When your entire livelihood is online, security is always on your mind. Every day, a new company falls prey to a malicious attack. Sometimes it’s due to a vulnerability in a plugin; other times a weak password is the culprit. The way it happens doesn’t matter; it’s the aftermath that people remember.
There’s a segment of people out there who are afraid to use WordPress because of attacks that occurred years ago. Though things move quickly, the internet rarely forgets. But are these fears justified? The answer is a resounding no.
Since 2008, WordPress has made tremendous strides to ensure that the core software is as secure as possible. With continuous updates and diligent security reporters, there hasn’t been a major breach in some time. A huge part of this has been due to the efforts of the WordPress security team, and more specifically, Security Czar, Aaron Campbell.
Since taking over the project, Campbell has made huge progress in making it easier to report and squash bugs.
Recently, the WordPress security team announced that they are now using HackerOne, a platform for finding and reporting bugs. By using the tools provided by HackerOne to identify potential problems, the WordPress security team can focus instead on fixing anything that does arise.
These programs put the focus on keeping WordPress as secure as possible. While attacks may still happen, they will be fixed faster.
“We show how important security is to us by bringing our reporting process to where the hackers (security researchers) are. By allowing hackers to report issues to us using tools that they’re already familiar with or already use, we make it easier on them,” Campbell said.
The partnership is going to make it even easier for reporters to get problems fixed faster. According to Campbell, “we hope to improve on our communication with reporters. We’ve already integrated HackerOne with our private security Slack channel, which allows all of us to see important messages and makes it easier for anyone to pick up a ticket and correspond with a reporter.”
This will also save time responding to common bugs that don’t need immediate attention. However, this doesn’t mean that the team no longer needs help in identifying and disclosing vulnerabilities. In fact, reporters can now win a bug bounty for finding problems.
The bounties are a huge leap forward in encouraging people to disclose security bugs in a responsible way.
“We want to encourage people to report issues to us responsibly, which means bringing it to us first, in a non-public arena, and not disclosing to anyone else until the fix has been rolled out to users. Bounties let us encourage this behavior by rewarding people for doing it right and for helping us keep WordPress secure,” Campbell said.
Campbell’s WordPress story begins like many others. He began using the CMS in 2004 and took on clients in 2007. After a problem arose, Campbell decided to try his hand at fixing it within WordPress itself.
“The next day found me on IRC learning about Trac, coding standards, how to generate a diff to create a patch, and what the process looked like. Mark Jaquith was one of the people that helped walk me through it all, and committed the patch into WordPress when it was ready,” Campbell said.
From there he was hooked. “It was an extremely small fix, but the feeling of giving back to help others that used the software – well – it resonated with me,” Campbell said. The patch shipped in WordPress 2.3, and he has contributed to every release since.
The larger his client base grew, the more he got involved with WordPress security. When the role of Security Czar became available, Campbell saw it as the perfect way to continue to help improve the CMS.
The security team will continue to make sure the CMS is as secure as possible. Because the WordPress platform is so full-featured, there are always more hurdles to jump when dealing with security.
“I’d like to see the WordPress security team help with the security of those plugins and themes as well. The ultimate goal is to keep all WordPress users as secure as possible and protecting their whole site, rather than just one part of it, would be a big win,” Campbell said.
Not only are Campbell and the team making WordPress more secure for users, they are also trying to bring more people to the CMS. Improving the reputation of WordPress will bring in more users and continue to strengthen the platform’s already considerable reach.
“New features are fantastic and important, but so are security and stability. As a project, when we get all three of those right, we make the web a better place,” Campbell said.