Security Weekly

Are Your WordPress Sites Really Isolated From Each Other?


Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 23

We touched on the topic of site isolation in February, in an episode covering server-level security. A few days ago, Vladimir Smitka, a well-known Czech security researcher in the WordPress ecosystem, released a teaser of his upcoming series in which he evaluated the security of 10 popular WordPress hosting panels.

His objective was to “perform an unauthorized modification of one site on the server from another controlled site, essentially breaking site isolation.” It’s a great reminder of why site isolation is important and why you should make sure to choose a hosting provider that does this properly.

Site isolation broken in 11 of our 12 cases

With “moderate” system administration and security skills, it was possible to break the isolation with basic techniques that exploit well-known configuration vulnerabilities. The testing was done on the following services: Serveravatar, Enhance.com, InstaWP, xCloud.host, GridPane, Ploi, Cloudways, RunCloud, FlyWP, Cloudpanel, SpinupWP and Forge.
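The article does not say which configuration weaknesses were used, but the two that a hosting customer can verify for themselves are the classic ones: whether each site runs under its own Unix user, and whether one site’s wp-config.php (which holds database credentials) is readable by the other sites on the box. The script below is an added example, not code from the article or from Vladimir Smitka’s research; it assumes a layout of one directory per site under a common root (for example /var/www/<site>/wp-config.php), GNU coreutils (`stat -c`), and builds a constructed sample tree so it can run offline.

```shell
#!/bin/sh
# Added example (not from the article): a minimal per-site isolation self-check.
# Assumptions (not from the page): sites live as <root>/<site>/wp-config.php,
# and the host has GNU stat (stat -c).

# Return 0 if no wp-config.php under "$1" grants read access to the "other"
# class; print every offending file otherwise and return 1.
check_config_perms() {
    root="$1"
    bad=0
    for cfg in "$root"/*/wp-config.php; do
        [ -f "$cfg" ] || continue
        mode=$(stat -c '%a' "$cfg")          # e.g. 640 or 644
        other=$(( mode % 10 ))               # last octal digit = permissions for "other"
        if [ $(( other & 4 )) -ne 0 ]; then  # read bit set for everyone on the host
            echo "world-readable: $cfg (mode $mode)"
            bad=1
        fi
    done
    return $bad
}

# Return 0 if every site directory under "$1" is owned by a different Unix user
# (one user per site); return 1 if two or more sites share an owner.
check_distinct_owners() {
    root="$1"
    owners=$(for d in "$root"/*/; do stat -c '%u' "$d"; done | sort)
    total=$(printf '%s\n' "$owners" | wc -l)
    uniq_count=$(printf '%s\n' "$owners" | uniq | wc -l)
    [ "$total" -eq "$uniq_count" ]
}

# Constructed sample tree: two sites, one with a correctly restricted config
# and one with the weak world-readable setting. Prints the root path.
build_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/site-a" "$root/site-b"
    printf "<?php define('DB_PASSWORD', 'constructed-sample');\n" > "$root/site-a/wp-config.php"
    printf "<?php define('DB_PASSWORD', 'constructed-sample');\n" > "$root/site-b/wp-config.php"
    chmod 640 "$root/site-a/wp-config.php"   # owner + group only
    chmod 644 "$root/site-b/wp-config.php"   # readable by every user on the host
    echo "$root"
}

# Demo run on the constructed tree (on a real host, point the checks at the
# directory that holds your sites instead).
demo_root=$(build_sample)
check_config_perms "$demo_root" || echo "FAIL: world-readable wp-config.php under $demo_root"
check_distinct_owners "$demo_root" || echo "FAIL: sites under $demo_root share a Unix owner"
rm -rf "$demo_root"
```

Both checks are necessary but not sufficient: a host that passes them can still leak across sites through a shared PHP-FPM pool, a shared database user, or a container that mounts every site’s files. They are the cheapest place to start, though, and a panel that fails either one has not isolated anything.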

While some of the providers fixed the issues immediately, others have been investigating the issues for months and have not fixed them even today. Some of them straight up don’t care or call it “a feature, not a bug”.

A great insight from his research is that even though many hosts refer to Docker as a silver bullet for site isolation – the reality is that it does not automatically guarantee security.

Attitude towards security should not go unnoticed

This is something that we deal with in Patchstack on a daily basis. As the leading WordPress security intelligence provider, we process the largest amount of security reports affecting WordPress core, plugins and themes.

The worst and most time-consuming cases are mostly not the ones where a vulnerability is incredibly severe, but instead the ones where the developers’ attitude towards security is questionable. Some try to ignore the issues for as long as possible, then blame others and eventually censor & hide it from the public.

This kind of attitude should not go unnoticed, even when the security issue is trivial and not severe. Taking quick action, making improvements and communicating transparently also shows how the provider would act when a more serious issue is reported to them.

Practicing the process of security incident response through low severity issues should be seen as a great opportunity to build better processes and increase trust with the users. Failing to do so will eventually have a negative security impact for the end-users.

Conclusion

WordPress websites should always be isolated from each other. Unfortunately, even though many hosting companies claim to do so – poor configurations and vulnerabilities in the hosting environments are more common than one might think.

Make sure to read his full article here: https://smitka.me/2024/06/03/teaser-vladimir-vs-hosting-industry/
