We touched on the topic of site isolation in February in an episode covering server-level security. A few days ago, Vladimir Smitka, a well-known Czech security researcher in the WordPress ecosystem, released a teaser of his upcoming series in which he evaluated the security of 10 popular WordPress hosting panels.
His objective was to “perform an unauthorized modification of one site on the server from another controlled site, essentially breaking site isolation.” It is a great reminder of why site isolation is important and why you should make sure to choose a hosting provider that does it properly.
Site isolation broken in 11 of our 12 cases
With “moderate” system administration and security skills, it was possible to break the isolation with basic techniques that exploit well-known configuration vulnerabilities. The testing was done on the following services: Serveravatar, Enhance.com, InstaWP, xCloud.host, GridPane, Ploi, Cloudways, RunCloud, FlyWP, Cloudpanel, SpinupWP and Forge.
While some of the providers fixed the issues immediately, others have been investigating the issues for months and have still not fixed them today. Some of them straight up don’t care or call it “a feature, not a bug”.
A great insight from his research is that even though many hosts refer to Docker as a silver bullet for site isolation – the reality is that it does not automatically guarantee security.
Attitude towards security should not go unnoticed
This is something that we deal with in Patchstack on a daily basis. As the leading WordPress security intelligence provider, we process the largest amount of security reports affecting WordPress core, plugins and themes.
The worst and most time-consuming cases are mostly not the ones where a vulnerability is incredibly severe, but the ones where the developers’ attitude towards security is questionable. Some try to ignore the issues for as long as possible, then blame others and eventually censor and hide them from the public.
This kind of attitude should not go unnoticed, even when the security issue is trivial and not severe. Taking quick action, making improvements and communicating transparently also shows how the provider would act when a more serious issue is reported to them.
Practicing the security incident response process on low-severity issues should be seen as a great opportunity to build better processes and increase trust among users. Failing to do so will eventually have a negative security impact on end users.
Conclusion
WordPress websites should always be isolated from each other. Unfortunately, even though many hosting companies claim to do so – poor configurations and vulnerabilities in the hosting environments are more common than one might think.
Make sure to read his full article here: https://smitka.me/2024/06/03/teaser-vladimir-vs-hosting-industry/
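The objective of the research above is to modify one site on a server from another site. A defender can check the host-side invariants that make this possible; the added example below (not part of Smitka’s research or Patchstack tooling, and using a constructed two-site directory tree rather than a real host) audits a set of WordPress document roots for a shared owner uid, a wp-config.php readable by other users, and group- or world-writable paths, each of which lets a neighbouring site read or write the audited one.

```python
import os
import stat
import tempfile
from pathlib import Path

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH
READABLE_BY_OTHERS = stat.S_IRGRP | stat.S_IROTH

def audit_site_isolation(docroots):
    """Return (site, finding) pairs for each way a neighbouring site on the same
    host could read or modify this one: a shared owner uid (no per-site user),
    wp-config.php readable by group/others, or group/world-writable paths."""
    findings, owners = [], {}
    for site, root in docroots.items():
        root = Path(root)
        owners.setdefault(root.stat().st_uid, []).append(site)
        cfg = root / "wp-config.php"
        if cfg.exists() and cfg.stat().st_mode & READABLE_BY_OTHERS:
            findings.append((site, "wp-config.php readable by other users"))
        # the docroot itself plus everything below it
        paths = [root] + [Path(d) / n for d, ds, fs in os.walk(root) for n in ds + fs]
        for p in paths:
            if p.lstat().st_mode & WRITABLE_BY_OTHERS:
                findings.append((site, f"group/world-writable: {p.relative_to(root)}"))
    for uid, sites in owners.items():
        for site in (sites if len(sites) > 1 else []):
            others = ", ".join(s for s in sites if s != site)
            findings.append((site, f"shares uid {uid} with {others}"))
    return findings

def build_sample():
    """Constructed sample: two fake docroots, site-a hardened, site-b with the
    weak file modes that let any other user on the box read and write it."""
    base = Path(tempfile.mkdtemp(prefix="isolation-"))
    roots = {"site-a": base / "site-a", "site-b": base / "site-b"}
    for root in roots.values():
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'constructed');\n")
        for d, ds, fs in os.walk(root):  # explicit modes so the result is umask-independent
            os.chmod(d, 0o750)
            for f in fs:
                os.chmod(Path(d) / f, 0o640)
    os.chmod(roots["site-a"] / "wp-config.php", 0o600)
    os.chmod(roots["site-b"] / "wp-config.php", 0o644)           # credentials world-readable
    os.chmod(roots["site-b"] / "wp-content" / "uploads", 0o777)  # anyone can drop files
    return {site: str(root) for site, root in roots.items()}

if __name__ == "__main__":
    for site, finding in audit_site_isolation(build_sample()):
        print(f"{site}: {finding}")
```

Both constructed sites are created by the same user, so the audit also reports the shared uid, which is the per-site-user failure the research describes.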