Episode 509: Security With Tim Nash: What To Do With These WordPress Vulnerabilities
Show Summary
This podcast episode is a conversation between Rob Cairns and Tim Nash about a recent surge of WordPress plugin and theme vulnerability reports. Tim, a WordPress security specialist, explains why he no longer reads the weekly aggregate lists: most entries are minor, already-patched bugs, often the same flaw found across many plugins by one researcher, and CVSS scores overstate risk for web applications because every web issue is reachable over a network. He argues instead for per-site alerting with a proper risk analysis, proactive patching, a consistent software stack across client sites, and a web application firewall (WAF) that sits outside WordPress rather than a plugin defending itself from inside. The discussion also covers why in-WordPress malware scanners and backup plugins are weak (malware routinely disables Wordfence, and the prepended WAF file is not scanned), why free WAF rule sets that lag behind paid ones are too slow when exploitation windows are measured in hours, and why small sites are attacked by automated bots regardless of size. Finally, they stress that site owners should be paying somebody, whether a host, an agency, or a service, to look after their security.
Show Transcript
Hey everybody, Rob Cairns here. Today I’m here with my good security friend, Mr. Tim Nash. Hey Tim, how are you?
Hi. I’m doing all right. We’re recording late in the evening for me and sort of mid-afternoon for you.
But you’re getting the very low-energy, low-key vibe from me this evening.
We’ll go for the chilled pack.
I should have sent you the coffee before we went to record. Right. You know,
I’ve got a cup of tea, which is probably a bad idea after like five o’clock. So, we can re-record this if you like at 3 in the morning when I’m up with the jitters.
Yeah, I get it. So, you know, we were talking before we went to record. And lately, we’ve seen this big influx of plugin and theme security problems. The SolidWP list was well over 470 last week, give or take, which I believe is a record for them. Somebody at Solid can hit me over the head if I’m wrong, but I don’t think so. Sucuri puts out a list, and other things have happened. But before we jump into that, ironically, our poor friend, Mr. Oliver Sild, over at Patchstack, had an issue this morning. I don’t know if you saw it or not, but a security company’s X account managed to get hacked today. And I feel for Oliver, because you and I both know Oliver and I don’t wish that on anybody. But how did that happen? I wonder.
Well, I mean, this is the thing where you’re sort of going, you should never make fun of somebody else’s ill will, and Schadenfreude will get you every single time. But yes, there’s something particularly ironic when security companies get hacked. And it’s just the nature of the beast. You can take all the steps in the world, and if something is misconfigured somewhere along the line, some sort of compliance step hasn’t been taken. From the little bit I saw, and I really haven’t paid much attention to it other than seeing it and going, “Oh,”
but from the little bit, it doesn’t sound like it was any sort of session hijacking or anything like that. The password had been reset, which implies the person had the password to start with. So they were talking that maybe it was SIM-jacking, but I was under the impression that most of the people who worked at Patchstack were actually based over in the EU. Maybe one of them’s in the States. And it’s not that it’s necessarily that much harder to SIM-jack in the EU and Europe than it is in the States, but the mechanisms are a little different and the telecoms’ processes are slightly more robust, as I guess we could say. So it seems a bit more surprising that that would be the route in, but of course it doesn’t mean that somebody wasn’t just wandering through New York at the wrong time.
Yeah.
But yeah, what an unlucky one.
Yeah, I would agree. And I’m not picking on Oliver. Patchstack is kind of one of my WordPress security sources of trust. I think his team does a really good job. It’s just that when this happens to a security company, people look at it and say, well, you know, and they don’t understand the complexities that you and I and Oliver understand about what goes on, right? So,
yeah. And again, from an outsider’s perspective, from what they’ve said, they took all the right steps.
And I mean, that’s something they could take heart from. It also makes you go, okay, well, if we take all the right steps and this still happens, I can totally see why some people go, “Well, why should I bother?”
Yeah.
Maybe that’s just a hint. Time to leave X, or Twitter, or whatever we’re calling it this week.
Yeah. Depending on the flavor of the day. So today I thought we’d jump in and talk about why we’re seeing recent vulnerabilities. And you and I were talking, and you said you don’t spend a lot of time looking at security lists yourself. How?
So, there was a point in my life where every week there were four or five lists I would pay attention to, and I would go through and pick out interesting vulnerabilities. I’d mark the ones that I thought were important for my clients. And over time I started doing this less and less. Now, part of this is because I have well-trained clients who, on the whole, know that they should be keeping up to date ahead of these vulnerabilities. Vulnerabilities that are appearing on these reports in most cases should already be patched and the plugins released. SolidWP is actually a good example of a company that does this quite well, where they release how many have been patched versus unpatched. And if I’m going to look at a list, what I’m interested in is the unpatched list.
Of course,
I’m interested in the ones that have problems. But it’s worth remembering that the vast majority of vulnerabilities, while they are vulnerabilities, are also just bugs and are not necessarily being actively exploited, and the risk to the clients varies dramatically. And so when we see something saying there are 481 new vulnerabilities, quite often 400 of these will have been discovered by the same person, and it will be the same bug that’s just replicated through all the plugins in one go.
We often see these big sweeping statements, and when you start looking down into it, normally what’s being patched is very minor. The other problem we have with these sorts of vulnerability reports is they often rely on CVSS scores,
which are a pile of... they’re just pointless.
Yeah.
The risk analysis that’s done, it’s not the vulnerability researchers themselves. They’re doing the correct analysis according to our agreed standard. It’s just that our agreed standard, when it comes to working with web applications, sucks, and it massively overemphasizes the fact that the issues can be exploited over a network, and you’re like, well, duh, it’s a website,
of course it can be done over a network. But consequently it’s deemed much more of a risk than it would have been if it couldn’t be done over a network because it was a piece of software that sat on your hard drive. So the combination of all of these things, but the main one being that as long as my clients are managing their patches well, and most of the clients who cannot be in that scenario are using some sort of virtual patching system, Patchstack being an example where you can use one, means that the instantaneous aspect of it isn’t necessary. So we’re still picking up, and we’re still being alerted, whenever there is a vulnerability for a given plugin.
So against all my client sites, I know if the individual plugin has a problem, because I’ll get a separate alert, away from these big lists,
and from that I can then do a proper risk analysis on it and decide whether or not it is. And that analysis will either be, okay, this isn’t going to actually affect this client or any of my other clients, so it just becomes a warning and we bin it. And you’ll be amazed how many times I will not even mention it to a client, even though it might be doing the rounds and hitting the main news sources, and it will still be, actually, this risk is so low that we’ve got the mitigations in place already. We’ve got the procedures in place to deal with this; we don’t need to worry about it. Other times I’ll look at something and go, oh,
yeah, that’s not patched, that’s a problem for us. That particular scenario really affects this client here; we need to go deal with that. And that might be we’ll turn off the plugin, that might mean we’ll put in rules, we’ll modify their WAF, or we’ll do something, we’ll apply our own patches. And quite often, if I’m applying a patch and I’m managing any part of that hosting, we’ll use something called Snuffleupagus, which is a PHP module that allows us to, in real time, virtually patch
something without touching the codebase, which is a really useful tool but very, very dangerous. So if you don’t know what you’re doing, please don’t install it, because it can completely screw you up very quickly. But maybe if it’s something like that, we can use Snuffleupagus to change the way that the code works if we have to. But more often than not, we’ll just put in a WAF rule to prevent what’s going on. So with that in mind, these become fear-mongering tools.
Yeah, to some degree I agree. The other thing you have to look at, and what I would say to any other agency out there, so if you’re a shop where you’re doing a lot of new builds, what I would suggest is get a software stack. So if you use this contact form, use that contact form on all your sites. Use this, use this, use this, and then if your stack is as customized as possible, then at least you know if you’re dealing with this at A, you’re dealing with this at B, and you’re dealing with this at C. Where we see a lot of this stuff usually is with Elementor, because of the way the codebase runs. So what happens with Elementor is you get one plugin that’s compromised, and because they all use the same codebase and APIs and backend stuff, we end up with 50 of them pretty well compromised. I’m exaggerating, but you get the idea, right? So I think, didn’t we see this a couple of years ago with Freemius? Didn’t our friends over at Freemius have a problem, and we had like 400 plugins impacted in one day or something?
Yeah. And I mean, the approach of having a stack and sticking to it is a really good approach, especially if you are a build shop.
Yeah.
I have a client who has close to a thousand sites, all built on a very similar build, and that’s fantastic. It makes it very efficient. They can operate well. Obviously, when they suddenly need to patch a thousand sites very quickly, their deployment servers go into overtime. And as long as you’ve got a good automation and deployment pipeline, not a problem. If you’re manually logging in to every one of your 500,000 sites to update,
oh, this is going to feel horrible. And maybe all of a sudden you’re there going, why did I use this form? Why did I not spread the risk?
Um,
and I guess there are pros and cons to that. But just as an example, I brought up the Solid vulnerability report because we just mentioned it at the beginning, and there appear to be about 10 Elementor-based add-ons in this. I mean, as you said, there were 486 vulnerabilities,
give or take. Yeah.
Yeah. So they’re not quite at 10%, but there are sort of 5% of all the plugins being discovered with vulnerabilities that week that happened to have the word Elementor in their title. Now, that’s not Elementor the main plugin. That’s all the various add-ons and things for them,
which I think also shows the dominance of that of Elementor and its ecosystem as well.
Yeah, I wasn’t really picking on Elementor. It was just an example, because it happens, right? And we know this.
You talked about using software firewalls. So we know Patchstack, there’s Wordfence, there’s Sucuri, there’s a couple of others. Do you have a preference?
None of them.
Okay.
I mean, having WordPress implement a firewall inside WordPress core itself is not ideal, because things shouldn’t defend themselves where possible. You really want this out to a dedicated application. Most of the time, if I’m configuring and managing things for a client, I will use a separated WAF, and that’s a completely separate WAF appliance. Now, that ultimately is a Linux box running dedicated WAF software, and then that passes back through. Sometimes we will use Patchstack’s virtual patching solution, especially for clients who maybe don’t have a very large budget, or where, even if we have clients with very large budgets, there are legacy software stacks that we cannot bring into a good routine for maintenance and automation towards updates. The sort where you wish them well, put them on Patchstack, throw them in the corner and go, “Please don’t come back to us. We don’t know about you.” Isolated as far away from the rest of the world as possible. But generally, it really does depend on what the end client’s using. That could be something like ModSecurity. For my own personal stuff, I have for a couple of years now not used either Apache or nginx, and so I have been using something called Caddy as my HTTP server, and Caddy has some amazing WAF security options. So I use a Caddy module for all of my own personal stuff. But for clients, if we’re going down the nginx route, or indeed going down Apache, I tend to use a centralized appliance which will have ModSecurity on it. ModSecurity is old and gets a lot of stick because it can be a bit slow, but it’s pretty efficient.
The problem people always seem to have is that they don’t know how to use it properly, and they will rely on third-party rules. I seem to be taking a grind at people, but a good example is within Plesk you’ve got things like Imunify360 and its rules, and they are trash. They are just
they’re awful.
You will just block your users, and it’s like, what did you do? You tried to use the website. How dare you? So you can find really good rule sets, and over time I think every sysadmin, and particularly if you’re on the security side of things, starts customizing their own rule sets, and these become your little babies that you carry around and take from client to client. And so I have my own customized rule set that is very much focused around what I think is important. And yeah, it works really well. The only thing it can’t do is because the WAF is meant as a shield. It’s the thing you throw in last. You want everything to be solid behind you,
and everything to be up to date and there to be no major problems. And then the WAF is the thing you throw in front of it, either as an emergency because you haven’t got time to fix something, or as a, oh no, we didn’t notice that. So we’re just going to have this shield that we’re going to fling in front of us. Consequently, more often than not, if it’s a WAF that’s not part of the WordPress stack, it can’t get the feedback from the WordPress stack. So it doesn’t actually know what the user was trying to do.
Yeah.
It can just see the URL and the payload, and it has to guess. So you do get false positives using them, and it’s not as intuitive, but it does stop an awful lot of the basic attacks. Mind you, simply having your site up to date will stop even more. So,
yeah, we’ve talked about that in past shows. And the other thing I’ve got to stress here: small business owners always say nobody’s going to attack me because I’m small. And I would argue, yes, they’re going to attack you, because small business owners, unless they pay somebody like Tim or pay somebody like me, probably don’t keep their site up to date. So they become even a bigger target sometimes than big sites, because what attackers do is go after small compromised sites and use those small compromised sites to attack bigger sites. Right.
Well, it’s not even about the size of the site. Whenever a vulnerability comes out, someone will come out. We’re going to pick on Elementor today, because clearly I’ve got them in my head now. So let’s say there’s a vulnerability in Elementor, which has happened, but generally, you know, we don’t want massive plugins like Elementor to have vulnerabilities that can easily be exploited. But let’s say, for the sake of argument, and there really isn’t, but let’s say for the sake of argument, Elementor announces a big vulnerability that allows an unprivileged user, so that’s someone who’s not logged in, to manipulate the URL of a website and be able to change the wp_options table.
A vulnerability that’s definitely happened many, many times over the years. But we’ll go and say this is with Elementor. Well, what will happen next is someone will take that and turn it into an exploitable piece of code that can then be added into scrapers and hacking tools, and they’ll sell that, and they won’t bother doing it themselves. They’ll just sell it on, and then script kiddies. So when we say script kiddies, we’re not talking about actual kids. We’re just talking about the next person, the next link in the chain. It’s a big business, a corporation, who will now buy that, and then they will load it into their tools, and their tools will go along from website to website to website, looking to see if that vulnerability works.
It’s not quite phone-directory level, but it is almost: start at the top and work our way down till we find one that works. And you can watch this if you manage a server where you might have multiple sites; you can watch as it hops from site to site to site. And as you do, you’ll see that they make the same exploits, the same attacks, and they’ll keep going through. They’ll rotate their IPs. Once they’ve got onto one, they’ll start up their script, their tools, on that site, and that site will then start looking for the vulnerabilities on other sites, and so on and so on, until it grows and grows the network out. And so a vulnerability affecting something like Elementor, which would be millions of sites, can suddenly have taken control over lots of sites very, very quickly. But it’s not the size of your site that it cares about. You could be a million-pound site. If that vulnerability was on that site, it will still get infected. Because the big thing for all small businesses to take away is no one’s hacking you. There isn’t a person sitting there going, I’m going to hack Rob’s site. It’s not like that. It’s a bot, and it’s just processing through a list. You are an item on a list. And it’s not even you; an IP address and a domain name is an item on a list, and that’s all your site is to them. And once your site is compromised, all it is then is a resource,
and about how much can we exploit this resource. The only saving grace you might have as a small business is that you might be on really bad shared hosting, and you’re not worth very much in terms of resources, because your email’s blocked; your server provider’s probably blocking your email. And ironically, the cheaper the hosting, normally the more
nasty the WAF, because they’re used to being compromised and they don’t want their servers compromised, because there will be hundreds if not thousands of sites on them.
So, yeah, I don’t know what you can take from that other than if you’re going to be cheap, be really cheap.
Yeah. And it’s funny, because most of us say to stay away from cheap hosting
for other reasons.
Oh yeah. I mean, obviously, from any other perspective, they are rubbish. And the thing about cheap hosting is that you get exactly what you pay for. And if you are hacked on a cheap host, that cheap host is not going to help you. They’re going to lock your site down and then they’re going to say, “Hey, give us $500 and we’ll clean up the hack.” And what that really means is they’ll just delete your WordPress install and then hand you back a broken site and say, “There you go, I did it.” So it really isn’t worth buying cheap hosting. But the other side of that is the irony that the cheaper the host, normally the better the WAF they’ve got installed, because they care about their infrastructure far more than they care about their customers.
And that’s saying a lot, but that’s, you know, another story. So at the end of the day, I can agree with you. You’ve got to be careful what you run inside WordPress, and that’s why you go that route. The other thing we know that doesn’t work well is malware scanners inside WordPress. I think that’s the biggest mistake going, because why would you scan from inside the infected, or possibly infected, area? Like, that doesn’t make any sense either, does it?
No, I mean, we’ve picked on Elementor. Let’s pick on Wordfence for a minute,
I like that idea,
just for the sake of it. So I think it’s a testament to Wordfence’s ubiquity, to how many sites have Wordfence installed, that malware now is written to turn off Wordfence.
Yep.
And it makes sense. I’m a bad actor. I arrive on your site. I look and see Wordfence. What do I do? I turn off Wordfence. I disable its access to its rules. I delete myself from the logs. I am not there anymore. If that is your line of defense and I have control of the line of defense,
you’re
I’ll just turn it off.
Yeah.
Now you don’t have one. And all of the plugins that do similar things have exactly the same problem. In a similar vein, people who use backup plugins to back up WordPress. And you’re like, but what if? Apart from the whole resource usage, the backup plugin will be making that request from the web server, and the web server is almost certainly going to run out of resources at some point, and the memory limits and all that stuff. Just the more practical thing of something backing up itself,
if you think about it for more than two seconds, doesn’t sound like a good idea. So that’s why you would use a third-party backup tool, your own backup, whether that’s a shell script, whether that’s a third-party service or something. In a similar way, you don’t want to have your security being done inside WordPress, because anything that has breached it... And of course Wordfence is a good example where they have a WAF that interacts, and in theory you can have the WAF act first. You can prepend their file. Very rarely do I see that implemented, and one of the big problems Wordfence has is Wordfence is installed in the vast majority of places and not configured properly.
But then, down to that, their documentation is appalling. So I don’t blame anybody, because most people install it, activate it, and think, “I’m done.” It’s like, “Well, you haven’t. You’ve done nothing.”
They’ll get a scan saying, “Oh, you’re clean.”
Most people install the plugin and push the activate button and away they go. Right. And
my favorite one was a client who told me they had Wordfence installed, and they did. They just hadn’t activated it.
Oh, great.
That’s even better.
Well, they installed it. They were right. They installed it. It just wasn’t active. But even if you do have it activated, you need to go through the steps if you are going to use their WAF. And you know, I’m never going to say don’t use something that’s there, because I don’t want to be the person who said turn off your security plugin and then you get hacked. But if you are going to use Wordfence, you do need to do a couple of things. One of which is look at doing the prepend. Now, you can do that either in your .htaccess if you’re on Apache, or if you’re using nginx with PHP-FPM, you can add that to your PHP-FPM pool config. And basically you can then call wordfence-waf.php, which would be in the root of your site, and that can then be used so that before any PHP script runs, that file will run first, and that will trigger their WAF, which is useful. A couple of things to bear in mind. When Wordfence scans all its files, would you like to have a guess at which file it doesn’t scan? The
PHP?
The wordfence-waf.php file,
because it’s the one it can’t do, because it’s part of that wordfence-waf.php. There’s a bit above it that says please add whatever configs or things you need to have running before we run here. So if you put your malware in the WAF file, it won’t get detected.
Oh, wonderful. But the other thing,
nobody’s listening to this show, by the way, right?
Yeah. It’s fine.
The other thing to bear in mind is that Wordfence releases their free rules every 14 days or so.
Yes, they do.
The horse has already bolted. Well, when we’re talking about infections and we’re talking about these lists, we’re seeing the time to exploitation, so the time between someone saying there’s a vulnerability and it actually being exploited, being reduced, and
no question
we’re not talking 14 days anymore. We’re talking
hours.
Yeah. For a big vulnerability, certainly hours. So let’s go back to our fake Elementor vulnerability that gets launched. It gets announced, pushed onto Wordfence, the update’s been done, and then you’re still going to get infected even though you had Wordfence installed, because you don’t have the current rule set. If you’re going to go down the Wordfence route, it’s a bit like paying your Apple tax. You do have to pay for the upgrade to the premium version if that’s the route you want to go. At which point, if you’re paying for this, and I think it’s worth emphasizing, people probably should be paying for some sort of security.
Yeah.
Now, that could be through your managed host, that could be through your development partner,
but somewhere along the line, you should be paying somebody to look after your security. And once you’re looking at the sort of Wordfence premium options and their response bits and pieces, it suddenly opens up a wider conversation of, do I want to be with these people? Do I want to be with Patchstack? Do I want to go to SolidWP? Do I want to go to somebody like me, somebody like yourself?
Um,
What I should also tell you, SolidWP’s back end is Patchstack. I don’t know if people know that or not, but it’s worth mentioning.
Yeah.
And Patchstack’s got some really good integrations now with a bunch of people. I think quite a few of the managed hosts are now using Patchstack, and certainly using Patchstack to get the vulnerabilities, not necessarily for the virtual patching. SolidWP’s firewall is actually just the virtual patching from Patchstack. I don’t think it does anything else anymore.
It used to be something slightly different, but I think they’ve moved over relatively recently.
Yeah. So that kind of covers it off. I think we’ve given some people some hints and said, really, security comes down to who do you trust, right? We all know that. And I can look at a list of 480 like that and say, “Yeah, but I’m not using most of this stuff, because I don’t trust all these people anyway. So it doesn’t matter.” So we need to stop always looking at the big numbers and kind of drill it down and say, really, is this impacting me or is it not?
I mean, there were 486 plugins on this list.
Yep.
I am quite a long way in, still in the Cs, but I’ve yet to find one that I actually know. And I see, oh, Contact Form 7.
What else? What else is new, by the way? But yeah, it’s important to emphasize that plugins have vulnerabilities for a range of reasons. Any plugin can be caught out. We’ve all written really crap code in our lives. We will all continue to write really bad code. Some people will do it through just not knowing better, and some people will do it out of sheer laziness.
The other thing we didn’t mention in our big run-through was that we’re going to see a lot more of an increase as people start to realize that they can use tooling, not necessarily AI directly, but they are going to start realizing, hey, I can actually use automated tooling to find these vulnerabilities and report them. And as we’ve become more mature in the way we handle security as a community, and you have got these bug bounty schemes going by people like Patchstack, by people like Wordfence, you are going to see this low-hanging fruit appearing an awful lot. So I wouldn’t be terrified at big numbers. I
would encourage people to look at them though.
I wouldn’t be either. And a good example, if we go to the personal computing side, is Windows. Microsoft patches vulnerabilities the first Tuesday of every month on Patch Tuesday. And they’ve done this for years. And we know their cycles. And we know that if something really key comes up, they’ll issue that patch right away. And you don’t see the business world going away from Windows yet. Vulnerabilities are found every month and every day, right? So I think we
have to be in that mindset. Whether it’s apocryphal or not, there is the tale that I always loved, this idea that Patch Tuesday happens and vulnerabilities come out on a Wednesday.
Yep. It’s true. Exactly the point, because the minute they’re disclosed and you’re not patched, away we go.
Yeah. No question.
Tim, do you have any workshops or anything coming up worth talking about?
I don’t at the moment. This year has not gone quite according to my plan, but I am in the process. I did a user security workshop last year, and I’m in the process of turning that into a much larger course, which I was hoping to get launched in Q1; it’s probably looking at Q2 now. But if people are interested in learning more about the user security side of WordPress, then go on my site, timnash.co.uk. Go to the bottom or click newsletter at the top. Sign up to my newsletter, and when I am ready, I will shout it from the rooftops.
I’m sure you will. And we’ll shout it here too. Tim, thanks so much. Have yourself a wonderful day, as always.
And to you too.
Thank you.