure they apply to older WordPress versions.
“That sucks for us as a security team,” Campbell said. “But it's absolutely the best thing for our users.”
Essentially, we're working to try to wipe those versions from existence on the internet, and bring people forward.
As the most popular content management system—with a market share of 60 percent among all CMS platforms and installed on over 32 percent of all Internet sites—WordPress is a very attractive target because a single exploit can potentially compromise hundreds, if not thousands, of sites. Site owners aren’t always prompt about updating the core CMS software and the third-party plugins and themes they may be using. The Magecart team, the ones behind recent attacks on British Airways and e-commerce giants Newegg and Ticketmaster UK, have targeted online stores running the WooCommerce plugin for WordPress, according to security researcher Willem de Groot. Earlier this year, Check Point researchers uncovered a malvertising campaign that redirected traffic from 10,000 WordPress sites using outdated versions of the software.
“We are working on potential ways to try to shorten that up,” Campbell said, referring to the time it takes for users to move to newer branch versions and releases. “We don't want to do it by dropping support for older versions that people are still using.”
This mindset is unusual in the software world, as most developers set an end-of-life date and nag users into upgrading to later versions before the older version is retired. While a bulk of users eventually do upgrade, it rarely happens by the deadline, which means there is a window of time where the users don’t receive security fixes and are vulnerable.
It’s also a tremendous time commitment, especially since the bulk of the WordPress security team is made up of volunteers. If the volunteers can’t keep up with the work required to develop and test security fixes for older versions, a sizeable number of sites on the Internet could become vulnerable.
Securing users is way more complex than just securing software.
One of the ways the WordPress team addresses the difficulties of getting users to regularly update the software is by automatically rolling updates into existing installations. The platform introduced an auto-update mechanism with WordPress 3.7 in 2013, and it is turned on by default for all new installations. The auto-update won’t move users across new major releases (it won’t move 3.7 users to 3.8, for example), but it ensures that sites that haven’t manually disabled the auto-update mechanism are getting the security fixes.
“The only way to get users to upgrade and use the secure version is to do it for them, which is how we ended up with automatic updates,” Campbell said.
According to WordPress statistics, 65.8 percent of WordPress sites are on version 4.9 (the latest is version 5.2), and 29.8 percent of users are spread out between 4.0 and 4.8. While there are still users on the older 3.x (4.4 percent), auto-updates have helped keep the bulk of WordPress sites on newer versions, Campbell said.
“Essentially, we're working to try to wipe those versions from existence on the internet, and bring people forward,” Campbell said.
However, there is a limit to just how much can be auto-updated. Site owners get update reminders within the WordPress dashboard. They also see an alert if they are using an older version of PHP, which then paves the way to update the core WordPress, as well. Auto-updates don’t work with pre-3.7 releases (because the mechanism didn’t exist before 3.7), so there are about 2.4 percent of sites that WordPress can’t touch.
“It is not an easy problem to solve, but we're working on it,” Campbell said.
There was some discussion a year ago to automatically upgrade sites using 3.7 to 4.1, but the team ultimately decided against the move because it could cause users to lose trust in the system.
Even if nothing breaks, many users would find it a little unsettling about having their site’s backend dramatically changed without permission.
The other part of the security challenge is managing the vast ecosystem of third-party plugins that make it possible to do practically anything on WordPress. The team collaborates with authors of the most popular plugins in the repository to make sure the plugins follow secure coding practices and to share security updates in advance so that the patches can be tested against the plugins, Campbell said.
There appears to be a side benefit to this collaboration: developers copying the techniques used by these larger projects are indirectly adopting the best practices for their own plugins.
WordPress also collaborates with industry partners, such displaying inside the Google Search Console dashboard training materials on how to migrate to newer WordPress versions. It has partnerships with Cloudflare and GoDaddy to block malicious traffic on the network level before it can reach the sites running vulnerable code.
WordPress is also working on Tide, a project to calculate and display a five-star rating for each plugin, with Google, XWP, and other companies. The Tide score gives site owners an idea of the plugin's code quality and security, such as whether the code follows modern coding techniques.
“Securing users is way more complex than just securing software,” Campbell said.