WordPress has a terrific, safe, and ethical approach to security when it comes to plugins. Their process has been put in place to protect the integrity of their ecosystem, as well as protect its users from becoming targets when vulnerabilities are discovered.
It’s pretty straightforward–if WordPress detects any security risks in a plugin residing in the repository, the protocol is to:
- Remove the plugin from the repository temporarily to prevent further downloads
- Notify the developers of the plugin privately so they can make the necessary changes
- Review any changes made by the developer to ensure the threat has been fixed
- Restore the plugin's repository listing
As such, many security professionals in the WordPress space have adopted a similar set of protocols when they discover plugin or theme vulnerabilities.
On March 21 an unnamed individual discovered a security vulnerability in Social Warfare that our team missed. Instead of going the ethical route of privately disclosing this vulnerability to the Warfare Plugins team, this individual publicly published the details of the vulnerability, as well as a means by which to take advantage of it on unsuspecting websites using Social Warfare.
Almost immediately hackers began exploiting the information published, attacking any website they could find using Social Warfare. The nature of the exploit allowed hackers to inject malicious script into a webpage and cause all traffic to the site to be redirected to anywhere they wanted.
This scenario is what’s known as a Zero-Day exploit—where a security vulnerability is found and taken advantage of before the developers of the software being exploited are made aware of it or given time to fix it.
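The redirect injection described above is the kind of tampering a site owner needs to find and undo after an incident like this. The following scanner is an added example written for this post, not code from Warfare Plugins or the Social Warfare plugin: it walks constructed sample rows standing in for wp_posts and wp_options content, flags script tags whose body performs a browser-side redirect or whose src points at a host outside a trusted list, and can strip only the flagged tags while leaving legitimate scripts alone. The sample rows, the evil.example hosts and the regular expressions are all assumptions for illustration; the page itself does not say where the injected script was stored.

```python
"""Scan WordPress-style content for injected redirect scripts (added example)."""
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlparse

Row = Tuple[str, str, str]  # (table, identifier, stored HTML/text)

# Constructed sample rows standing in for wp_posts / wp_options content.
# These are illustrative only, not data recovered from the incident.
SAMPLE_ROWS: List[Row] = [
    ("wp_posts", "post:12", "<p>Welcome to our site.</p>"),
    ("wp_options", "widget_text",
     "<script>window.location.href='https://evil.example/landing';</script>"),
    ("wp_posts", "post:15",
     '<p>Read more</p><script src="https://cdn.evil.example/r.js"></script>'),
    ("wp_options", "blogdescription", "Just another site"),
    ("wp_posts", "post:20",
     "<script>document.querySelector('#menu').classList.add('open');</script>"),
]

# Group 1: attributes of the opening tag; group 2: the inline body.
SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>",
                           re.IGNORECASE | re.DOTALL)
SRC_ATTR_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# Coarse heuristic for browser-side redirects; tune for your own content.
REDIRECT_RE = re.compile(
    r"(?:window|document|top|self)\.location|\blocation\.(?:href|replace|assign)",
    re.IGNORECASE,
)


def classify_script(attrs: str, body: str, trusted_hosts: Iterable[str]) -> str:
    """Return 'redirect', 'external' or '' for one <script> tag."""
    if REDIRECT_RE.search(body):
        return "redirect"
    src = SRC_ATTR_RE.search(attrs)
    if src:
        host = (urlparse(src.group(1)).hostname or "").lower()
        if host and host not in {h.lower() for h in trusted_hosts}:
            return "external"
    return ""


def find_suspicious_scripts(rows: Iterable[Row],
                            trusted_hosts: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Report every script tag in the rows that looks injected."""
    trusted = tuple(trusted_hosts)
    findings: List[Dict[str, str]] = []
    for table, ident, value in rows:
        for m in SCRIPT_TAG_RE.finditer(value):
            reason = classify_script(m.group(1), m.group(2), trusted)
            if reason:
                findings.append({"table": table, "id": ident,
                                 "reason": reason, "snippet": m.group(0)[:80]})
    return findings


def scrub(value: str, trusted_hosts: Iterable[str] = ()) -> str:
    """Remove only the script tags that classify as suspicious."""
    trusted = tuple(trusted_hosts)
    return SCRIPT_TAG_RE.sub(
        lambda m: "" if classify_script(m.group(1), m.group(2), trusted) else m.group(0),
        value,
    )


if __name__ == "__main__":
    for f in find_suspicious_scripts(SAMPLE_ROWS, trusted_hosts=["cdn.example.com"]):
        print(f"{f['table']} {f['id']}: {f['reason']} -> {f['snippet']}")
```

Run the findings first and review them before scrubbing anything: the patterns are deliberately broad, so a theme's own inline script that navigates on a button click would also be flagged, and a real cleanup should work from a database backup with the flagged rows logged.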
In the spirit of transparency, and for a better view of the timeline of events on March 21, the following will show (in Eastern Standard Time) how quickly everything transpired.
02:30 PM (approx.) – An unnamed individual published the exploit for hackers to take advantage of. We don’t know the exact time of the release because the individual has hidden the publishing time. Attacks on unsuspecting websites begin almost immediately.
02:59 PM – WordPress discovers the publication of the vulnerability, removes Social Warfare from the WordPress.org repository, and emails our team about the issue.
03:07 PM – In a responsible, respectable way, WordFence publishes their discovery of the publication and vulnerability, giving no details about how to take advantage of the exploit.
03:43 PM – Every member of the Warfare Plugins team is brought up to speed, given tactical instructions, and begins taking action on the situation in each respective area: development, communications, and customer support.
04:21 PM – A notice saying that we are aware of the exploit, along with instructions to disable the plugin until patched, was posted to Twitter as well as to our website.
05:37 PM – Warfare Plugins development team makes final code commits to patch the vulnerability and undo any malicious script injection that was causing sites to be redirected. Internal testing begins.
05:58 PM – After rigorous internal testing, and sending a patched version to WordPress for review, the new version of Social Warfare (3.5.3) is released.
06:04 PM – Email to all Social Warfare – Pro customers is sent with details of the vulnerability, and instructions on how to update immediately.
All in all, the time from learning of the vulnerability to releasing a patch was approximately 3.25 hours.
Once this update was released, our development team didn’t stop working. They performed a full security sweep of the codebase and began fortifying the overall security of the plugin. No other vulnerabilities were discovered, but we did find a few spots where security could be tightened. Once this new set of updates was finished and thoroughly tested, Social Warfare 3.5.4 was released a few days later on March 25.
Where We Failed
As the team behind Social Warfare, we failed on a few levels and feel terrible. We can never express how incredibly sorry we are, especially to our customers, our free users, and our fans.
This attack was not just an attack on our business but on the livelihoods of all of you.
Like us, you all have families to support. When the attackers began taking advantage of our users, we saw it as a personal attack on your families.
Our first failure was not discovering the vulnerability before anyone else. There is no excuse; we should have been better. To prevent this from happening again, our development team has spent significant time researching and learning how to keep up with security advancements and stay ahead of emerging hacking methodologies.
Our second failure was not seeing the email from WordPress.org sooner. It’s unfortunate that the email was sent to my inbox and I happened to be in San Diego speaking at a conference that day—unable to check my email. To prevent this from happening, the WordPress.org team has agreed to email multiple addresses in the event that something like this happens in the future, ensuring that if one person is away, another will be available.
Appreciating the Integrity of Reputable Professionals
We are incredibly grateful for the integrity and professionalism of two organizations who helped us tackle these attacks as quickly as we did.
First, the WordPress.org plugin review team, specifically Otto and Mika, who have both been instrumental in helping us address issues throughout our time in the WordPress repo.
And secondly, the team at WordFence. We’re incredibly impressed with their professionalism and their quick action when it comes to WordPress security. In the last year they’ve identified vulnerabilities in more than 15 popular WordPress plugins allowing users to take swift action in protecting their sites.
Even if you’re not a WordFence user, we highly recommend subscribing to their blog as they are the best in class for WordPress security news.
Lessons for WordPress Users
It’s abundantly clear that keeping your plugins updated regularly is no longer optional. Malicious third parties are continually looking for new ways to exploit WordPress sites for their own gain.
The person responsible for releasing the information attackers needed in our case has been doing so for a long time. A user named xorloop has documented this twisted vendetta which has resulted in the exploitation of hundreds of thousands of WordPress sites. It doesn’t take much research to discover the identity of the individual responsible and take legal action against him. Until someone does, however, he will continue his reign of digital terror on the WordPress community.
So please keep your websites updated, and as secure as possible.
Where We Go from Here
It can’t be said enough how deeply sorry we are for those of you who were targeted in this malicious attack. This has truly been one of the most challenging experiences in the nearly 5 years since we started.
We promise that we will only let this fuel our fire to become better. We will continue to fight for you, ensuring you not only have the best social sharing plugin around, but you have the safest social sharing plugin around.
Thank you to those of you who stood by us and were understanding in the events of what we’re calling Z-Day 2019. Many of you reached out, encouraging us, letting us know you understood what we were going through. We had many people commend us for our quick turn-around despite us feeling like it should have been faster.
To all of you who had our backs in this time, thank you! We treasure you.