To start this post on an optimistic note, I am going to go out on a limb and say that WordPress is one of the most amazing software projects I’ve seen in over 25 years of being in the software industry. With its success, however, WordPress has arrived at a stage in its life cycle that all software platforms eventually encounter, one which presents the hard-to-solve problems of security and reliability. Not unlike other software platforms, WordPress’ success depends upon its weakest links, which include hosting providers, theme designers, and plugins. And through the launch of one abstract website encouraging a sign-up for a beta, Automattic is positioning VaultPress as the simple answer to a blogger’s security and reliability concerns.
The Problem Space
According to a 2009 SANS publication entitled Top Cyber Security Risks, over 60% of the total cyber attacks observed on the Internet were against web applications. The reported web application attacks fall into two main categories: brute force password attacks and server side scripting/injection trickery. What does that mean? Basically, hackers are either using sophisticated programs to guess passwords and gain access to machines, or they are injecting computer program strings into places that are meant to take normal input. For example, a comment form on a WordPress blog is meant to take human input such as, “I really like this post!”. However, hackers look for places like this in a system where they can submit a piece of PHP code, for example, that the system takes in like normal text but actually processes as computer instructions. This example is overly simplified and DOES NOT work for the WordPress comment system, but it does help to clarify the point. The study also indicates that vulnerabilities and attacks today target applications far more than other elements such as network components. Last, the study clearly shows that the United States is the target for most of this activity. There is truly a need for something like VaultPress.
Why WordPress and Who’s The Real Culprit?
WordPress blogs don’t store social security numbers or highly sensitive nuclear formulas. . .they store copy. However, that copy is presented as a webpage that is eventually given a value by Google. This value is called page rank. In most cases, WordPress blogs are targeted to siphon their page rank and promote someone else’s online efforts to make money. If Google were not in the picture, it would not be nearly as attractive to hack a blog. As I’ve asked in many blog posts before, when is Google going to implement true control over things like 301 redirects within Webmaster Tools, so that blog owners can say, “Yes, I really want to repoint my corporate law blog to an online pharmacy and change my key content to words like ‘viagra’”?
Since this isn’t likely to happen, we’ll hope that VaultPress can provide relief from a different angle!
Will VaultPress Be The Right Solution?
The information available about VaultPress at this point is very vague so there is no telling the answer to this question. Still, Automattic’s business decision to enter this space is very appropriate!
Automattic is at the center of a huge focus of hackers, namely content management web applications, and due to WordPress’ popularity as a platform the numbers are huge. They also have a significant installation base in the United States, which is where the majority of this activity is taking place. Last, the developers at Automattic are bright. Still, writing programs to defend against cyber attacks and hacking is a very fine art; you can’t just wake up and say, “I think I’m going to become a security expert today!” With that said, Automattic is pretty tight-lipped about their corporate moves and they very well could have hired some serious talent to work on this project. I know the US Department of Defense has hired some top talent to deal with this issue. . .and . . .they are still getting hacked to some extent.
Solution Spaces
Not knowing what VaultPress is, I can simply provide an overview of what Automattic could do that would be helpful to the blogging community:
- Provide an attack defense plugin that identifies malicious attempts to access a blog and shuts them down. Akismet for security. (VaultPress)
- A certified WordPress platform program for ISPs and hosting providers that sets minimum requirements for operating system, Apache, PHP, and MySQL patches and configurations.
- A Plugin Developers kit which includes security best practices and exploit testers.
- A “one touch” backup solution for themes, configurations, plugins, and MySQL data.
- A scanning toolset similar to WP-MalWatch that truly allows an average blogger to look deeper into their blog for evidence of hacks, etc. and does not require them to have UNIX shell skills.
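To make the last item concrete, here is an added example of what such a scanner could do, written for this post rather than taken from WP-MalWatch, VaultPress or any Automattic code. It walks a WordPress install, lists every .htaccess it finds, and flags any that sits outside the expected root location or that carries the directives typical of the page-rank hijack described above (a rewrite that only fires for search-engine referrers, a rewrite to an external host, or a PHP auto_prepend/auto_append hook). The expected-location set, the directive patterns and the sample directory tree are assumptions constructed for the example; the scanner only reports, it changes nothing on disk.

```python
import re
import tempfile
from pathlib import Path

# Where a stock WordPress install legitimately keeps a .htaccess (the
# permalink rewrite rules). Any other .htaccess deserves a look.
# Constructed baseline for this example, not a list maintained by WordPress.
EXPECTED_HTACCESS = {".htaccess"}

# Directives that are rarely legitimate inside a blog's tree and that match
# the hijack pattern the post describes: send search-engine visitors
# elsewhere, or load attacker-controlled PHP before every request.
SUSPICIOUS_DIRECTIVES = {
    "referrer-conditional rewrite": re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}", re.I),
    "rewrite to external host": re.compile(r"RewriteRule\s+\S+\s+https?://", re.I),
    "php auto_prepend/append": re.compile(
        r"php_(?:value|flag)\s+auto_(?:prepend|append)_file", re.I
    ),
}


def scan_htaccess_files(root):
    """Walk a WordPress install and return one finding per problem seen:
    a .htaccess outside the expected location, or a suspicious directive
    inside any .htaccess. Each finding is {"path": <relative>, "reason": <str>}."""
    root = Path(root)
    findings = []
    for htaccess in sorted(root.rglob(".htaccess")):
        rel = htaccess.relative_to(root).as_posix()
        if rel not in EXPECTED_HTACCESS:
            findings.append({"path": rel, "reason": "unexpected location"})
        text = htaccess.read_text(errors="replace")
        for reason, pattern in SUSPICIOUS_DIRECTIVES.items():
            if pattern.search(text):
                findings.append({"path": rel, "reason": reason})
    return findings


def build_sample_install():
    """Create a throwaway directory imitating a WordPress tree with one
    legitimate .htaccess and one planted in wp-content/uploads.
    Constructed sample data for this example only."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    (root / "wp-config.php").write_text("<?php // placeholder config\n")
    # Stock permalink rules, in the form WordPress writes them.
    (root / ".htaccess").write_text(
        "# BEGIN WordPress\n"
        "RewriteEngine On\n"
        "RewriteBase /\n"
        "RewriteRule ^index\\.php$ - [L]\n"
        "RewriteCond %{REQUEST_FILENAME} !-f\n"
        "RewriteCond %{REQUEST_FILENAME} !-d\n"
        "RewriteRule . /index.php [L]\n"
        "# END WordPress\n"
    )
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    # Rogue file: redirects only visitors arriving from a search engine,
    # so the owner browsing directly never notices. Domain is a placeholder.
    (uploads / ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} google\\. [NC]\n"
        "RewriteRule .* http://pharmacy.example.invalid/ [R=301,L]\n"
    )
    return root


if __name__ == "__main__":
    sample = build_sample_install()
    for finding in scan_htaccess_files(sample):
        print(f"{finding['path']}: {finding['reason']}")
```

Run against a real install by calling `scan_htaccess_files("/path/to/wordpress")`; the stock root .htaccess produces no finding, while the planted one in the sample tree is reported three times (wrong location, referrer condition, external redirect). Reporting each reason separately, rather than a single "bad file" verdict, is what lets a non-technical blogger see why a file was flagged before deciding what to do about it.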
It does amaze me that McAfee and Symantec have not gotten into this game! The WordPress market is huge and growing every day. But then again, Automattic has been built upon capitalizing on opportunities that the big boys just don’t pay attention to. When I get a glimpse at the beta of VaultPress, I’ll post a thorough review. Until then, Automattic will just keep us guessing!
Hi,
WP-Malwatch located 2 .htaccess files on my WordPress site. Said I should only have 1. Told me to look in the html/stats & /_db_backups directories to examine them. Can’t locate these files or my directory. (Have GoDaddy hosting, & when I called they weren’t much help at all). WP-Malwatch also said to examine them. What would I be looking for? The frustrating thing in all of this is the lack of support I get whenever it is needed. Can you help me? Thank you, Ivory Burke
We are finding many plugins that use .HTACCESS files. Our next release, which will be out soon, will not only deal with this but provide value add in the situation. More to come. Thanks for taking the time to provide us feedback.