How a team of "security researchers" is putting the WordPress community at risk

One of the basic truths of our world is that no one is perfect. Everyone makes mistakes, and this includes programmers. Every computer program or complex piece of web software has flaws, but thankfully most of them are found and fixed quietly before anyone is harmed. Recently, though, a team of so-called “security researchers” has been publishing vulnerabilities they find in WordPress plugins without first giving the developers a chance to fix them. What does this mean for you, and how can you protect your website?

What makes someone a hacker?

One major distinction separates hackers from security researchers. Security researchers seek to discover vulnerabilities and help software makers fix them, while hackers exploit vulnerabilities for nefarious reasons. Most large software companies work together with security researchers to find vulnerabilities in their software. For example, Apple offers large bounties — between $25,000 and $200,000, depending on the type of issue — for vulnerabilities found in the macOS and iOS operating systems. Not every company offers bounties, but most publish a disclosure policy that tells researchers how and where to report. Security researchers perform essentially the same kinds of actions as hackers to find vulnerabilities; the difference is that security researchers follow the software maker’s reporting process and give them time to fix the problem before anything is made public.

WordPress also has a process for reporting vulnerabilities in plugins. A researcher is asked to contact the plugin author directly first; if the author cannot be reached, the researcher should email the WordPress plugin team, who will contact the plugin author and make sure the issue gets patched.

The worst way to handle any vulnerability is to publish a complete proof of concept before a fix exists, because any hacker can then reproduce the issue step by step. A vulnerability that is disclosed or exploited before the software maker has a patch available is known as a “zero-day,” because the maker has had zero days to address it. Responsible researchers generally release their findings only after the software maker has fixed the issue. At the very least, they provide ample warning before publishing — typically 30 days or more, and often 90 days or longer for complex or critical issues.

Last week’s Social Warfare plugin exploit

Last Thursday, a vulnerability in the Social Warfare social sharing plugin was publicly disclosed. The plugin’s creator issued a patch less than two hours later and alerted their users, but in the meantime hackers exploited the vulnerability, redirecting traffic from sites that use the plugin to pornographic sites. This happened because the aforementioned self-proclaimed security researchers (we will not name them because we do not want to promote their work) published a zero-day proof of concept, and hackers quickly took advantage of it.

At issue is the fact that the team claims to be security researchers, but they didn’t follow the WordPress protocol and instead published the vulnerability with no warning. To take things a step further, the company has threatened to continue to publish vulnerabilities they find because they want WordPress to allow them to publish them on the WordPress public forums. Their request has been denied for obvious reasons. The company also offers a $100/year subscription “service,” so it appears that the company’s desire is to use the WordPress forums to promote their paid service, and they’re willing to essentially blackmail them with zero-day exploit publications to get their way.

Are they actually security researchers — “good guys” helping the community — or are they hackers? It’s somewhat of a murky middle ground as they haven’t exploited anything themselves but provided hackers the resources to easily do so. They’re certainly not helping the community by publicly publishing zero-day vulnerabilities, and it wouldn’t be a stretch to consider the company a hacking organization because their activity aids hackers.

What does this mean for your site?

Unfortunately, it’s unlikely that this situation will be resolved any time soon. WordPress has taken a clear stance against allowing the company to publish zero-day exploits to their forum (and for good reason!), so it’s likely that this company will continue their behavior in a misguided, if not malicious, effort to promote themselves. With that in mind, what can you do to protect your site?

  1. Install a security plugin. We’ve mentioned this before in our 4 security tips article, but installing a security plugin is one of the best things you can do to protect your site from the majority of issues. Wordfence and iThemes Security are popular choices.
  2. Use a web application firewall. If you want to go further, a web application firewall filters malicious requests before they reach WordPress and can absorb DDoS traffic. (Note that a firewall alone does not stop man-in-the-middle attacks; serving your site over HTTPS is what protects against those.) Cloudflare is the most popular choice, and NinjaFirewall offers a solution at the WordPress level.
  3. Use fewer plugins. We’ve discussed this issue specifically before in our article, How many plugins does your website need? As that article states, there’s no hard number of plugins that is considered “too many,” but the more plugins you have on your site, the more possible flaws exist. Take extra caution with plugins that haven’t been updated in a while, but understand that even plugins that are frequently updated can have issues. This was the case for the Social Warfare plugin in the most recent exploit — the company updates its plugin frequently and offers fast, responsive customer service. They simply made a mistake, and the wrong people discovered it first.
  4. Most importantly, keep your website, themes, and plugins updated. The Social Warfare plugin had a fix ready in a matter of hours, but any site that hasn’t applied the update is still vulnerable. Make sure to keep every aspect of your website up to date so that any issues are patched quickly. To learn more about how to keep your site up to date and change the settings for which aspects are updated automatically, see our article, How to enable WordPress automatic updates.
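The fourth tip is the one that would have closed the Social Warfare window within hours, so here is an added example of how to switch automatic updates on. This is example code written for this article, not code from WordPress or from any plugin author; the filter names are real WordPress hooks, while the file name, the plugin allowlist and its slugs are assumptions for illustration. Save it as a must-use plugin (for example wp-content/mu-plugins/auto-updates.php) so it loads before every other plugin.

```php
<?php
/**
 * Plugin Name: Force automatic updates (example)
 *
 * Added example for this article, not part of WordPress core or any plugin.
 * WordPress already applies minor core (security) releases automatically on
 * most installs; this file also turns on updates for themes and plugins.
 */

// Core: keep minor (security) releases automatic and allow major releases too.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Themes: update every installed theme automatically.
add_filter( 'auto_update_theme', '__return_true' );

// Plugins: update automatically. The filter receives the current decision and
// the update item for one plugin; $item->slug is the plugin's directory slug.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // Assumed allowlist for illustration. Leave it empty to auto-update every
    // plugin; fill it in if a specific plugin has broken your site on update
    // before and you want to update only the rest by hand.
    $allowlist = array( 'social-warfare', 'wordfence' );

    if ( empty( $allowlist ) ) {
        return true;
    }

    return isset( $item->slug ) && in_array( $item->slug, $allowlist, true );
}, 10, 2 );
```

Two caveats: automatic updates run from WP-Cron, so a site that gets no traffic (or has cron disabled) may not update until someone visits it, and the constants AUTOMATIC_UPDATER_DISABLED and DISALLOW_FILE_MODS in wp-config.php override every filter above and must not be set to true if you want this to work.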

Despite this issue and the ongoing concern with a company currently dedicated to publishing zero-day exploits publicly, WordPress is still a secure platform. WordPress has many security researchers dedicated to helping the community, and most of the time, they’ll catch any potential issues first.