Stacking the odds in site owners’ favor

Patchstack's Oliver Sild on securing the WordPress ecosystem, one plugin vulnerability at a time

WordPress is the world’s most popular content management system, powering around 40% of all websites globally.

While the open source technology has helped millions of business owners, bloggers, and hobbyists to carve out their own online niche, WordPress security remains a key issue.

Over recent months, the developers of WordPress Core – the ‘foundational’ files that are required for the software to work – have doubled down on their efforts to protect site owners with the launch of several new features.

RELATED WordPress 5.8 update extends Site Health interface for developers

Now, as WordPress approaches its 20th anniversary, one company has joined the fray to help protect an even bigger attack surface: the WordPress plugin ecosystem.

Oliver Sild is an active member of the Estonian infosec community. He’s organized capture-the-flag competitions for the past few years and was recently involved in opening a physical hacker space in his hometown.

We spoke to Sild about WordPress security and how his new venture, Patchstack, has taken inspiration from the bug bounty business model to develop a new platform for securing WordPress plugins and the sites they run on.

What is Patchstack, and what are you aiming to achieve with this new venture?

Oliver Sild: Patchstack is building a community of cybersecurity researchers to help secure the WordPress ecosystem. WordPress is growing really quickly, and it has a very strong community of developers. At the same time, we believe it’s time for WordPress to not only have a strong community of developers, but also a strong community of [associated] security researchers as well.

RECOMMENDED Multiple vulnerabilities in WordPress plugin pose website remote code execution risk

What we’ve built is a gamification-based bug hunting platform, where researchers can find vulnerabilities in whatever WordPress plugin they choose. They report it to our Patchstack Red Team platform, and they receive a score based on the severity of the vulnerability, how many websites it affects, and so on.

All of the research that’s done on this platform is eventually going to be put on the Patchstack Database, an open and free vulnerability database for WordPress plugins. We also have a Software-as-a-Service [SaaS] application, the Patchstack App, which provides virtual patches or live patches for all those vulnerabilities that our community defines.

How does it work?

OS: Patchstack Red Team doesn’t pay out bounties per finding. If we were to do that then only the big commercial plugins like Yoast or Elementor would have the money to pay, right? We didn’t want that to happen, so we decided to completely remove the traditional bug hunting or bug bounty ‘way’ and replace it with a gamification-based leaderboard system.

After a researcher submits a vulnerability, we take the CVSS score of the vulnerability, multiply that by the number of active installations, give them a score and then at the end of the month we have a leaderboard of the top contributors to the WordPress security [community].

How do you decide which researchers get paid?

OS: Each month we have a prize pool, which has just started paying out. The prize pool for June was about €1,500. The researcher in first place received around $700, and payments reduce as you go down the leaderboard. In the past two months, over 430 new vulnerabilities have been reported to us.

There are more than 50,000 free WordPress plugins in the official store

Do you find it surprising that there aren’t more companies focused specifically on securing WordPress?

OS: There are numerous companies that provide security for WordPress sites, but a lot of them are mainly focused on the malware scanning side of things. WordPress users are not technical in most cases, and many don’t think about security before they’re hit [by an attack].

Read more of the latest infosec interviews

Currently, most of the service or security products are mainly approaching from the malware removal side of things, where someone already has a website and then they are looking for a security solution following an attack.

We are driving the completely opposite way; we decided that we are not even going to build a malware scanner as there are plenty of companies who are already doing that. We decided that we would take just one very specific issue in the WordPress ecosystem, and that’s plugin vulnerabilities and plugin security.

How important is plugin security when it comes to protecting WordPress sites and users?

OS: Earlier this year, we released a white paper for all the WordPress vulnerabilities disclosed in 2020. We analyzed every single vulnerability that was out there for WordPress, and 96.2% of all the vulnerabilities across the WordPress ecosystem were related to plugins.

If we can solve the plugin issue as a community, we would probably make WordPress way more secure than it is right now.

The launch of WordPress 5.5 last year included a new feature that auto-updates website plugins. What do you make of this development?

OS: Previously, it was only possible to enable auto-update for WordPress core. Although this can help improve the security of WordPress sites, when they released the new functionality that can auto-update all the plugins and themes as well, people started to write a lot of articles about how to turn this feature off.

Web developers are really worried because if someone is auto-updating their software, they don’t know what kind of code is shipped to the website, so this feature really didn’t solve everything.

WP Bug HuntPatchstack is hosting the 2021 WP Bug Hunt

How is Patchstack approaching coordinated disclosure? Do you have any safe harbor policies to help give researchers peace of mind before they start hacking?

OS: Things are a little different for us, compared to other vulnerability disclosure platforms, because all of the plugins from the WordPress repository are open source.

Our platform automatically pulls in all of the plugins, and this makes it very simple for the researchers to see which ones have more installations, which ones were updated recently, and then they can just look at the source code. Once they report a plugin vulnerability to Patchstack, we manage the triage process for them: we notify the plugin developer and make sure it’s going to be fixed.

We’re talking regularly with the WordPress plugin team, and Patchstack is authorized as an official CNA to directly assign CVE IDs to vulnerabilities reported to us.

How can security researchers join Patchstack Red Team?

OS: We are onboarding around one new researcher every week. Right now, we are hand-picking researchers from the 1,600 people who originally expressed interest in the project.

We are planning to allow researchers to sign up and start hacking in the future. For now, to get an invite and to get started, we invite people to participate in WordPress Bug Hunt 2021, where they can win Burp Suite licenses, PentesterLab licenses, Hak5 kits, and invitations to the Patchstack Red Team.

READ ON Offensive Security’s Ning Wang on training the next generation of infosec pros