Learn more about WordPress core software security in this free white paper. You can also download it in PDF format.
Обобщение
This document is an analysis and explanation of the WordPress core software development and its related security processes, as well as an examination of the inherent security built directly into the software. Decision makers evaluating WordPress as a content management system or web application framework should use this document in their analysis and decision-making, and for developers to refer to it to familiarize themselves with the security components and best practices of the software.
The information in this document is up-to-date for the latest stable release of the software, WordPress 4.7 at time of publication, but should be considered relevant also to the most recent versions of the software as backwards compatibility is a strong focus for the WordPress development team. Specific security measures and changes will be noted as they have been added to the core software in specific releases. It is strongly encouraged to always be running the latest stable version of WordPress to ensure the most secure experience possible.
Съдържание
WordPress is a dynamic open-source content management system which is used to power millions of websites, web applications, and blogs. It currently powers more than 34% of the top 10 million websites on the Internet. WordPress’ usability, extensibility, and mature development community make it a popular and secure choice for websites of all sizes.
Since its inception in 2003, WordPress has undergone continual hardening so its core software can address and mitigate common security threats, including the Top 10 list identified by The Open Web Application Security Project (OWASP) as common security vulnerabilities, which are discussed in this document.
The WordPress Security Team, in collaboration with the WordPress Core Leadership Team and backed by the WordPress global community, works to identify and resolve security issues in the core software available for distribution and installation at WordPress.org, as well as recommending and documenting security best practices for third-party plugin and theme authors.
Site developers and administrators should pay particular attention to the correct use of core APIs and underlying server configuration which have been the source of common vulnerabilities, as well as ensuring all users employ strong passwords to access WordPress.
За WordPress
WordPress is a free and open source content management system (CMS). It is the most widely-used CMS software in the world and it powers more than 34% of the top 10 million websites1, giving it an estimated 60% market share of all sites using a CMS.
WordPress is licensed under the General Public License (GPLv2 or later) which provides four core freedoms, and can be considered as the WordPress “bill of rights”:
- Свободата да ползвате програмата за всякакви цели.
- Свободата да разучавате как работи програмата и да я променяте, за да работи както пожелаете.
- Свободата да разпространявате.
- The freedom to distribute copies of your modified versions to others.
Основните разработчици на WordPress
The WordPress project is a meritocracy, run by a core leadership team, and led by its co-creator and lead developer, Matt Mullenweg. The team governs all aspects of the project, including core development, WordPress.org, and community initiatives.
The Core Leadership Team consists of Matt Mullenweg, five lead developers, and more than a dozen core developers with permanent commit access. These developers have final authority on technical decisions, and lead architecture discussions and implementation efforts.
WordPress has a number of contributing developers. Some of these are former or current committers, and some are likely future committers. These contributing developers are trusted and veteran contributors to WordPress who have earned a great deal of respect among their peers. As needed, WordPress also has guest committers, individuals who are granted commit access, sometimes for a specific component, on a temporary or trial basis.
Разработчиците на ядрото, както и всички останали, допринасящи към него, са тези, които задвижват развитието на WordPress. За всяка версия стотици програмисти допринасят с код, като всички те са доброволци.
Как излизат нови версии на WordPress
Всеки цикъл за разработка нова версия на WordPress се води от един или повече разработчици на ядрото на платформата. Един цикъл обичайно отнема около 4 месеца от първата среща за определяне на обхвата на работата до пускането на новата версия.
Всяка версия на WordPress се създава на следния принцип2:
- Фаза 1: Планиране и подбор на водещите разработчици. Това се случва в чат стаята #core в Slack. Водещият разработката на следващата версия на WordPress дискутира планираните функционалности, като всички, допринасящи за платформата, също биват въвлечени в дискусията. Водещият за съответната версия избира водещите разработчици за всяка от функционалностите.
- Фаза 2: Разработката започва. Водещите разработчици събират екипа и започват работа по възложените им функционалности. Планират се редовни онлайн срещи, за да се гарантира постоянният прогрес на разработката.
- Фаза 3: Бета. Бета версиите биват пускани, a бета-тестърите започват да търсят и докладват проблеми, когато попаднат на такива. Повече не се допускат промени в кода, свързани с подобрения, както и искания за нови функционалности. Авторите на разширения и теми от трети страни са поканени да изпробват кода си върху наближаващата нова версия.
- Фаза 4: Кандидат за пускане. От този момент нататък се забранява въвеждането на нови превеждаеми низове. Работата се фокусира върху отстраняване на проблеми.
- Фаза 5: Пускане. WordPress версията е пусната за свободно сваляне и обновяване от административния панел на сайтовете.
Номериране на версиите и версии с кръпки в сигурността
Основна версия на WordPress се диктува от първите две числа. Например 3.5 е основна версия, както и 3.6, 3.7 и 4.0. Не съществува „WordPress 3“ или „WordPress 4“, а всяка основна версия се определя от номерацията: „WordPress 3.9“.
Major releases may add new user features and developer APIs. Though typically in the software world, a “major” version means you can break backwards compatibility, WordPress strives to never break backwards compatibility. Backwards compatibility is one of the project’s most important philosophies, with the aim of making updates much easier on users and developers alike.
A minor WordPress version is dictated by the third sequence. Version 3.5.1 is a minor release, as is 3.4.23. A minor release is reserved for fixing security vulnerabilities and addressing critical bugs only. Since new versions of WordPress are released so frequently — the aim is every 4-5 months for a major release, and minor releases happen as needed — there is only a need for major and minor releases.
Съвместимост на старите версии
The WordPress project has a strong commitment to backwards compatibility. This commitment means that themes, plugins, and custom code continues to function when WordPress core software is updated, encouraging site owners to keep their WordPress version updated to the latest secure release.
WordPress и сигурността
Екипът за сигурност на WordPress
The WordPress Security Team is made up of approximately 50 experts including lead developers and security researchers — about half are employees of Automattic (makers of WordPress.com, the earliest and largest WordPress hosting platform on the web), and a number work in the web security field. The team consults with well-known and trusted security researchers and hosting companies3.
The WordPress Security Team often collaborates with other security teams to address issues in common dependencies, such as resolving the vulnerability in the PHP XML parser, used by the XML-RPC API that ships with WordPress, in WordPress 3.9.24. This vulnerability resolution was a result of a joint effort by both WordPress and Drupal security teams.
Рискове за сигурността на WordPress, процес и история
The WordPress Security Team believes in Responsible Disclosure by alerting the security team immediately of any potential vulnerabilities. Potential security vulnerabilities can be signaled to the Security Team via the WordPress HackerOne5. The Security Team communicates amongst itself via a private Slack channel, and works on a walled-off, private Trac for tracking, testing, and fixing bugs and security problems.
Each security report is acknowledged upon receipt, and the team works to verify the vulnerability and determine its severity. If confirmed, the security team then plans for a patch to fix the problem which can be committed to an upcoming release of the WordPress software or it can be pushed as an immediate security release, depending on the severity of the issue.
For an immediate security release, an advisory is published by the Security Team to the WordPress.org News site6 announcing the release and detailing the changes. Credit for the responsible disclosure of a vulnerability is given in the advisory to encourage and reinforce continued responsible reporting in the future.
Administrators of the WordPress software see a notification on their site dashboard to upgrade when a new release is available, and following the manual upgrade users are redirected to the About WordPress screen which details the changes. If administrators have automatic background updates enabled, they will receive an email after an upgrade has been completed.
Automatic Background Updates for Security Releases
Starting with version 3.7, WordPress introduced automated background updates for all minor releases7, such as 3.7.1 and 3.7.2. The WordPress Security Team can identify, fix, and push out automated security enhancements for WordPress without the site owner needing to do anything on their end, and the security update will install automatically.
When a security update is pushed for the current stable release of WordPress, the core team will also push security updates for all the releases that are capable of background updates (since WordPress 3.7), so these older but still recent versions of WordPress will receive security enhancements.
Individual site owners can opt to remove automatic background updates through a simple change in their configuration file, but keeping the functionality is strongly recommended by the core team, as well as running the latest stable release of WordPress.
2013 OWASP Top 10
The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. The OWASP Top 10 list8 focuses on identifying the most serious application security risks for a broad array of organizations. The Top 10 items are selected and prioritized in combination with consensus estimates of exploitability, detectability, and impact estimates.
The following sections discuss the APIs, resources, and policies that WordPress uses to strengthen the core software and 3rd party plugins and themes against these potential risks.
A1 - Инжецкия
There is a set of functions and APIs available in WordPress to assist developers in making sure unauthorized code cannot be injected, and help them validate and sanitize data. Best practices and documentation are available9 on how to use these APIs to protect, validate, or sanitize input and output data in HTML, URLs, HTTP headers, and when interacting with the database and filesystem. Administrators can also further restrict the types of file which can be uploaded via filters.
A2 - Неработещи автентикация и управление на сесиите
WordPress core software manages user accounts and authentication and details such as the user ID, name, and password are managed on the server-side, as well as the authentication cookies. Passwords are protected in the database using standard salting and stretching techniques. Existing sessions are destroyed upon logout for versions of WordPress after 4.0.
A3 - Cross Site Scripting (XSS)
WordPress provides a range of functions which can help ensure that user-supplied data is safe10. Trusted users, that is administrators and editors on a single WordPress installation, and network administrators only in WordPress Multisite, can post unfiltered HTML or JavaScript as they need to, such as inside a post or page. Untrusted users and user-submitted content is filtered by default to remove dangerous entities, using the KSES library through the wp_kses
function.
As an example, the WordPress core team noticed before the release of WordPress 2.3 that the function the_search_query()
was being misused by most theme authors, who were not escaping the function’s output for use in HTML. In a very rare case of slightly breaking backward compatibility, the function’s output was changed in WordPress 2.3 to be pre-escaped.
А4 - Несигурни директни препратки към обекти
WordPress often provides direct object reference, such as unique numeric identifiers of user accounts or content available in the URL or form fields. While these identifiers disclose direct system information, WordPress’ rich permissions and access control system prevent unauthorized requests.
А5 - Лоша конфигурация на сигурността
The majority of the WordPress security configuration operations are limited to a single authorized administrator. Default settings for WordPress are continually evaluated at the core team level, and the WordPress core team provides documentation and best practices to tighten security for server configuration for running a WordPress site11.
А6 - Излагане на чувствителни данни
WordPress user account passwords are salted and hashed based on the Portable PHP Password Hashing Framework12. WordPress’ permission system is used to control access to private information such an registered users’ PII, commenters’ email addresses, privately published content, etc. In WordPress 3.7, a password strength meter was included in the core software providing additional information to users setting their passwords and hints on increasing strength. WordPress also has an optional configuration setting for requiring HTTPS.
А7 - Липса на проверка за достъпа на функция
WordPress checks for proper authorization and permissions for any function level access requests prior to the action being executed. Access or visualization of administrative URLs, menus, and pages without proper authentication is tightly integrated with the authentication system to prevent access from unauthorized users.
A8 - Cross Site Request Forgery (CSRF)
WordPress uses cryptographic tokens, called nonces13, to validate intent of action requests from authorized users to protect against potential CSRF threats. WordPress provides an API for the generation of these tokens to create and verify unique and temporary tokens, and the token is limited to a specific user, a specific action, a specific object, and a specific time period, which can be added to forms and URLs as needed. Additionally, all nonces are invalidated upon logout.
A9 - Използване на компоненти с известни уязвимости
The WordPress core team closely monitors the few included libraries and frameworks WordPress integrates with for core functionality. In the past the core team has made contributions to several third-party components to make them more secure, such as the update to fix a cross-site vulnerability in TinyMCE in WordPress 3.5.214.
If necessary, the core team may decide to fork or replace critical external components, such as when the SWFUpload library was officially replaced by the Plupload library in 3.5.2, and a secure fork of SWFUpload was made available by the security team<15 for those plugins who continued to use SWFUpload in the short-term.
A10 - Невалидирани пренасочвания и препращания
WordPress’ internal access control and authentication system will protect against attempts to direct users to unwanted destinations or automatic redirects. This functionality is also made available to plugin developers via an API, wp_safe_redirect()
16.
Още рискове за сигурността
XXE (XML eXternal Entity) processing attacks
When processing XML, WordPress disables the loading of custom XML entities to prevent both External Entity and Entity Expansion attacks. Beyond PHP’s core functionality, WordPress does not provide additional secure XML processing API for plugin authors.
SSRF (фалшификация на заявките от страна на сървъра) атаки
HTTP заявки, направени от WordPress, се филтрират, за да предотвратят достъп до loopback и лични IP адреси. Също така, достъпът е позволен само за определени HTTP портове.
Сигурност на WordPress темите и разширенията
Темата по подразбиране
WordPress requires a theme to be enabled to render content visible on the frontend. The default theme which ships with core WordPress (currently "Twenty Nineteen") has been vigorously reviewed and tested for security reasons by both the team of theme developers plus the core development team.
The default theme can serve as a starting point for custom theme development, and site developers can create a child theme which includes some customization but falls back on the default theme for most functionality and security. The default theme can be easily removed by an administrator if not needed.
Директории с теми и разширения на WordPress.org
There are approximately 50 000+ plugins and 5 000+ themes listed on the WordPress.org site. These themes and plugins are submitted for inclusion and are manually reviewed by volunteers before making them available on the repository.
Inclusion of plugins and themes in the repository is not a guarantee that they are free from security vulnerabilities. Guidelines are provided for plugin authors to consult prior to submission for inclusion in the repository17, and extensive documentation about how to do WordPress theme development18 is provided on the WordPress.org site.
Each plugin and theme has the ability to be continually developed by the plugin or theme owner, and any subsequent fixes or feature development can be uploaded to the repository and made available to users with that plugin or theme installed with a description of that change. Site administrators are notified of plugins which need to be updated via their administration dashboard.
When a plugin vulnerability is discovered by the WordPress Security Team, they contact the plugin author and work together to fix and release a secure version of the plugin. If there is a lack of response from the plugin author or if the vulnerability is severe, the plugin/theme is pulled from the public directory, and in some cases, fixed and updated directly by the Security Team.
Екипът за преглед на теми
The Theme Review Team is a group of volunteers, led by key and established members of the WordPress community, who review and approve themes submitted to be included in the official WordPress Theme directory. The Theme Review Team maintains the official Theme Review Guidelines19, the Theme Unit Test Datas20, and the Theme Check Plugins21, and attempts to engage and educate the WordPress Theme developer community regarding development best practices. Inclusion in the group is moderated by core committers of the WordPress development team.
Ролята на доставчика на хостинг за сигурността на WordPress
WordPress can be installed on a multitude of platforms. Though WordPress core software provides many provisions for operating a secure web application, which were covered in this document, the configuration of the operating system and the underlying web server hosting the software is equally important to keep the WordPress applications secure.
За WordPress.com и сигурността на WordPress
WordPress.com is the largest WordPress installation in the world, and is owned and managed by Automattic, Inc., which was founded by Matt Mullenweg, the WordPress project co-creator. WordPress.com runs on the core WordPress software, and has its own security processes, risks, and solutions22. This document refers to security regarding the self-hosted, downloadable open source WordPress software available from WordPress.org and installable on any server in the world.
Съдържание
WordPress API-та на ядрото
The WordPress Core Application Programming Interface (API) is comprised of several individual APIs23, each one covering the functions involved in, and use of, a given set of functionality. Together, these form the project interface which allows plugins and themes to interact with, alter, and extend WordPress core functionality safely and securely.
While each WordPress API provides best practices and standardized ways to interact with and extend WordPress core software, the following WordPress APIs are the most pertinent to enforcing and hardening WordPress security:
Database API
The Database API24, added in WordPress 0.71, provides the correct method for accessing data as named values which are stored in the database layer.
Filesystem API
The Filesystem API25, added in WordPress 2.626, was originally created for WordPress’ own automatic updates feature. The Filesystem API abstracts out the functionality needed for reading and writing local files to the filesystem to be done securely, on a variety of host types.
It does this through the WP_Filesystem_Base
class, and several subclasses which implement different ways of connecting to the local filesystem, depending on individual host support. Any theme or plugin that needs to write files locally should do so using the WP_Filesystem family of classes.
HTTP API
HTTP API27, добавен към WordPress 2.728 и допълнително разширен в WordPress 2.8, стандартизира HTTP заявките за WordPress. Този API управлява бисквитките, кодирането и декодирането в gzip (при HTTP 1.1) и други имплементации на протокола HTTP. API стандартизира заявките, тества всеки метод преди изпращане и използва подходящия метод за изпълнение на заявката в зависимост от конфигурацията на сървъра.
API за права и текущи потребители
API29 за права и текущи потребители представлява набор от функции, които помагат за проверяване на правата на текущия потребител да извърши заявена задача или операция. Дава и допълнителна защита срещу неоторизирани потребители, като не им позволява да получават достъп до функции, за които нямат права или да ги изпълняват.
Лиценз на съдържанието на бялата книга
Текстът в този документ (с изключение на логото и запазената марка на WordPress) е под лиценз CC0 1.0 Universal (CC0 1.0) Public Domain Dedication. Можете да копирате, модифицирате, разпространявате и представяте публично настоящия обект на авторско право, дори и с комерсиална цел, без да искате разрешение от автора.
Специални благодарности за авторите на бялата книга за сигурност на Drupal - един от източниците ни на вдъхновение.
Допълнителни материали за четене
- Новини за WordPress https://wordpress.org/news/
- Обновявания за сигурността на WordPress https://wordpress.org/news/category/security/
- Ресурси за разработчици на WordPress https://developer.wordpress.org/
Автор Sara Rosso
С приноса на Barry Abrahamson, Michael Adams, Jon Cave, Helen Hou-Sandí, Dion Hulse, Mo Jangda, Paul Maiorana
Версия 1.0, март 2015
Бележки
- [1] https://w3techs.com/, as of March 2017
- [2] https://make.wordpress.org/core/handbook/about/release-cycle/
- [3] Andrew Nacin, WordPress lead developer, https://vip.wordpress.com/security
- [4] https://wordpress.org/news/2014/08/wordpress-3-9-2/
- [5] https://codex.wordpress.org/Security_FAQ
- [6] https://wordpress.org/news/
- [7] https://wordpress.org/news/2013/10/basie/
- [8] https://www.owasp.org/index.php/Top_10_2013-Top_10
- [9] https://developer.wordpress.org/plugins/security/
- [10] https://codex.wordpress.org/Data_Validation#HTML.2FXML
- [11] https://codex.wordpress.org/Hardening_WordPress
- [12] http://www.openwall.com/phpass/
- [13] https://developer.wordpress.org/plugins/security/nonces/
- [14] https://wordpress.org/news/2013/06/wordpress-3-5-2/
- [15] https://make.wordpress.org/core/2013/06/21/secure-swfupload/
- [16] https://developer.wordpress.org/reference/functions/wp_safe_redirect/
- [17] https://wordpress.org/plugins/about/guidelines/
- [18] https://developer.wordpress.org/themes/getting-started/
- [19] https://codex.wordpress.org/Theme_Review
- [20] https://codex.wordpress.org/Theme_Unit_Test
- [21] https://wordpress.org/plugins/theme-check/
- [22] https://automattic.com/security/
- [23] https://codex.wordpress.org/WordPress_APIs
- [24] https://codex.wordpress.org/Database_API
- [25] https://codex.wordpress.org/Filesystem_API
- [26] https://codex.wordpress.org/Version_2.6
- [27] https://codex.wordpress.org/HTTP_API
- [28] https://codex.wordpress.org/Version_2.7
- [29] https://codex.wordpress.org/Function_Reference/current_user_can