Google Starts Serious Security Talks With the CMS Community

Last week, Chicago was the coldest place on earth! This was all over the news. The temperatures dropped to -30 degrees Celsius (-22 Fahrenheit) with a  wind chill of -50. I consider myself lucky to have been there to witness this rare polar vortex. However, I was in Chicago for a different event, one that didn’t make the news but was just as exciting -- the Google CMS Security Summit.

Close to thirty top security experts from Google, different CMS platforms, and hosting companies came together to discuss how to make the internet a safer place for everyone. I consider myself even luckier to have been a part of this discussion as a representative of SiteGround.

For two days, we talked with the representatives of WordPress, Drupal, Joomla!, PrestaShop, TYPO3, Squarespace, Symfony, Sucuri, Wordfence, and more. It was inspiring to see how organizations that are competitors when it comes to attracting the end user to their platforms, can actually be unified for the higher aim of making the internet safer.

We almost won the HTTPS battle, but the security war is never over

It is no surprise that Google organized the event considering their significant role in web security. An easy example is the positive impact the Let's Encrypt free SSL initiative, which is heavily supported by Google, had on encryption adoption. HTTPS usage has increased from 35% to over 90% according to Chrome stats:

The efforts of hosting companies like SiteGround that provide Let’s Encrypt SSLs to users also play a big role in the mass adoption of encryption. However, as good as a 90% adoption may seem, the above graph also shows something troubling. It took more than three years to achieve this goal. This is too much time! We, who gathered in Chicago, are on the front line of the security battle. Encryption is great, but it doesn't solve all the issues. Sites still get hacked. CMS platforms have suffered major security issues in recent years. Third-party plugins and themes are exploited every day. Vulnerabilities aren’t properly disclosed. The list goes on and on.

So, how do we protect as many sites as possible, as fast as possible?

During the event, the security community identified four main areas that need action.

1. Third-Party Components and Integrity Control

As a hosting company, we have seen first-hand that the majority of the security issues are caused by vulnerabilities introduced by add-on plugins, modules and themes that are not part of the core platform codebase.

In 2018, SiteGround wrote 250 new custom WAF rules addressing these issues. We are aware that not every hosting company has the resources to monitor security bulletins, analyze issues, compare patches, review code, and write WAF rules. The ultimate goal is not to fight similar  issues with firewall rules (after all, there are hundreds of thousands of plugins, modules, themes, and extensions for all the CMS platforms out there) but to prevent them from occurring in the first place.

We identified the following areas that need work to better protect websites:

  • Better code review procedures for plugins/themes
  • Implementation of static code analysis
  • Packages signing to improve the authenticity of the CMS/plugins/themes and their integrity
  • Security certification programs for extensions developers

2. Vulnerability Disclosures and Rewards

Two main issues were identified.

Although there is some consensus about the best practices for disclosing software vulnerabilities, there are actually no widely-accepted official standards.

Recently, the official working group that creates PHP standards (https://www.php-fig.org) has reopened their work on two documents with recommendations (PSR 9 and PSR 10) that aim to solve this problem. As soon as the final drafts are ready, the community will publish them. We hope that a big percentage of CMS platforms will adopt these standards. This way, the process by which issues are reported and fixed will be improved as well how the public is informed.

The second problem is that most of the platforms out there currently do not have bounty programs to reward people for responsibly disclosing security vulnerabilities. This has to change. However, since many of the open source CMS platforms operate as non-profit organizations, this will be hard to achieve.

3. Automatic Updates

When a security problem is found, it is essential to fix the code ASAP. However, not everyone has the same sense of urgency. This is an even bigger problem for the most popular CMS platforms like WordPress, Drupal, Joomla!, etc. with millions of sites on the internet?

The answer is automatic updates. Right now, WordPress is the only CMS which offers automatic updates. Here at SiteGround, we believe that the ultimate goal is to have every CMS and all its plugins and themes be automatically updated with each new release. Our experience with routine massive automatic updates for our WordPress and Joomla! users have shown that when automatic updates are enabled by default, the number of hacked sites is drastically reduced. The Google Chrome browser is also automatically updated. It is only a matter of time before this to becomes a major selling point for CMS platforms.

An idea was born in Chicago. The group will work on developing a standard for automatic updates. This way, developers of certain platforms will be able to come up with their own implementation, while remaining compliant with the standard.

4. Sharing Knowledge and Tools

Security is a process. It’s not a goal you reach once and then forget about it. Every process is improved by using the right tools for the job. Right now, shared tools are not something you see often. When it comes to security, companies use proprietary tools, outsource certain tasks to third-party companies, and do not share information with other organizations. To protect the web at scale, we need to work together. We need to share information and come up with open source tools that everyone can use and can contribute to.

There are two good examples of this coming from the WordPress and Joomla! communities. The Joomla! security team sends mod_security WAF rules to hosting companies when a new security release is available. Those rules are tested by the Joomla! security team and they can be instantly applied on servers to protect site owners. This way the site owners have a safe window to update their sites. The WordPress security team also closely works with hosts when security releases are available. They do a great job keeping 1/3 of the internet safe and updated. WordPress hosts also frequently share WAF rules to protect users.

The need for tools is obvious. We will see more and more tools emerging within the next couple of years.

I am really glad I went to Chicago last week. The event was just the beginning of something amazing.  After only a week, there is a shared 15-pages document full of ideas that are being actively discussed. A working group will soon be formed and action items are being set as I write this blog post. I can't share any more details, but I can say over the next few months, the security community will be very busy.

When I was in Chicago I saw the following on TV:

In extreme temperatures, it doesn’t take long to get hurt. This picture perfectly illustrates what happens to a website when it is unprotected for even very a short period of time. It will be hacked. SiteGround is committed to protecting all sites on our servers. For us, this is a basic right for every website owner. I am excited to be part of the community  making this happen.

Black Friday Promo!

Enterprise Cloud Solutions Architect

My challenging job is closely related to all kinds of Free and Open-Source Software products (some of my favorites are WordPress, Joomla!, Magento, Varnish and Apache mod_security). As a Web security and performance freak I am always hyper focused on solving all kinds of issues and improving our services.

7 Comments

  1. Reply February 15, 2019 / 18:46 Allyn MortonSiteGround Team

    This was a very informative article, greatly appreciated too.

  2. Reply February 20, 2019 / 00:14 Funashi MwambaSiteGround Team

    I have been impressed particularly with the free Lets Encrypt SSLs certificates. Well done on that service. And every now and then the security battle is been fought with improvements that keep us bloggers assured that the system will run as better.

  3. Reply February 20, 2019 / 14:19 RonSiteGround Team

    Good article. However, I take exception with the Automatic Updates being a good thing. Yes, most people are bad about doing updates, however, updates frequently break things, and having them on automatic means might site might be broken and i don't know it. Also, as happened with Chrome automatic update recently, it broke an browser extension I rely on and I had no idea why it stopped working. It took a little sleuthing and working with the extension creator to realize that the automatic Chrome browser update was the culprit.

    Generally, I agree that updates are important and necessary for security HOWEVER they can break things and leave you wondering what is wrong and what happened. Making them automatic is the issue I am trying to call attention to. In Siteground's favor is the fact that at they have a notification system that let's you know when one is imminent, so at least, IF you read your emails and aren't on vacation, you know. BETTER would be to set up a system to alert you that updates are available and let you do them on your own schedule. Maybe some kind of regular email should go out until the update takes place or something.

    Thanks for listening.

    • Reply February 27, 2019 / 03:25 Daniel KanchevSiteGround Team

      Hi, Ron.

      I am glad that you liked the article. You are right that sometimes automatic updates cause issues. This is definitely a problem and it is a hard one to solve. The truth is that the number of issues will probably never go down to zero. I think that it is more important to protect 99,99% of all website owners. The rest of the people need to be able to cancel automatic updates and update when they want to. This way experienced site administrators will be able to perform the upgrades on their own and the rest of the sites will be updated automatically. It is also very important to have backups. This is why our automatic system created backups of all sites before updates are applied.

  4. Reply March 10, 2019 / 14:47 IT Guru Solutions – JaySiteGround Team

    I've used Let's Encrypt on my reseller sites on SG......since it's inception.
    Encryption has always been KEY to securing clear text transmissions between a users browser or device, and someones site that we built. Even search strings, or logins, can be scraped or sniffed. Let's Encrypt, secures that - and that is a big deal!

    I am EXCITED to hear about Automatic Updates, but I have to add that the 3rd party templates, components etc MUST be included without any doubt into these standards, and made to adopt them, or be dropped from the CMS's respective directory or website (ie the JED). Even "paid for" or commercial extensions and templates, and especially those - no matter the publisher - must be included as well. Then - what and how would this be handled for a site, or multiple, that have a commercial 3rd party extension or otherwise, that has lapsed in their subscription? Those publishers, then do not give you "future releases" - so how would that be handled, except to bring the site owners attention to it to either renew it, or get rid of it with some other(s) option(s)?? This latter part re: to lapses - I see as a big deal too, because I see it all the time. Even happened on mine.....until I can **make the time** to research component x that's lapsed, to be replaced by component y.

    So with these - I would think that something like the Siteground Scanner - be also included for free vs for charge, and here's why: It is the product you have today, that pretty much does the above. It should go farther I think, and actually look at and analyze the CMS, version, etc. but also all 3rd party add ons, their status, and version - as compared to the latest available version, known vulnerabilities, and so on. Basically what I describe here is you all building something similar to any commercial vulnerability assessment tool, like Nessus for example, into your free scanning services - that already sends automated emails of breach attempts - but also out of date etc directly to the site owner/admin. Manage outward and upward kinda thing.

    Now when we we users (consumers) are "shopping" for add on's I think it would be very prudent to require *every* 3rd party developer to follow a required set of bullet points that must be used within their product offering web pages -- ie Automatic Updates through the (CMS) framework and similar, encryption support, automatic backup support - and whatever else is deemed to be what would be required for CONSISTENCY across the board. Some extension do today, and some don't follow this. ie some advertise their component is part of the Joomla or WordPress Automatic Update framework mechanism vs those that are not or they just forgot to include it in their extension texts. So a way to FORM it for them when registering, and making it a required field! 😉

    Further, as each set of standards are adopted, any extensions or add on's NOT fully compliant, should just automatically be removed from their respective CMS market or directory where users don't even SEE them (ie the Joomla Web Installer that comes from the JED - if Joomla adopts these standards - then extensions, templates, components not fully meeting those standards be simply removed or even ineligible for posting in the first place), and the JED or the WP extension directory would need to adopt a similar approach naturally, to vet these add on's on submission - similar to how Apple and now Google do in their App Stores for mobiles).

    Just some of my thoughts on this very important and exciting subject!

    • Reply March 11, 2019 / 06:04 Daniel KanchevSiteGround Team

      Thank you for the comment! I do agree that all CMS platforms need to make changes in order for the security to be improved. This is especially valid for the security of themes, plugins, extensions, etc. My advice is to get involved and contribute to your favorite CMS platforms. The Joomla! and WordPress projects have the following pages that you can check in order to find out how to contribute:

      https://volunteers.joomla.org/teams
      https://wordpress.org/support/article/contributing-to-wordpress/

  5. Reply March 31, 2019 / 02:49 Grahame MartinSiteGround Team

    Thank you for that, very enlightening!

Reply

* (Required)