Calvin Alkan, a researcher in WordPress security, discusses the state of WordPress security plugins, including vulnerabilities in two-factor authentication implementation and the systemic issue of storing sensitive data in plain text. He also explores the lack of security measures and clear communication from vendors, the need for plugin requirements, and the importance of a layered approach to WordPress security.
01:23:18
INSIGHT
2FA Secrets Stored Insecurely
Many popular WordPress two-factor authentication plugins stored secrets in plaintext, making them vulnerable if database reads were possible.
Storing two-factor secrets unencrypted allows attackers with database access to generate valid login codes and fully compromise sites.
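Defensive illustration of the point above, as an added example that is neither code from the episode nor from any plugin discussed: the TOTP seed is encrypted before it is written to the database, with the key held in wp-config.php (a hypothetical constant, TOTP_ENCRYPTION_KEY), so that a database read alone does not hand over a usable seed.

```php
<?php
// Added example, not from the episode or any plugin it discusses.
// Keep the TOTP seed out of the database in plaintext: encrypt it with a key
// that lives in wp-config.php, not in wp_usermeta or any other table.

// Hypothetical wp-config.php constant: a 32-byte key, e.g.
// define('TOTP_ENCRYPTION_KEY', base64_decode('<32 random bytes, base64>'));
if (!defined('TOTP_ENCRYPTION_KEY')) {
    // Demo fallback only; a real deployment sets this once in wp-config.php.
    define('TOTP_ENCRYPTION_KEY', random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES));
}

// Encrypt a raw seed for storage. Returns base64(nonce || ciphertext+tag).
function encrypt_totp_seed(string $seed, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per write
    $box   = sodium_crypto_secretbox($seed, $nonce, $key);     // XSalsa20-Poly1305
    return base64_encode($nonce . $box);
}

// Decrypt a stored value. Returns null when the key is wrong, the row was
// tampered with, or the value is malformed (never a partial plaintext).
function decrypt_totp_seed(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $seed  = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $seed === false ? null : $seed;
}

// Constructed demo seed: 20 random bytes, the usual TOTP seed length.
$seed   = random_bytes(20);
$stored = encrypt_totp_seed($seed, TOTP_ENCRYPTION_KEY);
// In a plugin this is what would be persisted, e.g.:
// update_user_meta($user_id, 'totp_seed', $stored);

// Normal login path: the key from wp-config.php recovers the seed.
assert(decrypt_totp_seed($stored, TOTP_ENCRYPTION_KEY) === $seed);

// Someone holding only the database row has $stored but not the key.
$other_key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
assert(decrypt_totp_seed($stored, $other_key) === null);
```

This only helps while the key stays outside the database; anyone who can also read wp-config.php, or who controls the PHP process, is back to the plaintext case, so the encryption is one layer rather than a substitute for fixing the read vulnerability itself.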
INSIGHT
WordPress SQL Injection Risks
SQL injection vulnerabilities regularly appear in WordPress core and plugins, enabling attackers to read database contents.
Combined with plaintext storage of two-factor secrets, the ability to read the database in this way enables full site takeover.
ADVICE
Follow Responsible Vulnerability Disclosure
Practice responsible disclosure by privately informing vendors of security issues and giving them time to fix before publicizing.
Typical disclosure gives vendors weeks or months to patch vulnerabilities to avoid malicious exploitation.
This is the first of four podcast episodes related to WordPress security.
For the first time ever, I feel like I need to add some context to the show notes so that you understand what I'm doing here.
A little while ago there was some news in the WordPress space about the merits of using plugins for securing your WordPress website. Researchers (Calvin being one of them) had discovered ways in which the effectiveness of the plugins might be compromised. I'll leave the audio (and transcript) of the podcast to explain the technicalities here, but there were several posts on social media which amplified the issue, making it harder to gain an understanding of what happened, and when.
I decided to reach out to a number of people to get 'their side of the story'.
Also a first for this podcast, I set some ground rules for the interviews to take place:
Each participant (there are four in total, one per episode) was told who the other guests were
Each participant was told that their episode would not be published until all four recordings had taken place
Each participant was told that their episode would be published in a random order
What you're listening to today is the first of that random publishing schedule. The other three episodes will come out in the following weeks.
This was done to ensure that the guests did not have a chance to listen to the other participants' episodes, and therefore did not have a chance to 'better prepare'.
With hindsight, this was likely overkill, as all the guests were very thoughtful and polite. They do in some cases mention rival products and describe areas where they think that errors were made in code and communication. That being said, there was no general sense of mudslinging that I detected.
The guests are (in random order):
Calvin Alkan - Snicco
Akshat Choudhary - Malcare
Dan Knauss - iThemes (now SolidWP)
Thomas J Raef - We Watch Your Website
I'm going to keep my commentary here to a minimum to avoid getting embroiled in the debate, but there's some additional information about what we cover in the show notes of the post.