Learn more about the security of the WordPress core software in this free white paper. You can also download it in PDF format.
Overview
This document is an analysis and explanation of the WordPress core software development and its related security processes, as well as an examination of the inherent security that is built directly into the software. Decision makers evaluating WordPress as a content management system or web application framework should use this document in their analysis and decision-making, and developers should refer to it to familiarize themselves with the security components and best practices of the software.
The information in this document is current for the latest stable release of the software, WordPress 4.7 at the time of publication, but should also be considered relevant for newer versions of the software, since backwards compatibility is a strong focus for the WordPress development team. Specific security measures and changes are noted as they were added to the core software in specific releases. It is strongly recommended to always run the latest stable release of WordPress to ensure the best possible security.
Executive Summary
WordPress is a dynamic open-source content management system which is used to power millions of websites, web applications and blogs. It currently powers more than 34% of the top 10 million websites on the Internet. The usability, extensibility and mature development community of WordPress make it a popular and secure choice for websites of all sizes.
Since its inception in 2003, WordPress has undergone continual hardening so that its core software can address and mitigate common security threats, including the Top 10 list identified by the Open Web Application Security Project (OWASP) as common security vulnerabilities, which are discussed in this document.
The WordPress Security Team, in collaboration with the WordPress Core Leadership Team and backed by the global WordPress community, works to identify and resolve security issues in the core software available for distribution and installation at WordPress.org, and recommends and documents security best practices for third-party plugin and theme authors.
Site developers and administrators should pay particular attention to the correct use of the core APIs and the underlying server configuration, which have been the source of common vulnerabilities, and should ensure that all users use strong passwords to access WordPress.
An Overview of WordPress
WordPress is a free and open-source content management system (CMS). It is the most widely used CMS software in the world, powering more than 34% of the top 10 million websites1, which gives it an estimated 60% market share of all sites using a CMS.
WordPress is licensed under the General Public License (GPLv2 or later), which provides four core freedoms that can be considered the WordPress "constitution":
- The freedom to run the program for any purpose.
- The freedom to study how the program works and change it to make it do what you wish.
- The freedom to redistribute.
- The freedom to distribute copies of your modified versions to others.
WordPress Core Leadership Team
The WordPress project is a meritocracy, run by a core leadership team and led by its co-founder and lead developer Matt Mullenweg. The team governs all aspects of the project, including core development, WordPress.org and community initiatives.
The Core Leadership Team consists of Matt Mullenweg, five lead developers and more than a dozen core developers with permanent commit access. These developers have final authority on technical decisions and lead architecture discussions and implementation efforts.
WordPress has many contributing developers. Some of these are former or current committers, and some of them are future committers. These contributing developers are trusted and veteran contributors to WordPress who have earned a great deal of respect among their peers. As needed, WordPress also has guest committers, individuals who are granted commit access, sometimes for a specific component, on a temporary or trial basis.
The core and contributing developers primarily guide WordPress development. For every version, hundreds of developers contribute code to WordPress. These core contributors are volunteers who contribute to the core codebase in some way.
The WordPress Release Cycle
Each WordPress release cycle is led by one or more of the core WordPress developers. A release cycle usually lasts around 4 months, from the first scoping meeting to the launch of the version.
A release cycle follows this pattern2:
- Phase 1: Planning and securing team leads. This takes place in the #core chat room on Slack. The release lead discusses features for the next version of WordPress. WordPress contributors get involved in that discussion. The release lead identifies team leads for each of the features.
- Phase 2: Development work begins. Team leads assemble teams and work on their assigned features. Regular chats are scheduled to ensure that development keeps moving forward.
- Phase 3: Beta. Beta versions are released, and beta testers are asked to report bugs. From this phase on, no more changes for new enhancements or feature requests are made. Third-party plugin and theme authors are encouraged to test their code against the upcoming WordPress changes.
- Phase 4: Release candidate. From this point on, the translatable strings are frozen. Work is done only on regressions and blocking issues.
- Phase 5: Launch. The WordPress version is launched and made available in the WordPress admin dashboard for updates.
Version Numbering and Security Releases
A major WordPress version is determined by the first two sequences. For example, 3.5 is a major version, as are 3.6, 3.7 and 4.0. There is no "WordPress 3" or "WordPress 4"; each major version is referred to by its numbering, e.g. "WordPress 3.9".
Major versions may add new user features and developer APIs. Although it is typical in the software world for a "major" version to break backwards compatibility, WordPress strives not to break backwards compatibility. Backwards compatibility is one of the most important philosophies of the project, with the aim of making updates easier for users and developers alike.
A minor WordPress version is determined by the third sequence. Version 3.5.1 is a minor version, as is 3.4.23. A minor version is reserved only for fixing security vulnerabilities and critical bugs. Since new versions of WordPress are released so frequently – the aim is every 4-5 months for a major version, and minor versions are released as needed – only major and minor versions are needed.
Version Backwards Compatibility
The WordPress project is strongly committed to backwards compatibility. This commitment means that themes, plugins and custom code continue to work when the WordPress core software is updated. Website owners are encouraged to update their WordPress version to the latest secure release.
WordPress and Security
WordPress Security Team
The WordPress Security Team consists of approximately 50 experts, including lead developers and security researchers – about half are employees of Automattic (the makers of WordPress.com, the oldest and largest hosting platform on the web), and many of them work in the web security field. The team consults with well-known and trusted security researchers and hosting companies3.
The WordPress Security Team often works together with other security teams to resolve issues in common dependencies, for example the vulnerability in the PHP XML parser, used by the XML-RPC API that ships with WordPress, in WordPress 3.9.24. This vulnerability resolution was the result of a joint effort by the WordPress and Drupal security teams.
WordPress Security Risks, Process and History
The WordPress Security Team believes in responsible disclosure: anyone who discovers a potential vulnerability should alert the security team immediately. Potential security vulnerabilities can be reported to the Security Team via WordPress HackerOne5. The Security Team communicates amongst itself via a private Slack channel, and works on a walled-off, private Trac for tracking, testing, and fixing bugs and security problems.
Each security report is acknowledged upon receipt, and the team works to verify the vulnerability and determine its severity. If confirmed, the security team then plans for a patch to fix the problem which can be committed to an upcoming release of the WordPress software or it can be pushed as an immediate security release, depending on the severity of the issue.
For an immediate security release, an advisory is published by the Security Team to the WordPress.org News site6 announcing the release and detailing the changes. Credit for the responsible disclosure of a vulnerability is given in the advisory to encourage and reinforce continued responsible reporting in the future.
Administrators of the WordPress software see a notification on their site dashboard to upgrade when a new release is available, and following the manual upgrade users are redirected to the About WordPress screen which details the changes. If administrators have automatic background updates enabled, they will receive an email after an upgrade has been completed.
Automatic Background Updates for Security Releases
Starting with version 3.7, WordPress introduced automated background updates for all minor releases7, such as 3.7.1 and 3.7.2. The WordPress Security Team can identify, fix, and push out automated security enhancements for WordPress without the site owner needing to do anything on their end, and the security update will install automatically.
When a security update is pushed for the current stable release of WordPress, the core team will also push security updates for all the releases that are capable of background updates (since WordPress 3.7), so these older but still recent versions of WordPress will receive security enhancements.
Individual site owners can opt to remove automatic background updates through a simple change in their configuration file, but keeping the functionality is strongly recommended by the core team, as well as running the latest stable release of WordPress.
2013 OWASP Top 10
The Open Web Application Security Project (OWASP) is an online community dedicated to web application security. The OWASP Top 10 list8 focuses on identifying the most serious application security risks for a broad array of organizations. The Top 10 items are selected and prioritized in combination with consensus estimates of exploitability, detectability, and impact estimates.
The following sections discuss the APIs, resources, and policies that WordPress uses to strengthen the core software and 3rd party plugins and themes against these potential risks.
A1 - Injection
There is a set of functions and APIs available in WordPress to assist developers in making sure unauthorized code cannot be injected, and help them validate and sanitize data. Best practices and documentation are available9 on how to use these APIs to protect, validate, or sanitize input and output data in HTML, URLs, HTTP headers, and when interacting with the database and filesystem. Administrators can also further restrict the types of file which can be uploaded via filters.
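As an added example (not code from the white paper or from WordPress itself), the following plugin-style snippet shows the injection-prone pattern beside the `$wpdb->prepare()` form, an allowlist for SQL identifiers that cannot be placeholders, and the `upload_mimes` filter mentioned above. The `demo_*` function names are hypothetical.

```php
<?php
// Added example: database access through the WordPress $wpdb API.
// Assumes it runs inside a plugin on a normal WordPress installation.

// Injection-prone pattern: the request value is interpolated into the SQL
// string, so the value can change the structure of the query.
function demo_lookup_posts_unsafe( $status ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = '$status'";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: $wpdb->prepare() uses sprintf-style placeholders (%s, %d)
// and escapes each value, so the input is only ever treated as data.
function demo_lookup_posts_safe( $status ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = %s LIMIT %d",
        $status,
        50
    );
    return $wpdb->get_results( $sql );
}

// LIKE patterns need escaping of the wildcard characters as well, which
// $wpdb->esc_like() does before the value goes into prepare().
function demo_search_titles( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s AND post_status = 'publish' LIMIT 20",
        $like
    ) );
}

// Identifiers (column names, sort direction) cannot be placeholders; map the
// request value onto a fixed allowlist instead of trusting it.
function demo_lookup_posts_ordered( $order_by ) {
    global $wpdb;
    $allowed = array( 'post_date', 'post_title', 'ID' );
    if ( ! in_array( $order_by, $allowed, true ) ) {
        $order_by = 'post_date';
    }
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = 'publish' ORDER BY {$order_by} DESC LIMIT 10"
    );
}

// Sanitize the request value before it reaches any of the functions above:
// wp_unslash() undoes WordPress' magic-quotes slashing and
// sanitize_text_field() strips tags, control characters and extra whitespace.
function demo_requested_status() {
    if ( ! isset( $_GET['status'] ) ) {
        return 'publish';
    }
    return sanitize_text_field( wp_unslash( $_GET['status'] ) );
}

// Restricting uploadable file types via the upload_mimes filter: returning a
// fixed array replaces the default list with this allowlist.
add_filter( 'upload_mimes', function ( $mimes ) {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
} );
```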
A2 - Broken Authentication and Session Management
WordPress core software manages user accounts and authentication and details such as the user ID, name, and password are managed on the server-side, as well as the authentication cookies. Passwords are protected in the database using standard salting and stretching techniques. Existing sessions are destroyed upon logout for versions of WordPress after 4.0.
A3 - Cross Site Scripting (XSS)
WordPress provides a range of functions which can help ensure that user-supplied data is safe10. Trusted users, that is administrators and editors on a single WordPress installation, and network administrators only in WordPress Multisite, can post unfiltered HTML or JavaScript as they need to, such as inside a post or page. Untrusted users and user-submitted content is filtered by default to remove dangerous entities, using the KSES library through the wp_kses function.
As an example, the WordPress core team noticed before the release of WordPress 2.3 that the function the_search_query() was being misused by most theme authors, who were not escaping the function’s output for use in HTML. In a very rare case of slightly breaking backward compatibility, the function’s output was changed in WordPress 2.3 to be pre-escaped.
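As an added example (not code from the white paper or from WordPress), the snippet below shows context-specific output escaping in a theme template and the `wp_kses()` allowlist that the section describes for untrusted content. The `demo_*` names are hypothetical.

```php
<?php
// Added example: escaping output and filtering untrusted HTML.
// Assumes the normal WordPress runtime (theme or plugin context).

// Escape for the context the value lands in: esc_html() for element text,
// esc_attr() for attribute values, esc_url() for href/src (it drops
// javascript: and other disallowed schemes entirely).
function demo_render_author_card( $name, $profile_url, $tagline ) {
    $html  = '<div class="author">';
    $html .= '<h3>' . esc_html( $name ) . '</h3>';
    $html .= '<a href="' . esc_url( $profile_url ) . '" title="' . esc_attr( $tagline ) . '">';
    $html .= esc_html__( 'Profile', 'demo' ) . '</a>';
    $html .= '</div>';
    return $html;
}

// Untrusted HTML (a comment, a front-end submission) goes through wp_kses()
// with an explicit allowlist of tags and attributes. Everything not listed,
// including <script>, on* event handler attributes and disallowed URL
// protocols, is stripped rather than escaped.
function demo_filter_comment_html( $raw ) {
    $allowed = array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'em'     => array(),
        'strong' => array(),
        'p'      => array(),
    );
    return wp_kses( $raw, $allowed );
}

// wp_kses_post() applies the same allowlist WordPress itself uses for post
// content written by users without the unfiltered_html capability.
function demo_filter_submission_html( $raw ) {
    return wp_kses_post( $raw );
}

// Search form: get_search_query() returns an already-escaped value (the
// change made in WordPress 2.3 described above), so it is safe in an
// attribute as-is; escaping a second time would double-encode it.
function demo_search_form() {
    return '<form role="search" method="get" action="' . esc_url( home_url( '/' ) ) . '">'
         . '<input type="search" name="s" value="' . get_search_query() . '">'
         . '</form>';
}
```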
A4 - Insecure Direct Object Reference
WordPress often provides direct object reference, such as unique numeric identifiers of user accounts or content available in the URL or form fields. While these identifiers disclose direct system information, WordPress’ rich permissions and access control system prevent unauthorized requests.
A5 - Security Misconfiguration
The majority of the WordPress security configuration operations are limited to a single authorized administrator. Default settings for WordPress are continually evaluated at the core team level, and the WordPress core team provides documentation and best practices to tighten security for server configuration for running a WordPress site11.
A6 - Sensitive Data Exposure
WordPress user account passwords are salted and hashed based on the Portable PHP Password Hashing Framework12. WordPress’ permission system is used to control access to private information such as registered users’ PII, commenters’ email addresses, privately published content, etc. In WordPress 3.7, a password strength meter was included in the core software providing additional information to users setting their passwords and hints on increasing strength. WordPress also has an optional configuration setting for requiring HTTPS.
A7 - Missing Function Level Access Control
WordPress checks for proper authorization and permissions for any function level access requests prior to the action being executed. Access or visualization of administrative URLs, menus, and pages without proper authentication is tightly integrated with the authentication system to prevent access from unauthorized users.
A8 - Cross Site Request Forgery (CSRF)
WordPress uses cryptographic tokens, called nonces13, to validate intent of action requests from authorized users to protect against potential CSRF threats. WordPress provides an API for the generation of these tokens to create and verify unique and temporary tokens, and the token is limited to a specific user, a specific action, a specific object, and a specific time period, which can be added to forms and URLs as needed. Additionally, all nonces are invalidated upon logout.
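As an added example (not code from the white paper or from WordPress) serving both the A7 and A8 sections, this admin form handler pairs the capability check with the nonce check: the first decides whether the user may perform the action, the second whether the request reflects the user's intent. The `demo_plugin_*` names and option are hypothetical.

```php
<?php
// Added example: capability check (A7) plus nonce check (A8) on a form.
// Assumes a plugin rendering a form on an admin screen of a WordPress site.

// Render the form. wp_nonce_field() emits a hidden _wpnonce field bound to
// the current user, the action name "demo_plugin_save" and a time window
// (a nonce is valid for 12 to 24 hours and is invalidated on logout).
function demo_plugin_render_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // no UI for users who could not complete the action anyway
    }
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_plugin_save">';
    wp_nonce_field( 'demo_plugin_save', '_wpnonce' );
    echo '<input type="text" name="demo_title">';
    submit_button( 'Save' );
    echo '</form>';
}

// Handle the POST. Both checks happen before any state changes.
function demo_plugin_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies with a 403 if the nonce is missing, expired, issued for another
    // action, or issued to another user's session.
    check_admin_referer( 'demo_plugin_save', '_wpnonce' );

    $title = isset( $_POST['demo_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_title'] ) )
        : '';
    update_option( 'demo_plugin_title', $title );

    wp_safe_redirect( admin_url( 'options-general.php?page=demo_plugin&saved=1' ) );
    exit;
}
add_action( 'admin_post_demo_plugin_save', 'demo_plugin_handle_save' );

// Nonces also protect GET actions carried in links: wp_nonce_url() appends
// _wpnonce, and the action name includes the object id so a token for one
// item cannot be replayed against another.
function demo_plugin_delete_link( $item_id ) {
    $item_id = (int) $item_id;
    $url     = admin_url( 'admin-post.php?action=demo_plugin_delete&item=' . $item_id );
    return wp_nonce_url( $url, 'demo_plugin_delete_' . $item_id );
}

function demo_plugin_handle_delete() {
    $item_id = isset( $_GET['item'] ) ? (int) $_GET['item'] : 0;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'demo_plugin_delete_' . $item_id );
    // ... perform the deletion for $item_id here ...
    wp_safe_redirect( admin_url( 'options-general.php?page=demo_plugin&deleted=1' ) );
    exit;
}
add_action( 'admin_post_demo_plugin_delete', 'demo_plugin_handle_delete' );
```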
A9 - Using Components with Known Vulnerabilities
The WordPress core team closely monitors the few included libraries and frameworks WordPress integrates with for core functionality. In the past the core team has made contributions to several third-party components to make them more secure, such as the update to fix a cross-site vulnerability in TinyMCE in WordPress 3.5.214.
If necessary, the core team may decide to fork or replace critical external components, such as when the SWFUpload library was officially replaced by the Plupload library in 3.5.2, and a secure fork of SWFUpload was made available by the security team15 for those plugins that continued to use SWFUpload in the short term.
A10 - Unvalidated Redirects and Forwards
WordPress’ internal access control and authentication system will protect against attempts to direct users to unwanted destinations or automatic redirects. This functionality is also made available to plugin developers via an API, wp_safe_redirect()16.
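As an added example (not code from the white paper or from WordPress), the snippet below returns a user to a requested location after an action while refusing off-site targets, using `wp_safe_redirect()` and its underlying `wp_validate_redirect()`; the `demo_*` names and the extra host are hypothetical.

```php
<?php
// Added example: validated redirects with the WordPress HTTP redirect helpers.
// Assumes the normal WordPress runtime.

// Return the requested location if its host is the site's own host (or one
// allowed via the allowed_redirect_hosts filter); otherwise fall back to the
// dashboard. Only the host is checked, so the path may be anything on-site.
function demo_return_url( $requested ) {
    $requested = esc_url_raw( wp_unslash( (string) $requested ) );
    return wp_validate_redirect( $requested, admin_url() );
}

// wp_safe_redirect() performs the same validation internally before sending
// the Location header; wp_redirect() performs no host check at all.
function demo_return_to( $requested ) {
    wp_safe_redirect( demo_return_url( $requested ) );
    exit;
}

// A second domain of the same organisation (hypothetical) can be allowed
// explicitly; the allowlist stays closed to everything else.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'docs.example.com';
    return $hosts;
} );

// Typical use: a "redirect_to" parameter carried through a form.
function demo_after_action() {
    $target = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
    demo_return_to( $target );
}
```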
Further Security Risks and Concerns
XXE (XML eXternal Entity) Processing Attacks
When processing XML, WordPress disables the loading of custom XML entities to prevent both External Entity and Entity Expansion attacks. Beyond PHP’s core functionality, WordPress does not provide additional secure XML processing API for plugin authors.
SSRF (Server Side Request Forgery) Attacks
HTTP requests issued by WordPress are filtered to prevent access to loopback and private addresses. Additionally, access is only allowed to certain standard HTTP ports.
WordPress Plugin and Theme Security
The Default Theme
WordPress requires a theme to be enabled to render content visible on the frontend. The default theme which ships with core WordPress (currently "Twenty Nineteen") has been vigorously reviewed and tested for security reasons by both the team of theme developers plus the core development team.
The default theme can serve as a starting point for custom theme development, and site developers can create a child theme which includes some customization but falls back on the default theme for most functionality and security. The default theme can be easily removed by an administrator if not needed.
WordPress.org Theme and Plugin Repositories
There are approximately 50,000+ plugins and 5,000+ themes listed on the WordPress.org site. These themes and plugins are submitted for inclusion and are manually reviewed by volunteers before they are made available in the repository.
Inclusion of plugins and themes in the repository is not a guarantee that they are free from security vulnerabilities. Guidelines are provided for plugin authors to consult prior to submission for inclusion in the repository17, and extensive documentation about how to do WordPress theme development18 is provided on the WordPress.org site.
Each plugin and theme has the ability to be continually developed by the plugin or theme owner, and any subsequent fixes or feature development can be uploaded to the repository and made available to users with that plugin or theme installed with a description of that change. Site administrators are notified of plugins which need to be updated via their administration dashboard.
When a plugin vulnerability is discovered by the WordPress Security Team, they contact the plugin author and work together to fix and release a secure version of the plugin. If there is a lack of response from the plugin author or if the vulnerability is severe, the plugin/theme is pulled from the public directory, and in some cases, fixed and updated directly by the Security Team.
Theme Review Team
The Theme Review Team is a group of volunteers, led by key and established members of the WordPress community, who review and approve themes submitted to be included in the official WordPress Theme directory. The Theme Review Team maintains the official Theme Review Guidelines19, the Theme Unit Test Data20, and the Theme Check plugin21, and attempts to engage and educate the WordPress Theme developer community regarding development best practices. Inclusion in the group is moderated by core committers of the WordPress development team.
The Role of the Hosting Provider in WordPress Security
WordPress can be installed on a multitude of platforms. Though WordPress core software provides many provisions for operating a secure web application, which were covered in this document, the configuration of the operating system and the underlying web server hosting the software is equally important to keep the WordPress applications secure.
A Note about WordPress.com and WordPress Security
WordPress.com is the largest WordPress installation in the world, and is owned and managed by Automattic, Inc., which was founded by Matt Mullenweg, the WordPress project co-creator. WordPress.com runs on the core WordPress software, and has its own security processes, risks, and solutions22. This document refers to security regarding the self-hosted, downloadable open source WordPress software available from WordPress.org and installable on any server in the world.
Appendix
Core WordPress APIs
The WordPress Core Application Programming Interface (API) is comprised of several individual APIs23, each one covering the functions involved in, and use of, a given set of functionality. Together, these form the project interface which allows plugins and themes to interact with, alter, and extend WordPress core functionality safely and securely.
While each WordPress API provides best practices and standardized ways to interact with and extend WordPress core software, the following WordPress APIs are the most pertinent to enforcing and hardening WordPress security:
Database API
The Database API24, added in WordPress 0.71, provides the correct method for accessing data as named values that are stored in the database layer.
Filesystem API
The Filesystem API25, added in WordPress 2.626, was originally created for WordPress’ own automatic updates feature. The Filesystem API abstracts out the functionality needed for reading and writing local files to the filesystem to be done securely, on a variety of host types.
It does this through the WP_Filesystem_Base class, and several subclasses which implement different ways of connecting to the local filesystem, depending on individual host support. Any theme or plugin that needs to write files locally should do so using the WP_Filesystem family of classes.
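As an added example (not code from the white paper or from WordPress), this shows a plugin writing a file through the `WP_Filesystem` abstraction instead of calling PHP file functions directly, including the credential prompt on hosts where direct writes are not possible. The `demo_*` names and the export directory are hypothetical.

```php
<?php
// Added example: writing a file with the WP_Filesystem API.
// Assumes it is called from an admin screen, where the credentials form
// (for the ftpext/ssh2 transports) can be printed if needed.

function demo_write_export( $contents ) {
    global $wp_filesystem;

    require_once ABSPATH . 'wp-admin/includes/file.php';

    // On hosts where PHP can write as the site owner, the "direct" transport
    // is chosen and no credentials are required. Otherwise this prints a
    // form asking for FTP/SSH credentials and returns false.
    $form_url = admin_url( 'tools.php' );
    $creds    = request_filesystem_credentials( $form_url, '', false, false, null );
    if ( false === $creds ) {
        return false; // form has been printed; the user will resubmit it
    }

    // WP_Filesystem() instantiates the transport subclass of
    // WP_Filesystem_Base and defines FS_CHMOD_DIR / FS_CHMOD_FILE.
    if ( ! WP_Filesystem( $creds ) ) {
        request_filesystem_credentials( $form_url, '', true, false, null );
        return false; // credentials were rejected; form shown again with an error
    }

    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'demo-exports';
    if ( ! $wp_filesystem->is_dir( $dir ) && ! $wp_filesystem->mkdir( $dir, FS_CHMOD_DIR ) ) {
        return false;
    }

    // The transport writes with the permissions WordPress considers safe for
    // this host rather than whatever the PHP process default would be.
    $path = $dir . '/export-' . gmdate( 'Ymd-His' ) . '.json';
    return $wp_filesystem->put_contents( $path, $contents, FS_CHMOD_FILE );
}
```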
HTTP-API
The HTTP API27, added in WordPress 2.728 and extended further in WordPress 2.8, standardizes the HTTP requests for WordPress. The API handles cookies, gzip encoding and decoding, chunk decoding (if HTTP 1.1), and various other HTTP protocol implementations. The API standardizes requests, tests each method prior to sending, and, based on your server configuration, uses the appropriate method to make the request.
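As an added example (not code from the white paper or from WordPress) serving both the SSRF section above and this HTTP API section, the snippet fetches a user-supplied URL with `wp_safe_remote_get()`, whose `reject_unsafe_urls` option applies the loopback/private-address and port filtering described earlier, and shows how a site can enforce the same options for every outgoing request. The `demo_*` names are hypothetical.

```php
<?php
// Added example: outbound HTTP through the WordPress HTTP API.
// Assumes the normal WordPress runtime.

function demo_fetch_feed( $url ) {
    // wp_safe_remote_get() sets reject_unsafe_urls, which passes the target
    // through wp_http_validate_url(): http/https only, ports 80/443/8080
    // only, and no loopback or private addresses unless the host is the
    // site's own host.
    $response = wp_safe_remote_get( $url, array(
        'timeout'     => 5,
        'redirection' => 2,     // each redirect hop is validated again
        'sslverify'   => true,  // never disable certificate verification
        'user-agent'  => 'demo-plugin/1.0',
    ) );

    // Transport-level failures (DNS, TLS, rejected URL) come back as WP_Error.
    if ( is_wp_error( $response ) ) {
        return new WP_Error( 'fetch_failed', $response->get_error_message() );
    }
    $code = (int) wp_remote_retrieve_response_code( $response );
    if ( 200 !== $code ) {
        return new WP_Error( 'bad_status', 'Unexpected HTTP status ' . $code );
    }
    // Check the content type before handing the body to a parser.
    $type = wp_remote_retrieve_header( $response, 'content-type' );
    if ( false === strpos( strtolower( $type ), 'xml' ) ) {
        return new WP_Error( 'bad_type', 'Expected an XML feed' );
    }
    return wp_remote_retrieve_body( $response );
}

// Site-wide hardening: http_request_args sees every request made through
// the HTTP API, so these options are enforced even for plugins that call
// wp_remote_get() directly without them.
add_filter( 'http_request_args', function ( $args, $url ) {
    $args['sslverify']          = true;
    $args['reject_unsafe_urls'] = true;
    return $args;
}, 10, 2 );
```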
Permissions and Current User API
The permissions and current user API29 is a set of functions which will help verify the current user’s permissions and authority to perform any task or operation being requested, and can protect further against unauthorized users accessing or performing functions beyond their permitted capabilities.
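As an added example (not code from the white paper or from WordPress), also relevant to the A4 section on direct object references, the snippet checks capabilities rather than role names and uses an object-level (meta) capability so that a numeric id in a request only grants access the permission system allows. The `demo_*` names and the `view_demo_reports` capability are hypothetical.

```php
<?php
// Added example: capability checks with the permissions / current user API.
// Assumes it lives in a plugin's main file on a WordPress site.

// Object-level check: edit_post is a meta capability that WordPress maps
// (via map_meta_cap) to edit_posts, edit_others_posts or
// edit_published_posts depending on the post's owner and status. One call
// therefore enforces the whole policy for the id taken from the request.
function demo_can_edit_report( $post_id ) {
    return current_user_can( 'edit_post', (int) $post_id );
}

// The same question about a user other than the current one.
function demo_user_can_edit_report( $user_id, $post_id ) {
    return user_can( (int) $user_id, 'edit_post', (int) $post_id );
}

// AJAX handler that receives a post id: deny unless the capability check
// passes, regardless of how the id was obtained. check_ajax_referer()
// adds the nonce check for the request's intent.
function demo_ajax_update_report() {
    check_ajax_referer( 'demo_update_report', 'nonce' );
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    if ( ! $post_id || ! demo_can_edit_report( $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $summary = isset( $_POST['summary'] ) ? sanitize_text_field( wp_unslash( $_POST['summary'] ) ) : '';
    update_post_meta( $post_id, 'demo_summary', $summary );
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
add_action( 'wp_ajax_demo_update_report', 'demo_ajax_update_report' );

// A custom capability granted to a role on activation and then required by
// an admin menu page. Code checks the capability, not the role name, so a
// site owner can reassign it without touching the plugin.
register_activation_hook( __FILE__, function () {
    $role = get_role( 'editor' );
    if ( $role ) {
        $role->add_cap( 'view_demo_reports' );
    }
} );

add_action( 'admin_menu', function () {
    add_menu_page( 'Reports', 'Reports', 'view_demo_reports', 'demo-reports', 'demo_reports_page' );
} );

function demo_reports_page() {
    // add_menu_page() already hides the page from users without the
    // capability; the explicit check guards direct requests to the URL.
    if ( ! current_user_can( 'view_demo_reports' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    echo '<h1>' . esc_html__( 'Reports', 'demo' ) . '</h1>';
}
```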
White Paper Content License
The text in this document (not including the WordPress logo or trademark) is licensed under CC0 1.0 Universal (CC0 1.0) Public Domain Dedication. You can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.
A special thank you to Drupal’s security white paper, which provided some inspiration.
Additional Information
- WordPress News https://wordpress.org/news/
- WordPress Security Releases https://wordpress.org/news/category/security/
- WordPress Developer Resources https://developer.wordpress.org/
Written by Sara Rosso
Contributions from Barry Abrahamson, Michael Adams, Jon Cave, Helen Hou-Sandí, Dion Hulse, Mo Jangda, Paul Maiorana
Version 1.0 March 2015
Footnotes
- [1] https://w3techs.com/, as of March 2017
- [2] https://make.wordpress.org/core/handbook/about/release-cycle/
- [3] Andrew Nacin, WordPress lead developer, https://vip.wordpress.com/security
- [4] https://wordpress.org/news/2014/08/wordpress-3-9-2/
- [5] https://codex.wordpress.org/Security_FAQ
- [6] https://wordpress.org/news/
- [7] https://wordpress.org/news/2013/10/basie/
- [8] https://www.owasp.org/index.php/Top_10_2013-Top_10
- [9] https://developer.wordpress.org/plugins/security/
- [10] https://codex.wordpress.org/Data_Validation#HTML.2FXML
- [11] https://codex.wordpress.org/Hardening_WordPress
- [12] http://www.openwall.com/phpass/
- [13] https://developer.wordpress.org/plugins/security/nonces/
- [14] https://wordpress.org/news/2013/06/wordpress-3-5-2/
- [15] https://make.wordpress.org/core/2013/06/21/secure-swfupload/
- [16] https://developer.wordpress.org/reference/functions/wp_safe_redirect/
- [17] https://wordpress.org/plugins/about/guidelines/
- [18] https://developer.wordpress.org/themes/getting-started/
- [19] https://codex.wordpress.org/Theme_Review
- [20] https://codex.wordpress.org/Theme_Unit_Test
- [21] https://wordpress.org/plugins/theme-check/
- [22] https://automattic.com/security/
- [23] https://codex.wordpress.org/WordPress_APIs
- [24] https://codex.wordpress.org/Database_API
- [25] https://codex.wordpress.org/Filesystem_API
- [26] https://codex.wordpress.org/Version_2.6
- [27] https://codex.wordpress.org/HTTP_API
- [28] https://codex.wordpress.org/Version_2.7
- [29] https://codex.wordpress.org/Function_Reference/current_user_can