Security Weekly

Are Your WordPress Sites Really Isolated From Each Other?

Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 23

We touched on the topic of site isolation in February in an episode covering server-level security. A few days ago, Vladimir Smitka, a well-known Czech security researcher in the WordPress ecosystem, released a teaser of his upcoming series in which he evaluated the security of 10 popular WordPress hosting panels.

His objective was to “perform an unauthorized modification of one site on the server from another controlled site, essentially breaking site isolation.” It’s a great reminder of why site isolation is important and why you should make sure to choose a hosting provider that does this properly.

Site isolation broken in 11 of our 12 cases

With “moderate” system administration and security skills, it was possible to break the isolation with basic techniques that exploit well-known configuration vulnerabilities. The testing was done on the following services: Serveravatar, Enhance.com, InstaWP, xCloud.host, GridPane, Ploi, Cloudways, RunCloud, FlyWP, Cloudpanel, SpinupWP and Forge.

While some of the providers fixed the issues immediately, others have been investigating the issues for months and have not fixed them even today. Some of them straight up don’t care or call it “a feature, not a bug”.

A great insight from his research is that even though many hosts refer to Docker as a silver bullet for site isolation – the reality is that it does not automatically guarantee security.
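The isolation property Vladimir tested (one site must not be able to modify another) comes down to a few host-level settings. The following audit is an added example, not code from the article or from any of the panels named above; it runs three checks over a constructed inventory of three sites (a real run would fill the records from `os.stat()` on each docroot and from the PHP-FPM pool configuration).

```python
"""Audit per-site isolation on a shared WordPress host (added example).

Checks, per site:
  1. no two sites run PHP under the same system user,
  2. the docroot is not writable by group or others,
  3. wp-config.php (holds DB credentials) is not readable by others.
A container per site does not satisfy these on its own: if the containers
share a UID and a bind-mounted directory, the same three failures apply.
"""
import stat
from collections import defaultdict

# Constructed sample inventory; modes are what os.stat().st_mode & 0o777 would give.
SITES = [
    {"site": "alpha.example", "docroot": "/var/www/alpha", "pool_user": "alpha",
     "docroot_mode": 0o750, "wpconfig_mode": 0o640},
    {"site": "beta.example", "docroot": "/var/www/beta", "pool_user": "www-data",
     "docroot_mode": 0o775, "wpconfig_mode": 0o644},
    {"site": "gamma.example", "docroot": "/var/www/gamma", "pool_user": "www-data",
     "docroot_mode": 0o755, "wpconfig_mode": 0o640},
]


def audit_isolation(sites):
    """Return sorted (site, finding) tuples; an empty list means the sites are isolated."""
    findings = []
    sites_by_user = defaultdict(list)
    for s in sites:
        sites_by_user[s["pool_user"]].append(s["site"])
        # A group- or world-writable docroot lets another site's PHP process drop files here.
        if s["docroot_mode"] & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((s["site"], "docroot writable by group/others"))
        # A world-readable wp-config.php hands its DB credentials to every other local user.
        if s["wpconfig_mode"] & stat.S_IROTH:
            findings.append((s["site"], "wp-config.php readable by others"))
    # Sites sharing a run-as user are one process compromise away from each other.
    for user, names in sites_by_user.items():
        if len(names) > 1:
            for name in names:
                findings.append((name, f"shares PHP run-as user '{user}' with "
                                       f"{len(names) - 1} other site(s)"))
    return sorted(findings)


if __name__ == "__main__":
    for site, finding in audit_isolation(SITES):
        print(f"{site}: {finding}")
```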

Attitude towards security should not go unnoticed

This is something that we deal with at Patchstack on a daily basis. As the leading WordPress security intelligence provider, we process the largest amount of security reports affecting WordPress core, plugins and themes.

The worst and most time-consuming cases are mostly not the ones where a vulnerability is incredibly severe, but the ones where the developers’ attitude towards security is questionable. Some try to ignore the issues for as long as possible, then blame others and eventually censor and hide it from the public.

This kind of attitude should not go unnoticed, even when the security issue is trivial and not severe. Taking quick action, making improvements and communicating transparently also shows how the provider would act when a more serious issue is reported to them.

Practicing the security incident response process on low-severity issues should be seen as a great opportunity to build better processes and increase trust with users. Failing to do so will eventually have a negative security impact on the end-users.

Conclusion

WordPress websites should always be isolated from each other. Unfortunately, even though many hosting companies claim to do so – poor configurations and vulnerabilities in hosting environments are more common than one might think.

Make sure to read Vladimir’s full article here: https://smitka.me/2024/06/03/teaser-vladimir-vs-hosting-industry/
