WordPress 2017 Security Roundup: Shield, Sucuri, iThemes, WordFence

Paul Goodchild over in Belfast is an interesting chap who’s done some great work in security and in WordPress site management. We’re ManageWP customers and huge ManageWP fans (great new interface), due to the great development and enthusiastic support team. But if we were to look for an alternative, iControlWP would be at the top of the list. iControlWP’s existence probably pushed ManageWP to accelerate their improvements and simplify their pricing. We did consider switching both before the release of Orion (older ManageWP wasn’t nearly as pretty or reliable as the current Orion version: if you haven’t had a look for awhile, you should give ManageWP another chance)  and then briefly again at the time of the ManageWP GoDaddy acquisition as our clients had nothing but grief with GoDaddy hosting over the years. Fortunately ManageWP seems to run just as well as it did before the acquisition and the same people are in place. We in fact upgraded to the top package with built-in SEO and site performance reports for clients. 

Paul sent me a survey today (in round one yesterday when you clicked the link you actually got a message from SendBlue his email newsletter provider that the account of a malicious user had been closed: security and email is so hard these days even security publishers can’t get their links out) asking would “help you get on top of your WordPress security”.

As Paul’s done some great free work with WordPress Simple Firewall and we do a lot of work with locking down websites and keeping them secure, I answered his questions. It turns out Paul’s security survey is first rate and thought provoking. My answers were detailed so I decided to publish the best questions and answers here as a round up of the security situation on WordPress. I had some great conversations with Tony Perez of Sucuri while at WordCamp Europe in Paris so security has been top of mind for me for awhile. There’s a lot of (deliberate) misinformation in the WordPress ecosphere about security.

I used to really trust the people behind Shield but then Paul started to do weird stuff with WP Admin and sometimes acting fairly sleazy. I was surprised and disappointed. Easy to use is relative. All WP security plugins suck and try to do too much too aggressively, making a real mess, instead of encouraging better server side rules.

We use Sucuri but only the server side scan. The Sucuri plugin is a marketing nightmare which is why we no longer use it and no longer trust Sucuri as a vendor.

Bonus Explanation not included in my survey answer: basically Sucuri turned their free plugin into a 24 hour marketing machine which contacted clients and warned them their sites were not secure (for the pleasure of installing Sucuri on our client sites, our clients were bombarded with messages that we didn’t treat their site security seriously). Tony Perez at WordCamp Europe told me that this didn’t happen. I was there and too those email – it did. Tony exact words were that “we only contacted the site admin”. Well for many of our clients they were nominally the site admin as the client of course wanted to know about new members and to moderate new comments. We’ve never been betrayed as badly by any vendor as by Sucuri.

Not installing the $30/month Sucuri firewall will not get your site hacked if you follow some basic server setup rules or host with top tier managed WordPress hosts (WPEngine, Flywheel, SiteGround all come to mind). The $30/month punters are paying to Sucuri for their firewall would be far better spent on safer and better configured hosting.

We are still Sucuri clients. As bad as the Sucuri free plugin is (and it’s a nightmare) and as dishonest as their marketing practices are, Sucuri’s standalone serverside monitoring and post hack cleanup is good. For about $50/year per site, you enjoy a twice daily server side scan of your WordPress site’s files. If anything untoward gets picked up on their file scans, you get immediate notification (to your account, not to your client’s main admin email account, giving you time to react).  After that a usually great tech and support team will help you clean up your site and get back on your feet, in most cases, before Google or even a single visitor notices anything wrong.

Of course once you’ve cleaned up, it’s time to tell your client. The idea is not hide security issues but to deal with them discreetly and permanently. Post-hack is a very bad time: usually the hackers have left a backdoor or two back in (this is for sites which were not monitored before a hack occurred). Unlike most other security services, Sucuri doesn’t leave you wondering for months. What’s great about the Sucuri file scanning service is that if there is another break-in, you find out right away.

Causes have been insufficiently hardened installs (not us hosting, we were there to clean up), osCommerce, TimThumb, malicious ads, out of date themes (not out-of-date WordPress). After a hack, Sucuri would manually harden upload directory, setup-config.php and anything else which could be improved.

The file scanning service also tells you about vulnerable plugins (not simply out of date plugins as there’s a lot of reasons to run an older version of a plugin, not every plugin gets better, more compatible or more suitable for a client’s purpose in its evolution). The post-cleanup guides are clear and helpful.

Still Sucuri’s file scanner is not perfect. Half our tickets have been false alerts (poor user verification routines on multisite, unknown software, theme false positives, stats packages). They did miss some deeper hacks into themes and plugins the first time occasionally.

We’ve only needed the Sucuri cleanup service about five times in five years but almost every time has been an excellent experience in a real time of need. Those great agents have been Andrew A., Karen C., Robert Ottoni, Fernand Neto, David Dede, Ante, Yorman Arias, Rafael C., Roger E., Peter Gramantik and John W. and Andrey Z.. Less expert or helpful were Phil C., Guil Scadelai, Moe O. Sometime in 2016, Sucuri became obsessed with the upsell to their cloud proxy and less with helping find and solve the problem.

On the downside, you face very tedious and wrong non-stop advice to update to the latest version of WordPress all the time, although Andrey Z. did admit that he personally understands the difference:

Regarding the upgrade we normally suggest to stay at the latest patch level possible with the most fresh version of the software. But of course it is quite common advise and if you are using some customizations and know what you are doing you can ignore the alerts from the monitoring dashboard for the moment.

Sal Aigular gave a particularly poor and propaganda ladened answer on the updates question.

WordPress is 4.3.9 is NOT as secure as WordPress 4.7.3. On WordPress updates area accumulative, for instance WordPress 4.4 is more secure than 4.3.9, the major 4.x numbers are there to explain major functionalities that are added. For instance WordPress 4.7 included the REST API as part of the core, then 4.7.1 up to 4.7.3 have been updates to patch vulnerabilities available on older versions.

After we demonstrated empirically that those vulnerabilities don’t even exist in the 4.3.x family, Rodrigo promised to help make the out of date WordPress install optional for up-to-date security editions (the most recent security update). Roger E. took the disinformation from WordPress on the release archive page as gospel despite the clear recent security releases for WordPress on all versions back to 3.8.

This is an archive of every release we’ve done that we have a record of. None of these are safe to use, except the latest in the 4.7 series, which is actively maintained.

Those two false sentences are all it costs Matt Mullenweg to create hundreds of millions of dollars in unnecessary maintenance and update costs for WordPress small business users and ruined weekends for run-of-the-mill WordPress users fiddling with their own websites for no good reason, a single lying notice. Ironically at the time that Roger cited that sentence, the least secure version of WordPress was the latest 4.7.x version (up until 4.7.5 all of 4.7.x was highly vulnerable). Roger specifically cited 4.7.3 on 31.3.2017.

In Paris, I had the honour to meet the guy who keeps those old versions secure, the very entertaining Aaron D. Campbell. He told me, “It’s a huge amount of work keeping all the older versions of WordPress secure. We’d love to be able to at least drop 3.x.x versions.” Both Matt and Sucuri seem to suggest all of Aaron’s work is pointless. Au contraire, Aaron, your work is extremely important and deeply appreciated.

Even with our legacy plan, the business numbers should work for Sucuri as well. In exchange for our $1500 over five years, Sucuri has handled about five real episodes. We also provided them detailed enough bug reports to fix three scanning issues on their side. We have enough high value websites for which I’m happy to pay for twice daily file scanning capability. Yet Sucuri won’t even sell this package any more. You can only buy a $30/month per website overblown WAF firewall from Sucuri now. 

Due to Sucuri’s clumsy and aggressive upsells and blind parroting of the WordPress FUD on “latest update of most recent version”, we do not consider Sucuri honest security experts and consider dropping them as a vendor every year. It’s a pity as Sucuri were real pioneers at one point. On the other hand, on those rare occasions where you are worried that a high value site may be deeply compromised the scanning service and help from real experts like Andrey Z. is really worth its weight in gold.

I would feel much better about recommending Sucuri if:

1. Sucuri would make the free and paid plugin stop harassing clients and giving fake security notices (“You don’t have WAF, your site isn’t safe!” is not something Sucuri should be sending to WordPress agencies’ clients nor even WordPress end users, regardless of how profitable).
2. Sucuri would allow agencies to enable a preference across the account or even on a per site basis “consider latest security updated version safe”.

If Sucuri had real professional integrity, they would implement step two immediately. Getting the marketing people under control to stop scaring people with overblown and exaggerated alarmism is a tougher nut to crack. It’s been very profitable to Sucuri to raise false alarms.

All of us on WordPress are making our money by selling people far more update and maintenance services than they should really need. Update FUD is at the core of that. When will Matt Mullenweg start treating WordPress self-hosted users as adults and partners and not foolish marks to be fleeced?

Okay, back to the Shield security survey…incidentally Shield was the plugin with which we tried to replace Sucuri at one point when it was WordPress Simple Security. Then Paul changed the name and made Shield external service dependent, WordPress Simple Security had been freestanding. I’m starting to notice a pattern now with WordPress security providers.

What Sucuri does really well are the server side scans when things really go south. We have had some false positives lately which mean we have to be more careful when reaching out on a complex project (not to offend the other developers).

We don’t want a plugin which keeps nagging us to update WordPress. Older WordPress versions get regular security updates. Running on the latest WordPress on production sites is just stupid. What sane person would use beta software in production? The latest WordPress is perpetual beta, neither secure nor stable. In WordPress 4.7 and 4.7.1, the release included REST API turned on by default, no way to turn it off and vulnerable. In WordPress 4.8, the default text widget is broken by design.

Yes, I’d be interested in this. But I’d really, really like a simpler version of Shield which requires and pre-supposes some intelligent hosting setup, rather than an overdone jack of all trades trying to make up with preposterous options for a worst of all possible worlds hosting option. Presumably someone who cares enough to pay for and install a security plugin will not choose the world’s worst and least secure hosting and if on such hosting will move their sites. You could add some sanity checks for hosting on the other hand.

Paul I used to really admire your work until you read too many WordPress marketing stories and started to become too aggressive in the WP Admin space. You seemed to have started Simple Security and iControl out of a genuine urge to help. I’d suggest you put that in the forefront again and not employ as many cheap marketing tricks. That’s not to say you shouldn’t be out there and promoting your products. But ethically and carefully, taking into account the WordPress professional’s experience of your products. There’s no WordPress security product to like right now. Sucuri sold its plugin users down the river years ago. Nothing iThemes has ever touched works properly, whether Sync or BackupBuddy (great name though) or security. iThemes took the best WordPress security plugin and just made it less reliable and more annoying. WordFence is about as good as it gets but WordFence is too complex and overwrought as well. Feel free to get in touch if you’d really like to improve Shield and get back to Simpler Security.

End of my survey answers…

Think first about your users and second about getting rich. I know it’s hard to stay on the straight and narrow with counterexamples like Yoast. Taking your users for granted and treating them like marks has worked out awfully well for Yoast so far. The debacle of the release of version three where features were removed from the free plugin.

But we owe it to ourselves and the WordPress community to do better and provide a better example. If people like Yoast and Matt Mullenweg keep taking from the community while giving so little back in terms of real value (i.e. improved site or improved businesses), WordPress will eventually dissolve

It’s hard to see the well-meaning and good people at the center of Automattic and WordCamp and the top WordPress agencies for example inadvertently fail to do the good they want to do for the community. People come to mind like John Blackbourn, John Godley, Mark Jaquith and Alex King (RIP) who have selflessly given years of their lives to making WordPress better. The mix of FOSS and commerce at WordPress has become toxic and anti-productive.

A real world example: obvious security fixes should go into core WordPress, along with intrinsic security best practices. This would reduce by a factor of five the need for an external security solution. Unbelievably enough, the security mess at the core of WordPress is broken by design.

Looking forward

Pro-actively on our end we’ve built a community oriented plugin called BusinessPress (totally free and will be free forever) which helps with security in three different ways:

• BusinessPress allows you to run the latest security update for whatever version of WordPress you choose and not face constant WordPress update harassment. When you do decide to upgrade major versions, BusinessPress allows you to choose which major upgrade to which you’d like to update.
• BusinessPress allows you to disable obvious security vectors like XML-RPC or REST API if you are not using them (and most people are not). If you are using XML-RPC, BusinessPress makes it easy to hide and change your XML-RPC access point.
• BusinessPress seamlessly integrates with Fail2Ban allowing you to ban brute force login attacks at a server level (running Login Lockout plugins from WordPress does little to reduce the deleterious DDOS consequences of brute force attacks).

BusinessPress is not a security plugin and does not want to be one. BusinessPress is the place to fix obvious weaknesses in a lightweight way and to fix as many of the broken-by-design issues within WordPress. There’s still a place for a plugin which goes deeper to fix the security issues within WordPress with a lightweight touch.

To my mind, the first step would be for the plugin to assess the hosting situation and the specific WordPress installation to fix in a one-time way, these configuration and install issues. Enforcing sane configured hosting and safe installs would radically reduce the complexity of a WordPress security plugin.