How We Are Improving the Security of WordPress Plugins

While tens of billions of dollars are spent on security, a quick look at the news shows that this spending doesn’t appear to have much impact. That isn’t because more money needs to be spent; it’s that the money is largely going to companies that have little, if any, interest in actually improving security. When it comes to security solutions for WordPress, that is unfortunately, but not surprisingly, the case. When solutions are marketed as protecting against threats that are not happening, and their developers seem to have no understanding of real threats such as the security of WordPress plugins, it follows that they are not going to improve security. By comparison, as part of our service we help to improve security for every WordPress website, while providing our customers additional benefits. Here is what we do to improve the security of plugins:

Notifying Developers of Unfixed Disclosed Vulnerabilities

When it comes to improving the security of plugins, some things could easily be done by any company, but still are not done by anyone other than us. One of those things is to notify the developer of a plugin when an unfixed vulnerability has been publicly disclosed in their plugin. If the developer doesn’t know about a vulnerability, they have no chance to fix it, so simply notifying them often leads to it being quickly resolved.

In one instance of that, which we discussed on our blog, a vulnerability was added to another data source for plugin vulnerabilities used by many WordPress security services, but none of them notified the developer. If we were not around, the vulnerability would likely still be in a plugin with 400,000+ active installs. Once we did notify the developer, the vulnerability was fixed within days. For our customers, the benefit here was knowing they were vulnerable before it was fixed, having us available if they needed help dealing with the situation before it was fixed, and also knowing that the vulnerability has been fixed (while the other data source was never updated to list the vulnerability as fixed).

In the past, we notified the Plugin Directory of unfixed disclosed vulnerabilities after giving the developer a chance to resolve them. That led to the plugins being removed from the directory until they were fixed, which protects those not already using the plugin. We have suspended doing that, in part due to WordPress’ continued poor handling of warning people already using plugins in that type of situation.

Checking to Make Sure Vulnerabilities Are Fixed

When adding a new vulnerability to our data set, we check which versions of the plugin are vulnerable, so that our customers have accurate information on vulnerabilities in plugins they use or are looking to use. Through that, we have often found that vulnerabilities have only been partially fixed or not fixed at all. That is a very big problem if the vulnerability is one that hackers would be interested in exploiting. Thankfully, we can usually work quickly with the developer of the plugin to get the vulnerability fully fixed.

Monitoring For Zero-Day Vulnerabilities

When it comes to the poor state of security, even we are sometimes surprised. One thing we didn’t expect when we started this service was to find that no security companies were monitoring WordPress plugins for new zero-day vulnerabilities, that is, vulnerabilities that are being exploited before the developer is even aware of them. Without doing that, services that claim to protect websites from being hacked are unlikely to be able to protect against those vulnerabilities. Through our work doing that, we have found many such vulnerabilities and helped to get them fixed, probably preventing many more websites from being hacked through them.

Proactive Monitoring of Serious Vulnerabilities

We monitor changes being made to plugins to try to spot vulnerabilities in plugins that are likely to be exploited. By doing that, we can help to protect our customers from more potential threats to their websites. When those vulnerabilities get fixed by the developers before hackers have had a chance to exploit them, that helps not just our customers but everyone using those plugins. If we had more customers, we could expand this to help get even more types of vulnerabilities fixed, which is something you can’t say about other WordPress security services.

We run plugins used by our customers through that monitoring on a weekly basis, so that even if the plugins haven’t been updated, we can catch vulnerabilities in them.

Tools to Help Identify More Vulnerabilities

We have developed tools that make it easier to identify vulnerabilities in WordPress plugins.

The first is a plugin that makes it easier to check if PHP object injection vulnerabilities, which are highly likely to be exploited, actually exist in plugins.

The second is a tool that does limited automated checks of WordPress plugins for various types of vulnerabilities and has already played a part in identifying fairly serious vulnerabilities in plugins.

The third is a tool to show what custom REST API routes are public on a website. While having publicly available routes isn’t a security issue on its own, custom routes from plugins might not be properly secured, as we found was the case with a plugin from Automattic’s WordPress VIP.
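As an added illustration of that last point (example code written for this page, not the tool described above or any real plugin's code): a custom route whose `permission_callback` simply returns true is callable by any unauthenticated visitor, while the corrected registration gates the same endpoint on a capability check and validates its input. The namespace `example-plugin/v1`, the `/settings` route, the option name and the function names are all assumed.

```php
<?php
// Added example, not code from the page's tool or from any real plugin.
// Assumed names: namespace "example-plugin/v1", route "/settings",
// option "example_plugin_settings".

// BEFORE (shown for contrast, deliberately not hooked): '__return_true'
// makes the route public, so anyone who can reach /wp-json/ can POST
// to it and overwrite the plugin's settings without logging in.
function example_plugin_register_weak_route() {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => '__return_true',
    ) );
}

// AFTER: the callback only runs for a logged-in user holding the
// manage_options capability (administrators by default), and the
// request argument is typed, required and sanitized before use.
function example_plugin_register_hardened_route() {
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'footer_text' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_plugin_register_hardened_route' );

// Shared handler: by the time this runs, the hardened registration has
// already rejected unauthorized callers with a 401/403 REST error.
function example_plugin_save_settings( WP_REST_Request $request ) {
    update_option( 'example_plugin_settings', array(
        'footer_text' => $request->get_param( 'footer_text' ),
    ) );
    return rest_ensure_response( array( 'saved' => true ) );
}
```

When reviewing a plugin, every `register_rest_route()` call whose `permission_callback` is missing or is `__return_true` is worth a second look, since that is exactly what makes a custom route show up as public.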