04/25/2021

Get WordPress (and others) Off Your Network


A few weeks ago The Hacker News ran an article about recently discovered flaws in two popular WordPress plugins. These plugins are used by several million WordPress sites, and either flaw could be exploited to eventually gain remote code execution (RCE) on the servers. The article didn't say whether the researchers did the "responsible disclosure" thing and notified the authors, giving them time to fix the problem. With software like this it hardly matters, because WordPress sites are frequently left for months at a time without being updated by their owners. A little time on Shodan (tagline: "The world's first search engine for Internet-connected devices.") and an attacker could easily find at least hundreds of ready targets well after the flaws have been patched. Let's talk about why that is.

Priorities Matter

Unless you are WordPress.org, or maybe using WordPress as the CMS for your publishing empire, you're probably using it for a blog or some other marketing purpose tangential to what it is you "DO". If you have installed WordPress on your own hardware, odds are that once everyone is happy with it and the new has worn off, your attention is going to go back to what your company does and not to maintaining it the way it should be. In my experience those things do not get patched as part of regular maintenance.

I'm using a lot of "yous" here when I could just as easily use "me". It's me. I do this. At Alertra we used to have servers for all kinds of things. We operated our own DNS, email, marketing, and support software, along with others, and we're not in the business of any of those things. They fell under "generic IT guy" jobs, and we're too small a company to have anyone generic. We are experts at some things:

  • Tracking your website's uptime; and
  • Looking for vulnerabilities on your network.

But "generic IT" isn't one of them. These days all those functions are done by someone else. Sure, they may be hacked one day, but they are not critical to our company, do not have any access to our company networks, and, most important of all, don't hold privileged information about our customers.

I'm picking on WordPress here because it's in the news and an easy target. But there are other products we use that fall into the same bucket: We need them, but they aren't our core competency.

Two Implementation Ideas

I have two ideas on how to handle these types of products/services: our company needs them, but we don't have the time to maintain them properly and don't want the risk if they get p0wned.

The 1st, if you absolutely have to run them yourself, is to segregate them on their own network and use firewall rules to ensure that no traffic passes between the quarantine network and the rest of your network unless it is explicitly authorized. That means a DENY ALL rule followed by only the ALLOWs you must have. A good rule is that the quarantine network isn't allowed to initiate connections to the rest of the network at all.
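Here is what that DENY ALL plus minimal ALLOWs policy looks like as an nftables forwarding chain on the firewall between the LAN and the quarantine segment; this is an example added here, not a ruleset from the original post. The addresses, the WordPress and admin host roles, and the wan0 interface name are placeholders I've assumed.

```nft
#!/usr/sbin/nft -f
# Forwarding policy for a quarantine segment that hosts WordPress.
# Assumed addressing and names (placeholders, not from the post):
#   LAN                10.0.0.0/24
#   quarantine         10.0.99.0/24   (WordPress host 10.0.99.10)
#   admin workstation  10.0.0.5
#   Internet uplink    interface wan0
table inet quarantine {
    chain forward {
        # DENY ALL first: anything not matched by an accept below is dropped.
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were allowed in the first place may flow back;
        # this is what lets LAN users get HTTP responses without a quarantine->LAN allow.
        ct state established,related accept
        ct state invalid drop

        # The only ALLOWs we must have into quarantine: staff browse/administer the blog
        # over HTTP(S), and a single admin box may SSH to the WordPress host.
        ip saddr 10.0.0.0/24 ip daddr 10.0.99.10 tcp dport { 80, 443 } accept
        ip saddr 10.0.0.5    ip daddr 10.0.99.10 tcp dport 22 accept

        # Quarantine never initiates toward the LAN. The chain policy would drop this
        # anyway; the explicit rule logs and counts attempts so a compromised WordPress
        # host trying to pivot shows up in syslog and in `nft list ruleset`.
        ip saddr 10.0.99.0/24 ip daddr 10.0.0.0/24 log prefix "quarantine-to-lan: " counter drop

        # Quarantine may reach the Internet for updates and plugin downloads. Point it at a
        # public resolver, not the LAN DNS server, so it has no reason to talk to the LAN.
        ip saddr 10.0.99.0/24 oifname "wan0" accept

        # Ordinary LAN -> Internet traffic, so the default drop doesn't take the office offline.
        ip saddr 10.0.0.0/24 oifname "wan0" accept
    }
}
```

Load it with `nft -f` and watch for the "quarantine-to-lan:" prefix in your logs; any hit is the quarantine network trying to do exactly what this design forbids.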

My 2nd idea: there are tons of application service providers offering WordPress hosting. If you just need it for your blog, that's almost perfect. You can create a blog.mycompany.com domain name and link to it from your main page. That WordPress instance may eventually be hacked (if you install a few plugins the chances go significantly higher; install only the absolute minimum), but what will they have? The "data" on your blog was already public. Just make sure your writers don't reuse their WordPress passwords anywhere else and the hackers will have nothing else. This works for almost any service like this. Keep it off your network if at all possible. Keep the amount and sensitivity of data stored by those services to the minimum needed.

Making either of these implementation decisions will significantly limit your attack surface, and the less attack surface you have, the fewer ways the bad guys have into your network.

If you'd like someone to audit your network for security vulnerabilities...

Learn more about our internal or "assumed compromise" test today. Our certified pentesters will analyze your network to provide detailed analysis and reporting you can use to further secure your network.

We can also do an external review of your public facing assets. We have a special flat rate for this service. Fill out the contact form at the above link to get further information.

Author

Kirby Angell is the CTO of Alertra, Inc. and a certified pentester. In addition he has written several articles on Python programming for magazines back when that was a thing. He contributed a chapter to the 1st edition of "The Quick Python Book" published by Manning. He was one of the first 10 Microsoft Certified Solution Developers. Ah the 90s...he probably still has a "Members Only" jacket. He is certified to teach firearms classes in Oklahoma and holds a black belt in mixed martial arts.