Naked Security

WordPress takes aim at ancient versions of its software

If you’re running a very old version of WordPress on your website, the project’s staff would like a word with you. The people responsible for producing the open source content management system want to wipe your code from the face of the earth.

Don’t take it personally. WordPress just wants you to upgrade to a newer version of its free software to improve security. Aaron Campbell, full-time leader of the WordPress open source security team, explained why during a talk at the DerbyCon security conference early in October.

Campbell explained that while WordPress is busier fixing security holes in its software than ever before, all that work will be for nothing if it doesn’t fix arguably the biggest security problem of all: the users who install the free software but never upgrade it.

WordPress is by far the most popular website CMS (Content Management System) on the planet, meaning that people of all kinds use it. That includes not only enterprise IT departments but also solopreneurs and individuals who just want to blog on their own sites, which makes for a very patchy update picture.

When the project releases new, more secure versions of its software, it can’t rely on all users to diligently install it. Campbell:

The only way to get users to upgrade and use the secure version is to do it for them, which is how we ended up with automatic updates.

With the release of WordPress 3.7 in 2013, the software began checking for new minor and security releases and installing them automatically. That doesn’t extend to major releases (moving from 3.7 to 3.8, for example), which users still have to install by hand. But it does mean that sites at least get security patches, as long as nobody has switched the feature off.
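As an added illustration (not code from the article, the talk or the WordPress project), these are the wp-config.php settings that govern the behaviour just described: the configuration that silently switches security updates off, the default that installs minor and security releases, and a hardened variant that also takes major releases. The constant names are WordPress’s own (3.7 and later); the grouping, values and comments are the example’s.

```php
<?php
/*
 * wp-config.php fragment: the settings that decide whether a WordPress site
 * receives automatic core updates at all. Illustration added for this
 * article, not code shipped by WordPress or shown in Campbell's talk.
 * Constant names are WordPress's own; only the chosen values are the example's.
 */

/* Weak: any one of these switches off automatic core updates, security
 * releases included. A site configured like this stays on the version it was
 * installed with until an administrator updates it by hand.
 */
// define( 'AUTOMATIC_UPDATER_DISABLED', true ); // disables the automatic updater entirely
// define( 'DISALLOW_FILE_MODS', true );          // blocks all file changes, which also blocks updates
// define( 'WP_AUTO_UPDATE_CORE', false );        // no automatic core updates of any kind

/* Default since 3.7: minor and security releases install automatically
 * (for example 4.9.7 to 4.9.8); major releases (for example 4.8 to 4.9) are
 * left to the site owner. Leaving the constant undefined gives the same result.
 */
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

/* Hardened: also take major releases automatically, so the site never drifts
 * onto an old branch that the security team has to keep backporting fixes to.
 * Use this line instead of the one above.
 */
// define( 'WP_AUTO_UPDATE_CORE', true );
```

The same opt-in to major releases can be made from a must-use plugin by returning true from the `allow_major_auto_core_updates` filter, which is convenient for hosts managing many sites. To see where a site stands, the Dashboard > Updates screen or, from WP-CLI, `wp core version` and `wp core check-update` report the installed version and any pending release; a site that reports anything older than 3.7 has no updater to switch on at all and must be upgraded manually.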

WordPress tests its security patches against every version of the software back to 3.7 so that even the latest fixes reach those sites. Coding and testing for five years’ worth of WordPress versions is a lot of work.

As more security fixes come out, the work involved in backporting to every release from 3.7 onwards increases. Supporting those back versions is a problem for a security team composed almost entirely of volunteers. The project’s own figures show that two thirds of all WordPress sites are on the latest version, 4.9, but that still leaves a lot of older versions out there. It needs to get more people onto recent versions of WordPress. But how? Says Campbell:

We don’t want to do it by dropping support for older versions that people are still using.

Some have suggested automatically upgrading every 3.7 site to 4.1, but that’s contentious: having your software updated without your consent might create trust issues. Campbell continues:

We’re working on figuring out ways to roll those versions forward automatically without breaking sites for people, and essentially we’re working to try and wipe those versions from existence on the internet and bring people forward.

If you’re about to post in the comments section suggesting that WordPress mind its own business, consider this: according to web technology survey company W3Techs.com, the 15-year-old project is the most popular content management system by far, used by about 30% of all websites.

With nearly a third of the world’s websites running on this volunteer-maintained open source project, the discussion becomes about more than just the sovereignty of your own website. It becomes about the security of the web itself. Some 4.2% of WordPress sites run pre-4.0 versions of the software. If the project runs out of resources to backport fixes to those versions and they get compromised, that’s not just a localised infection – that’s an epidemic.

What else has the project been doing to protect its users while it grapples with that problem? One measure involves blocking malicious traffic that targets known vulnerabilities before it ever reaches the vulnerable code: it has built relationships with third-party infrastructure providers like Cloudflare and GoDaddy to block such exploit traffic at the network level.

Another big focus is plugin developers. Attacks often come via vulnerabilities in popular third-party plugins: WordPress is an open framework that anyone can extend, and sites are littered with third-party code that augments the core content management system.

Backporting changes to old software risks breaking installed plugins, so the project works with some of the larger plugin vendors to have them test patches against their code in advance. It also uses those relationships to flag code patterns that could lead to security vulnerabilities, which it finds in part by automatically scanning the code in the plugin directory.

One fact presents a big challenge to WordPress as it tries to wipe out that old software: 2.4% of WordPress sites are still running pre-3.7 releases, which predate automatic updates, so it can’t auto-update them at all. That can only be countered by user education and outreach, which the project is also pursuing.

In the meantime, as WordPress’s popularity increases, the magnitude of these challenges will only grow.