The Register is reporting about a new “Zero Day” vulnerability in WordPress installs that run TimThumb. LockerGnome wasn’t at risk, because we hate WordPress Plugins. That isn’t to say we are completely plugin free; it is hard to have a WordPress install without the SiteMap plugin. But other than that, we are pretty much plugin free.
Whenever we do work with plugins, we end up rewriting them. This doesn’t always make them more secure, but it does make them different. While people knock “security through obscurity,” you can’t be hacked via a bot that just tries known exploits over and over if your site runs a non-standard version of the software. So at least when we get hacked it will be by someone who genuinely hates us rather than someone who wants to sell herbal Viagra.
TimThumb is actually one of the plugins we actively avoid. Not because we knew it was faulty, but because we didn’t really want to read every line of code to find out it wasn’t.
In general, the things to look for in plugins to make sure you aren’t getting a bad one include:
Avoid anything that uses CURL to a domain you don’t trust; the same goes for FOPEN.
Don’t run anything that uses the “EVAL” function, as it executes code from strings, and this is an easy place for attacks.
Don’t run anything that auto updates. Despite the convenience, auto updating code can go from good to bad overnight. This puts you at risk.
Don’t run anything that adds or intercepts upload capabilities. (TimThumb, for example) Most things that just run and don’t take uploads — or “dial home” — can’t do things that are that bad. There are exceptions, but for the most part, if the plugin’s code lives in a little box, it can’t hurt you.
With WordPress, it’s not just plugins that can bite you. Lots of themes have a “Functions.php” that adds to WordPress functionality. This is a very common place for hackers to bury code that gives them a back door to your site. This is really a problem WordPress brings upon itself. WordPress doesn’t have themes or templates — it has APIs that people have built pages around. A theme would work more like a Mad Libs. Today is <date>. This is my post titled <title> <post>. But that isn’t how WordPress themes work; they are “do code.” Here is some stuff that doesn’t change “do more code” and in the middle of what seems like a perfectly benign bit of template can be something that says “if Amazon link, replace affiliate ID” or “add invisible link to porn site.”
I don’t even agree with Google’s Web master tools sending “update your WordPress” announcements. I like to know that my software won’t explode. Lots of people got tripped up on the 2.3.1 upgrade that required that all your posts be UTF8 or they showed random weird characters. That isn’t so great for SEO or user experience.
The really short version is: if you don’t read every line of code, you don’t know what is broken. If you don’t change a few bits here and there, you also are as vulnerable as everyone else.