The WordPress security team’s biggest battle is not against hackers but its own users, millions of which continue to run sites on older versions of the CMS, and who regularly fail to apply updates to the CMS core, plugins, or themes.
Speaking at the DerbyCon cyber-security conference earlier this month, WordPress Security Team lead Aaron Campbell gave the public an insight into how the WordPress team has been addressing this issue for the past years.
He described this process as a shift of focus. He says the WordPress team decided a few years back that instead of keeping the software secure by patching bugs, they’d focus on keeping users secure, both through software and their actions.
“The first lesson that we learned was that users are more important than software,” Campbell said in front of a live audience.
“There were a couple of small things that focusing on users brought us some clarity on, and simplified a little bit,” he added.
The primary issue was with millions of users still using older versions of WordPress to power their sites. Those older versions were technically secure, but the users running those sites faced more risks than users running more recent versions.
Following long internal discussions, the WordPress team decided to support these older versions not on a fixed end-of-life scheduled, but because so many users were still using them.
This decision came with its drawbacks and the biggest was the need to backport recent security patches for older WordPress versions, some of which are now five years old.
Securing users is way more complex than just securing software.
— Aaron Campbell
“That sucks for us as a security team,” Campbell said regarding the patch backporting process. “It really does! But it’s absolutely the best thing for our users. And because that’s where we set the measure of success, that’s what we do.”
“We are working on potential ways to try to shorten that up, maybe support a year back, but we don’t want to do it by dropping support for older versions that people are still using,” he added.
“Instead, we’re working on figuring out ways to roll those versions forward automatically without breaking sites for people, and essentially we’re working to try to wipe those versions from existence on the internet, and bring people forward.
“It is not an easy problem to solve, but we’re working on it,” Campbell said.
One of the ways through which the WordPress team has been addressing the problem of older WordPress versions is through auto-updates, a mechanism introduced with WordPress 3.7, released in 2013.
Auto-updates is turned on by default for all new installations and has played the biggest role in keeping the bulk of the WordPress sitebase on the most recent branches, albeit a few percentiles remain on the older 3.x and 2.x releases.
For the rest of the users, Campbell says the WordPress team is focusing on user education and collaborations with the tech industry as a whole.
For example, the WordPress security team has been working with Google to display training materials inside the Google Search Console dashboard, to warn and help users migrate away from older versions of their sites.
The WordPress team has also created an alert that shows inside the WordPress dashboard itself. This alert appears when users are using an older version of PHP for their sites. The thinking is that by luring users into updating their PHP hosting environment, users will also look into updating WordPress itself.
But besides focusing on rolling WordPress users to recent branches, the WordPress team has also worked on raising the security of the entire ecosystem as a whole.
Campbell says the WordPress team has been collaborating with the authors of the most popular plugins on its Plugins repository. It’s been helping these plugins follow best coding practices.
This has yielded great results, Campbell said, as smaller plugins have now started to follow (or steal) the coding techniques used by these larger projects, and indirectly have raised the security of their own plugins.
In addition, the WordPress security team has also been working with Google, XWP, and a few other companies on a project called Tide that would show a five-star rating under each plugin.
Called a “Tide score,” this rating is meant to give users an indicator of the plugin’s code quality and security, and if that code respects modern coding techniques.
Campbell says the project’s name comes from the concept that “raising the waters everywhere lifts all ships.”
But besides a shift in focus from software to users, the WordPress security lead has also admitted that improvements were also needed inside the security team itself, which in recent years has been going through a modernization process.
One of the issues they addressed was of their internal tools. Campbell said that the use of outdated systems like mailing lists and IRC channels has led to many situations where outside researchers reported security flaws, but as discussions on how to fix the security bug progressed inside the internal mailing list, the outside researcher was being kept out of the loop.
These incidents resulted in security researchers concluding that the WordPress team does not care about security bugs, an opinion that sometimes ended up in news reports or angry social media rants.
Campbell said the WordPress team has gotten a lot better over time at handling bug reports by moving to more modern tools like Slack, Trac, or HackerOne, and by bringing in new people who were maybe not that good at fixing security flaws but were better at communicating with outside researchers.
WordPress is today’s largest website content management system, with a market share of nearly 60 percent among all CMSes, and currently installed on over 32 percent of all Internet sites, according to W3Techs.
Campbell’s full DerbyCon presentation is available below. The entire talk is worth a listen.