
Are Your WordPress Sites Really Isolated From Each Other?

Let's talk about why site isolation is important and why you should make sure to choose a hosting provider that does this properly.

I’ve touched on the topic of site isolation before, in an article covering server-level security. Some time ago Vladimir Smitka, a well-known Czech security researcher in the WordPress ecosystem, released a teaser of his upcoming series in which he evaluated the security of 12 popular WordPress hosting panels.

His objective was to “perform an unauthorized modification of one site on the server from another controlled site, essentially breaking site isolation.” It’s a great reminder of why site isolation is important and why you should make sure to choose a hosting provider that does this properly.
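You can run the same test yourself on a host you control. The script below is an added example written for this article; it is not code from the original post or from Smitka’s research. Run it as the PHP/FPM system user of one site (for example `sudo -u site-a python3 probe.py /var/www site-a`): it tries to read every other site’s wp-config.php and to drop a file into every other site’s wp-content directory, which is exactly the unauthorized cross-site modification the research set out to perform. The /var/www one-directory-per-site layout, the site names and the constructed demo tree are assumptions, so adapt the paths to your panel.

```python
"""Probe whether one site's system user can reach sibling sites on the same host.

Added example for this article, not code from the original post or from
Vladimir Smitka's research. SITE_ROOT and the one-directory-per-site layout
are assumptions about the host; run as the PHP/FPM user of ONE site.
"""
from __future__ import annotations

import os
import pwd
import tempfile
from collections import defaultdict
from dataclasses import dataclass

SITE_ROOT = "/var/www"  # assumed: /var/www/<site>/wp-config.php and /var/www/<site>/wp-content/


@dataclass
class Finding:
    site: str
    owner: str       # user owning wp-config.php, "?" if the file is missing
    readable: bool   # we could open wp-config.php (DB credentials, auth salts)
    writable: bool   # we could create a file in wp-content/ (the "unauthorized modification")


def _owner_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def probe_site(site_dir: str) -> Finding:
    """Attempt to read the site's config and to drop a file into its wp-content."""
    site = os.path.basename(site_dir.rstrip("/"))
    cfg = os.path.join(site_dir, "wp-config.php")
    try:
        owner = _owner_name(os.stat(cfg).st_uid)
    except OSError:
        owner = "?"

    readable = False
    try:
        with open(cfg, "rb") as fh:
            fh.read(1)
        readable = True
    except OSError:
        pass

    writable = False
    marker = os.path.join(site_dir, "wp-content", ".isolation-probe")
    try:
        with open(marker, "x") as fh:   # "x": never clobber an existing file
            fh.write("probe\n")
        writable = True
        os.unlink(marker)               # the successful attempt is the evidence; clean up
    except OSError:
        pass
    return Finding(site, owner, readable, writable)


def probe_all(root: str = SITE_ROOT) -> list[Finding]:
    dirs = sorted(d for d in os.listdir(root) if os.path.isdir(os.path.join(root, d)))
    return [probe_site(os.path.join(root, d)) for d in dirs]


def cross_site_access(findings: list[Finding], own_site: str) -> list[str]:
    """Sibling sites whose config we could read or whose wp-content we could write."""
    return [f.site for f in findings if f.site != own_site and (f.readable or f.writable)]


def shared_owners(findings: list[Finding]) -> dict[str, list[str]]:
    """System users owning more than one site: a sign per-site users are not in use."""
    by_owner: dict[str, list[str]] = defaultdict(list)
    for f in findings:
        if f.owner != "?":
            by_owner[f.owner].append(f.site)
    return {u: sites for u, sites in by_owner.items() if len(sites) > 1}


def report(root: str, own_site: str) -> int:
    """Print a per-site table; a return value of 1 means isolation is broken."""
    findings = probe_all(root)
    me = _owner_name(os.geteuid())
    for f in findings:
        print(f"{f.site:<20} owner={f.owner:<12} read={f.readable!s:<5} write={f.writable}")
    for user, sites in shared_owners(findings).items():
        print(f"WARN user {user!r} owns several sites: {', '.join(sites)}")
    reached = cross_site_access(findings, own_site)
    if reached:
        print(f"FAIL as {me!r} from {own_site!r} we reached: {', '.join(reached)}")
        return 1
    print(f"OK   {own_site!r} ({me}) cannot read or write any sibling site")
    return 0


def build_sample_layout() -> str:
    """Constructed demo tree, all owned by the caller, so isolation is trivially broken."""
    root = tempfile.mkdtemp(prefix="sites-")
    for site in ("site-a", "site-b"):
        os.makedirs(os.path.join(root, site, "wp-content"))
        with open(os.path.join(root, site, "wp-config.php"), "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
    os.makedirs(os.path.join(root, "site-c"))   # half-provisioned: no config, no wp-content
    return root


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        sys.exit(report(sys.argv[1], sys.argv[2]))
    sys.exit(report(build_sample_layout(), "site-a"))  # demo run on the constructed tree
```

On a properly isolated host every sibling row should show `read=False write=False` and no WARN line; a readable wp-config.php alone is already enough, since it hands over the sibling’s database credentials. The probe only exercises filesystem permissions; a host can still leak through a shared database user, a shared PHP-FPM pool or a container with broad mounts, so treat a clean result as necessary rather than sufficient.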

Site isolation broken in 11 of our 12 cases

With “moderate” skills in system administration and security, it was possible to break the isolation with basic techniques that exploit well-known configuration vulnerabilities.

The testing was done on the following services: Serveravatar, Enhance.com, InstaWP, xCloud.host, GridPane, Ploi, Cloudways, RunCloud, FlyWP, Cloudpanel, SpinupWP, and Forge.

While some of the providers fixed the issues immediately, others have been investigating them for months and still have not fixed them at the time of writing. Some straight up don’t care, or call it “a feature, not a bug”.

A great insight from his research is that even though many hosts refer to Docker as a silver bullet for site isolation, putting each site in a container does not by itself guarantee that the sites are isolated; the containers still have to run with separate users, separate mounts and minimal privileges, and a misconfigured container environment breaks isolation just as a misconfigured shared server does.

Attitude towards security should not go unnoticed

This is something that we deal with at Patchstack on a daily basis. As the leading WordPress security intelligence provider, we process the largest volume of security reports affecting WordPress core, plugins, and themes.

The worst and most time-consuming cases are mostly not the ones where a vulnerability is incredibly severe, but the ones where the developers’ attitude towards security is questionable. Some try to ignore the issue for as long as possible, then blame others, and eventually censor and hide it from the public.

This kind of attitude should not go unnoticed, even when the security issue is trivial and not severe. Taking quick action, making improvements, and communicating transparently also shows how the provider would act when a more serious issue is reported to them.

Practicing the security incident response process on low-severity issues should be seen as a great opportunity to build better processes and increase trust with users. Failing to do so will eventually have a negative security impact on end users.

Conclusion

WordPress websites should always be isolated from each other. Unfortunately, even though many hosting companies claim to do so, poor configurations and vulnerabilities in the hosting environments are more common than one might think.

Make sure to read his full article here: https://smitka.me/2024/06/03/teaser-vladimir-vs-hosting-industry/
