As of the beginning of 2019, WordPress powers 33% of the top ten million websites, confirming it as the most popular and widely used blogging and CMS platform again. Such popularity attracts a lot of attention, and application security software companies which typically focus on security solutions for custom web applications are now also interested in WordPress, and developing security solutions for WordPress sites.
One software development company that is showing a lot of interest in WordPress, and which has also developed a free security tool to help WordPress site owners, is High-Tech Bridge. Today we are interviewing Ekaterina Khrustaleva, the Chief Operating Officer of High-Tech Bridge, to talk about HTB’s interest in WordPress and how they are helping site owners build more secure websites.
Can you please introduce yourself and High-Tech Bridge?
My name is Ekaterina Khrustaleva, and I am the COO of High-Tech Bridge. During my studies at Harvard and Oxford universities I learned a great deal about technology; however, my daily tasks lie in international business growth and strategic alliances.
High-Tech Bridge is a global provider of web and mobile Application Security Testing (AST) services. Our major product is a SaaS platform called ImmuniWeb® AI that brings penetration testing of web and mobile applications to the next level, leveraging capabilities of Machine Learning to accelerate testing and considerably reduce required human time.
Why do web applications, WordPress and others, remain the weakest link in corporate cybersecurity?
Web applications are being used more than ever before, and everywhere. They are used for simple hobby and small shop sites, and to conduct complex tasks such as online banking, administering clusters of servers, navigating satellites, trains and planes.
What previously required mainframes and thin clients is today delivered via web and mobile apps compatible with any device. So, the demand for web applications has grown exponentially, and hence they have also become the main point of attack.
Moreover, most of the web applications are still either custom made and written from scratch, or have a considerable degree of code customization thus being susceptible to a great variety of security flaws and attacks.
Last but not least, very few organizations currently have an up-to-date and comprehensive inventory of their web assets. Consequently, forgotten, and thus unmaintained and vulnerable, applications and APIs proliferate on the Internet. In fact, we have developed ImmuniWeb® Discovery, a non-intrusive online discovery service that helps businesses gain absolute visibility of their web assets, including domain names, SSL certificates and unprotected cloud storage (e.g. AWS S3 buckets).
You focus on scalable corporate AST products that leverage AI/ML enhanced with manual testing. However, you do have an interest in WordPress because it is often mentioned on your blog. What triggers this interest?
WordPress is the most widely used content management system in the world, and a lot of our clients are using it. It is a very powerful platform with thousands of plugins and themes that are developed by third-party companies and volunteers.
Obviously, with such a variety of third-party software there are no guarantees that every developer follows best security practices and performs a security assessment of the code they publish. As a result, we often discover previously unknown vulnerabilities in WordPress plugins or themes – the so-called zero-days.
Many web security professionals are not fans of WordPress. They see it as a very insecure application. What is your opinion on this and why?
WordPress by itself is a very secure platform. The core developers do their best to maintain a proper level of security and are very transparent regarding security patches.
However, because it is so easy to use, many who do not have any previous experience in maintaining websites use it to set up a website. And usually these websites have one of the three major problems below that usually lead to website compromise:
- Outdated software – the majority of breaches occur due to the use of a vulnerable version of WordPress or its plugins.
- Insecure / default configuration – often users do not follow security recommendations when deploying the website. This can lead to a website breach.
- Weak or reused passwords – weak passwords are one of the main reasons WordPress sites get hacked, which is why site admins should enforce strong password policies on WordPress sites.
As you have just highlighted, the biggest problem with WordPress is that many sites run outdated plugins, themes and core. WordPress has done a lot to improve the situation, yet it is still a big issue. What are your recommendations to remediate the situation?
WordPress has built-in functionality to alert users when there is a new version of WordPress or a plugin available, and even to automatically install those updates.
The bottom line is that website owners have to take the responsibility to install patches. The lack of responsibility is the major reason why there are so many outdated websites and problems in the WordPress ecosystem.
WordPress or not, what is the future of web application security? Are there any new emerging technologies that you think might disrupt the industry?
I would not say “disrupt the industry” but rather enhance it. For example, we use various Machine Learning technologies for crawling, fuzzing and validating security flaws along with human penetration testers for every security test. Fast development of AI and its further evolution into Strong AI in the far future may one day change or even eliminate the process of penetration testing.
According to W3Techs, WordPress is the platform of choice for 33% of sites on the web. Are you planning to develop solutions to help WordPress site owners? If yes, what should we expect from you?
The solutions that we currently have and we are about to launch are suitable for every web application, including WordPress.
In a couple of weeks, we plan to make publicly available a new version of our free Website Security Test. The new functionality will allow users to check if their CMS or plugins are up to date and if they have any known security issues.
The Website Security Test will cover the 50 most popular content management systems and their plugins. And the best part is that it will be completely free, so everybody can use it to check how secure their website is.
What are your recommendations for WordPress users who want to make sure their site is secure? Any top tips or recommended tools?
I would suggest following general industry recommendations:
- Keep your software up to date, and regularly monitor that your WordPress and all its components are up to date.
- Use a Web Application Firewall to protect your website from common web attacks.
- Disable access to the administrative area from public networks and configure the built-in WordPress security features.
- Use strong passwords and 2FA authentication, when possible.
- Perform a vulnerability assessment / penetration test of your website after major changes in code.
- Install and configure always-on SSL.
You’ve reviewed the code of quite a few plugins. As a security professional, what is the single most common mistake WordPress developers make that renders their plugins and themes vulnerable?
I would say it is the lack of proper sanitization of user-supplied input. Virtually all XSS and SQL injections, as well as many other flaws mentioned in the OWASP Top 10 list, are caused by unfiltered usage of a parameter received from an external user.
There are some other more exotic (for WordPress) attack vectors like arbitrary file upload or RCE via LFI/RFI, however, they are less frequent.
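To illustrate the sanitization point made in the answer above, here is an added example that is not part of the interview and not High-Tech Bridge's code: a hypothetical WordPress plugin AJAX search handler in its unfiltered form, followed by a hardened form that validates the request, sanitizes on input, prepares the SQL and escapes on output. The table name `example_notes`, the action `example_search` and the nonce name are invented for illustration.

```php
<?php
// Added example (hypothetical plugin code, not from the interview).
// Table name, action name and nonce name are invented for illustration.

// VULNERABLE: the "q" parameter flows unfiltered into SQL and into HTML.
function example_search_vulnerable() {
    global $wpdb;
    $q    = $_GET['q'];                                          // untrusted input, never checked
    $rows = $wpdb->get_results(
        "SELECT title FROM {$wpdb->prefix}example_notes WHERE title LIKE '%$q%'" // SQL injection
    );
    echo '<p>Results for ' . $q . '</p>';                        // reflected XSS
    foreach ( $rows as $row ) {
        echo '<li>' . $row->title . '</li>';                     // stored XSS if titles came from users
    }
    wp_die();
}

// HARDENED: verify the request, sanitize on input, prepare the query, escape on output.
function example_search_hardened() {
    global $wpdb;
    check_ajax_referer( 'example_search_nonce', 'nonce' );      // rejects requests without a valid nonce
    if ( ! current_user_can( 'read' ) ) {                        // capability check for the caller
        wp_send_json_error( 'forbidden', 403 );
    }
    // Strip slashes WordPress adds, then reduce the value to plain text (tags, control chars removed).
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    if ( '' === $q || strlen( $q ) > 100 ) {                     // enforce an expected shape and length
        wp_send_json_error( 'invalid query', 400 );
    }
    $like = '%' . $wpdb->esc_like( $q ) . '%';                  // escape LIKE wildcards (% and _)
    $rows = $wpdb->get_results(
        $wpdb->prepare(                                          // parameterised: value never touches the SQL text
            "SELECT title FROM {$wpdb->prefix}example_notes WHERE title LIKE %s",
            $like
        )
    );
    echo '<p>Results for ' . esc_html( $q ) . '</p>';           // escape for the HTML context
    foreach ( $rows as $row ) {
        echo '<li>' . esc_html( $row->title ) . '</li>';         // escape stored data on output too
    }
    wp_die();
}

add_action( 'wp_ajax_example_search', 'example_search_hardened' );
```

The hardened handler treats input sanitization and output escaping as separate steps: `sanitize_text_field` limits what is accepted, while `$wpdb->prepare` and `esc_html` protect each sink regardless of what was accepted.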
Thank you very much for participating in this interview. Is there anything else you’d like to add as a closing note?
Thank you for your time and opportunity. I would like to encourage website owners to pay more attention to security in general. In reality, only some minor effort is required to avoid a major security disaster.
Stay secure and up to date.