Who’s Right? Network Solutions Or Matt

I haven’t had the time to write about much WordPress news lately but after reading the post published on the WordPress developer blog regarding Network Solutions, it might have been for the best.

There have been a number of WordPress based sites hosted on Network Solutions that have had their databases compromised but overall, the issue was not directly targeted at the company. There has also been an ongoing discussion in the WordPress Tavern forums regarding all of the information surrounding the attacks. I’ve been keeping an eye on my feedreader to view the thoughts and opinions of many different websites all following and reporting on the story and if you didn’t know any better, you’d think there was a major exploit in WordPress 2.9.2. As Matt points to in the dev blog post, many websites reported this as a WordPress security issue.

However, Matt’s response is in direct conflict with what Network Solutions has stated. First, Matt’s response.

WordPress, like all other web applications, must store database connection info in clear text. Encrypting credentials doesn’t matter because the keys have to be stored where the web server can read them in order to decrypt the data. If a malicious user has access to the file system — like they appeared to have in this case — it is trivial to obtain the keys and decrypt the information. When you leave the keys to the door in the lock, does it help to lock the door?

What Network Solutions has stated:

Although this issue is not with our hosting servers, we can help you clean this issue up and restore your site to a previous backup. However, this may not guarantee that the issue will not occur again. We are working with the WordPress community and affected Network Solutions customers to help determine which WordPress theme or plugin that may be causing this issue and we will update this post as we learn more.

We continue to look out for our customers and our security team is reviewing logs to determine which WordPress instance or plugin may need to be fixed. We have also been working with experts in the WordPress community on this issue.

It will be interesting to see if anyone from Network Solutions will come out and vouch for it being a permissions issue that caused all of the problems. Until then, we won’t know for sure if that was the case. Andrew Nacin, who is also one of the core developers of WordPress, has requested that a proper explanation be given that sets the record straight.

There are two posts in the Tavern forum thread that I wanted to bring to light here that might help others when it comes to directory and file permissions.

ChipBennett – So, I’m not experienced with administrating shared server environments. Wouldn’t setting wp-config to 0640 prevent this attack, even if all else were held equal? (Apparently, only WordPress installs for which wp-config.php was 755 were getting compromised.)

Otto – 640 or 750 indeed prevents this.

The reason WP doesn’t check for that is two-fold:

1. On a standard server with a basic and straightforward configuration, the site will fail with 640/750 on wp-config, because Apache won’t have rights to read the file. For 640/750 servers, you must be running suPHP for it to work. suPHP lets Apache run with the user credentials. Many, many hosts don’t run with suPHP.

2. On a single-site box (dedicated), you don’t need to worry about other users reading your files, since hopefully you have no other users. So requiring esoteric configurations makes that setup harder.

Basically, shared hosts *NEED* to run suPHP in order to be secure. suPHP prevents webapp attacks from moving outside their personal sandbox, and it allows users to set xx0 file permissions to eliminate other users on the box from reading their files.

But, suPHP is not the default configuration, so unless the host knows their stuff, they don’t do that sort of thing.
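The distinction Otto draws between world-readable modes and 640/750, together with the point raised in the first comment below about hosts where every account shares one group, can be checked with a short audit. This is an added example, not code from the post or the forum thread; the function names and the constructed demo tree are assumptions, and it relies only on POSIX `find -perm` tests.

```shell
#!/bin/sh
# Audit wp-config.php permission bits under a directory tree.
# Added illustration: function names and the demo tree are hypothetical.

# classify_mode PATH -> WORLD_READABLE | GROUP_READABLE | OWNER_ONLY
# Uses mode bits only (find -perm), so the result does not depend on
# which account runs the audit.
classify_mode() {
    f=$1
    if [ -n "$(find "$f" -prune -perm -004 -print)" ]; then
        echo WORLD_READABLE      # e.g. 755 or 644: any account can read it
    elif [ -n "$(find "$f" -prune -perm -040 -print)" ]; then
        echo GROUP_READABLE      # e.g. 640: safe only if the group is private
    else
        echo OWNER_ONLY          # e.g. 600: needs PHP running as the owner
    fi
}

# audit_wp_configs ROOT -> one "VERDICT path" line per wp-config.php found
audit_wp_configs() {
    root=$1
    find "$root" -type f -name wp-config.php -print |
    while IFS= read -r f; do
        printf '%s %s\n' "$(classify_mode "$f")" "$f"
    done
}

# count_exposed ROOT [yes|no] -> number of files other accounts can read.
# Pass "yes" when every hosting account is in the same Unix group, in
# which case group-readable is as exposed as world-readable.
count_exposed() {
    root=$1
    shared_group=${2:-no}
    audit_wp_configs "$root" | {
        n=0
        while read -r verdict _path; do
            case $verdict in
                WORLD_READABLE)
                    n=$((n + 1)) ;;
                GROUP_READABLE)
                    if [ "$shared_group" = yes ]; then n=$((n + 1)); fi ;;
            esac
        done
        echo "$n"
    }
}

# make_demo_tree -> path of a constructed tree with three sample sites.
# The files hold no credentials; only their modes matter here.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    for site in site-a site-b site-c; do
        mkdir -p "$d/$site"
        echo "<?php // constructed sample, no real credentials" \
            > "$d/$site/wp-config.php"
    done
    chmod 755 "$d/site-a/wp-config.php"   # mode reported on compromised installs
    chmod 640 "$d/site-b/wp-config.php"   # mode discussed for suPHP hosts
    chmod 600 "$d/site-c/wp-config.php"   # owner only
    echo "$d"
}

# Stand-alone use: sh audit.sh /path/to/webroots
if [ $# -gt 0 ]; then
    audit_wp_configs "$1"
fi
```

A file reported as GROUP_READABLE or OWNER_ONLY only keeps the site working when PHP runs as the file's owner, which is the suPHP condition described above.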

I’m also going to link to the following articles as they contain some great information regarding WordPress sites being hacked and how to harden the software.

Top 5 WordPress Security Tips You Most Likely Don’t Follow

There is an aside to this entire series of events. While Network Solutions was doing an admirable thing keeping their customers updated via a public blog, other agencies picked up on the news and, considering it’s a blog for a known webhosting company, took their facts at face value. This was like a bad wildfire that kept spreading until the official WordPress development blog post was published today, putting a damper on those flames. I was very close to writing about the security issues being reported and if I did, I would have linked to the relevant articles and I probably would have added fuel to the fire. I wonder if Network Solutions should have kept their customers updated through a different method than one that was so public. Also, none of the articles that I read concerning these security events quoted Mark Jaquith or Matt Mullenweg confirming that there was a specific issue related to the WordPress software. Mark did give a rule of thumb to Network Solutions regarding permissions.

“the most restrictive permissions that still work.” File permissions vary from server setup to server setup. Generally, “644” is recommended for wp-config.php. For public_html, it is usually 755.

Let’s keep an eye on the Network Solutions blog to see what they say.


33 responses to “Who’s Right? Network Solutions Or Matt”

  1. As good practice, setting the proper file permissions sounds good, but on poorly configured shared servers, it seems that file permissions offer little to no protection. On the related thread, someone pointed out that on some hosts all users belong to the same group (thereby making “group readable” and “readable by everyone” the same thing.)

    Shared hosts bear the responsibility of segregating users, leaving file permissions for users of the same site (i.e. multiple ftp users of http://www.example.com). Users of http://www.mysite.com shouldn’t be able to see files of http://www.example.com or vice-versa if properly configured. These are server settings that make the concern about file permissions moot.

    The alternative (that shouldn’t be considered) is to make WordPress simply not run on servers without very specific settings… And I’m sure there’s no reasonable way WordPress can determine those settings.

    The most that can be done is to recommend users set the proper settings on wp-config after it is created (WP has to create the file because again on some servers WP would lack privilege to edit the file unless it created it), perhaps also downloading, deleting and uploading the file to (hopefully) assume ownership from the “php”/“web” user, and pray that other users of the shared environment don’t share the same group privileges.

    There’s really no way around having a properly set up server.

    Tho if you don’t have multiple ftp users, and you do have suPHP (PHP running as your user credentials), you can set permissions to 700 and 600 to disallow groups and everyone else.

  2. Network Solutions’ post cast some vague aspersions at WordPress:

    “We continue to look out for our customers and our security team is reviewing logs to determine which WordPress instance or plugin may need to be fixed. We have also been working with experts in the WordPress community on this issue.”

    So, without specifying exactly what the supposed problem with WordPress is, they have squarely pointed the finger at WordPress or some WordPress plugin. To back up their spin, they claim to be “working with experts in the WordPress community”.

    Yeah. Sure.

    Here’s the deal:

    1. If you use shared hosting, any shared hosting, you are not only at the mercy of other people’s decisions, always a bad idea, you are also ALWAYS going to be fighting a losing battle against the company’s two main imperatives: to stick as many people as possible onto one server and to pay as little as possible for server admins who know how to monitor what happens on that server.

    2. Companies like Network Solutions, to whom hosting is merely a ludicrously profitable sideline that they stumbled upon accidentally in the wake of their ludicrous good luck in being handed the monopoly on domains, do not give a merry damn about the well-being of their hosting customers. As large corporations they do, however, know, deep in their DNA, that when a problem crops up, it is ALWAYS a smart idea to shift the blame elsewhere. So, despite the fact that this specific problem only affects their customers, they blame WordPress, which is used, without this specific problem, by pretty much every other host in the world.

    So, Jeffro, you’re going to ask who might be right in this particular spat, Network Solutions or Matt?


  3. Of course this is Network Solutions’ fault, upload a simple PHP terminal script and snoop around /data, you can cat pretty much any wp-config you can find. This was actually found ~6 months ago by NetSol techs, and reported to upper mgmt. This issue is not limited to WordPress either. Same goes for any type of CMS, Joomla, Drupal, whatever.
    Also, I would like to add that using this method, file permissions DO NOT MATTER…. I repeat file perms DO NOT MATTER AT ALL, the only files you cannot get into are ones that are owned by root.

  4. @Viper007Bond But in a shared hosting environment like Network Solutions offers, you’re probably not in the “properly configured environment” that you think you’re in.

    It’s important to remember there are at least hundreds of other users on a shared machine, and Network Solutions still does not appear to have gotten their databases working as well as some of the more proxy-style hosts, like 1and1. 1and1 may have the worst technical support, but their MySQL is locked down properly. Network Solutions has released blog statements, support responses, etc., over the past year or two saying things such as “our database performance isn’t where we’d like it to be.”

    Also, on another opinionated note, I really love the WordPress dashboard — pretty darn intuitive, the editor is clean and easy, image inserts are top notch, etc — but the WordPress security has proved it’s not up to par with other big CMS systems like Drupal. I really look forward to the coming years where WordPress is locked down properly “out of the box” and Drupal’s editing system is as easy to use as WordPress.

  5. @donnacha | WordSkill – I know you have a big hate stick for shared webhosts, but it’s not like some of the problems you mention do not affect other types of hosting services as well that don’t require overselling and such. I mean, what if I moved WPTavern to a VPS and I continued to experience problems? What would be the argument then? Purchase my own server equipment and then have it co-located?

    I understand the risks involved with shared hosting but in reality, my two years with AnHosting were pretty much trouble free. I had a great experience with them. Now I’m on HostGator and so far, so good. I don’t think you can accurately have a blanket statement that all shared webhosting providers are bad. Many are bad but not all of them.

  6. @Charlie…the WordPress security has proved it’s not up to par with other big CMS systems like Drupal.

    As I pointed out in my comments on the ZDNet story, this was not a WordPress-specific problem — the attacker could have targeted Drupal’s settings.php file just as easily. Drupal stores the database connection credentials in plaintext, as well. Just like almost every web application out there.

    As Matt pointed out on the dev blog, the web server has to be able to get the database connection credentials from somewhere. Anybody who is able to run web code in the same sandbox as you is going to be able to sniff that information somehow. The solution to this problem has everything to do with how the web server and OS are configured, and pretty much nothing to do with WordPress itself.

    In a shared hosting environment, the hosting provider must do everything possible to isolate users from each other, and prevent one user from gaining access to another user’s files, no matter what avenue they might try to go through. Typically, this is done through ‘chroot’ or ‘jailed’ environments.

  7. Honestly, this kind of article bugs me because it does more to fan the flames of WordPress controversy than actually look for core issues. It’s not about the technical underpinnings of what’s happening, though it appears to be. It’s really a bit of cheap armchair gamesmanship by taking superficial press releases and setting them up in a brawl.

    I don’t even think it’s done with intentional malice, it’s just the same kind of thing as you get from any sports commentator show where the talking about the drama of the game is the focus rather than the actual playing of the game.

    A good article would be to actually understand and describe what a good security architecture of a shared host is, and how Network Solutions and WordPress need to be configured to meet that goal and where the actual failings happened. Interview the parties, asking probing questions of what the architecture is and why, rather than just bickering over some press releases (both of which are bad PR, IMO). Of course, to do that requires actually knowing what the best practices are so that the right questions can even be asked.

  8. @Jeffro

    I know you have a big hate stick for shared webhosts ….

    Jeff, I think that it is unfair and, if you don’t mind my being blunt, self-deceptive of you to write off what I am saying as some sort of personal vendetta that I have against shared hosting, just because you have made a financial decision to build your business upon a shared environment.

    My “big hate stick” is for ANY product that deliberately gives customers a false impression about what they are actually buying and, yeah, shared hosting is a fundamentally scammy, high-profit industry designed to harvest people who either don’t care or don’t understand what they’re getting.

    … but it’s not like some of the problems you mention do not affect other types of hosting services as well

    Actually, the key problem I identified was that being at the mercy of other people’s decisions is always a bad idea and, yes, the main advantage of a dedicated server or, to a lesser extent, a VPS is that you have more control over your security, you can do the simple things that need to be done and know that responsibility for it isn’t being outsourced to some clueless, underpaid kid who knows that no-one is ever going to check his work or, if problems do crop up, knows he can blame it on WordPress.

    I understand the risks involved with shared hosting but in reality, my two years with AnHosting were pretty much trouble free. I had a great experience with them. Now I’m on HostGator and so far, so good.

    Weren’t you down for quite a few days recently? Actually, didn’t you have a couple of longish outages over the last couple of months? I’m not keeping track, I just remember getting quite a few 404s when trying to visit your site. Keeping a WordPress site up and running shouldn’t be rocket science, I would not describe prolonged outages as being “pretty much trouble free” or “a great experience”. I’m just saying.

    I don’t think you can accurately have a blanket statement that all shared webhosting providers are bad. Many are bad but not all of them.

    I did not say that all shared providers are bad, you are completely misrepresenting what I said. Despite the entire concept of shared hosting being shaky, I am sure that some companies do a better job than others or, at least, are luckier than others, in the same way that some time-share apartments are prettier than others.

    What I said was that being at the mercy of other people’s decisions is always a bad idea, even if you get lucky and disaster doesn’t strike immediately. The point is that you can be rolling along nicely for quite a while but, unless you have done the security checks yourself (and, seriously, that is nowhere near as hard as it sounds), you will never know quite when your hard work and reputation might get flushed.

    My “big hate stick” for shared hosting has included me saying that it is fine for the 99% of WordPress sites for whom downtime is not a big deal. I even suggested a rule of thumb: if you consider your site to be important and regularly invest time and energy into it, if you are trying to build community around what you do, then, yes, sure, uptime becomes important and needlessly relying upon someone else to keep your server secure is a dumb way to save money but, again, far fewer than 1% of WordPress sites fall into that category.

    What I’m saying is fairly measured and essentially correct, you shouldn’t be taking it personally.

  9. After working on several Network Solutions hosted WordPress blogs I refuse to work on any more. It has been a while since I have had the frustrating pleasure of dealing with Network Solutions and can’t remember the exact issues I encountered but do recall a vow to myself not to work on any more. I suggest finding hosting elsewhere for a WP site.

  10. @donnacha | WordSkill – I’m not taking anything personally, it’s just that whenever a discussion pops up regarding webhosting, I always remember you showing up and bashing the entire idea of shared hosting. This has led me to believe that you don’t like the idea or business practice at all, even if there are a few companies doing things the right way. So perhaps that is an assumption and not the truth, for which I apologize.

    The Tavern site was only down thanks to a DDoS attack that apparently, my shared webhosting provider didn’t seem too involved in helping me with. After two years, I thought they would have helped me in a more personal way. Oh well, I packed my bags and moved.

    yes, the main advantage of a dedicated server or, to a lesser extent, a VPS is that you have more control over your security, you can do the simple things that need to be done and know that responsibility for it isn’t being outsourced to some clueless, underpaid kid who knows that no-one is ever going to check his work or, if problems do crop up, knows he can blame it on WordPress.

    That underpaid clueless kid would most likely be me and I wouldn’t know half of what that kid would know. My business is not in managing a server whether it’s a VPS or a dedicated box. I don’t have time for all that and so I would need for something like that to be managed. Managed costs money and yet, if I’m serious about the Tavern being a source of income, I would invest the cash into something like that but as I feel and see it, the site is not ready to make that kind of move both financially and overall, resource usage wise.

    I wholeheartedly agree with you regarding the chain syndrome where the more links in the chain, the more of a chance of encountering issues. The less links the better. But right now, shared webhosting fits the Tavern community quite nicely and has not yet reached the stage to move on to something bigger and better. That’s why I’ll continue to use shared hosting until I feel the time is right. The other stuff that comes with shared webhosting is just part of the package and stuff I’ll just have to deal with.

    To be honest, I don’t think I’d be any better off security wise doing everything myself versus shared hosting. I’d probably be in much worse shape with some sort of terrorist group continuously defacing my page lol

  11. Fair enough, I do bash shared hosting, but only because, in the course of my work, I come across so many companies who either don’t know how to make the jump to more reliable hosting or simply don’t know that they should, that it would fix a lot of problems, ranging from uptime to speed to security.

    In the case of this post, which you titled so provocatively, I felt it was directly relevant to point out the intrinsically scum-baggish nature of the shared hosting industry because they are the ones throwing mud here, not Matt. Unfortunately, because so many sites derive income from shared hosting affiliate links, the pitfalls of shared hosting don’t get much attention but, again, it is directly relevant to the subject of your post.

    That underpaid clueless kid would most likely be me and I wouldn’t know half of what that kid would know.

    Believe it or not, keeping a server secure isn’t so much about what you know, it is about whether or not you care and, let’s face it, no-one is ever going to care as much about your site as you yourself. These days, keeping a server secure is just so much easier, so much less arcane than even a couple of years ago – the improvements in WHM/CPanel and the quality of tutorials online puts running a server at much the same level as being proficient with WordPress i.e. understanding how to fix basic problems and knowing where to look for answers when you don’t have them yourself.

    Despite the “Joe Everyman” persona you adopt to help make WordPress more accessible to your readers and listeners, it is clear that you are one smart cookie, running a server would be a snap for you, not at all the time-consuming nightmare you imagine.

    In fact, I’ve often wondered if, at some point, you were going to parlay the reputation you’ve built up into some sort of WordPress-related business. I remember, a while ago, you expressed your frustration of having to juggle your website and podcast commitments with your real-world job, you even flirted with the idea of charging for access to your forum. Your current fascination with the premium end of things suggests that you are at least thinking about getting your hands dirty with PHP, getting some sort of product out there.

    Have you considered, though, that offering WordPress hosting would be a much quicker route? I mean, you would have to sit down and learn a few things but, I know from listening to you discuss WordPress, you’ve got a sharp grasp of detail, you could get up to speed with WHM/CPanel in just a few days and, with a good server company behind you to handle anything non-WHM, you would be all set.

    Seriously, when it comes to WordPress, you already know more than the vast majority of hosting companies out there. For instance, there is one company that I’m sure we’ve all noticed, they market themselves as specifically WordPress hosting, but they actually know incredibly little, all their installations of WordPress are just regular, non-modified Fantastico installs, with all the baggage and security problems that entails.

    You, on the other hand, know pretty much all there is to know about WordPress – you might not know how to write a plugin, but you know all the ins-and-outs that it is important to know, you are already wired into the ongoing evolution, the ups and downs of WordPress, it’s something that you obviously have a great interest in – the vast majority of human beings do not. If I didn’t already know how to manage my WordPress installations, you are precisely the sort of person I would want to pay to do it for me. What you already know is more valuable than you think.

    I hope you don’t find it presumptuous of me to suggest that, I just think it would be a good match for your existing interests, you’ve already got a great platform from which to promote such a service and it would be in the interests of the WordPress community as a whole to see you establish a way to get well paid for the valuable role you play as communicator.

  12. The average WordPress user has no clue what a file permission is. This probably makes up more than 90% of WP users. They start looking for a hosting provider and find companies like Network Solutions or Go Daddy who are advertising special “WordPress” labeled packages with easy 1 click install. If Network Solutions’ script installs WordPress or any other script then leaves the config file with insecure permissions set then that is a Net Sol problem.

    Fantastico Deluxe leaves the config file at 755 and I am sure there are tons of hosts out there who are not running suPHP and advertising Fantastico as a feature for easy WP installs. Most users don’t even think twice about this.

    So my conclusion is that WordPress should probably do a better job of educating average users and Hosting providers who offer 1 click installs better have the install script and the shared server environment securely configured.

  13. Perhaps the WordPress Foundation could offer hosts “Got a Clue” certification and a directory listing, based upon whether the environment they provide meets certain minimum standards of security and sanity.

    In return for a small donation to the foundation, a foundation volunteer could carry out some basic checks and, in instances in which the environment is not up to spec, they could give the host guidance on what they need to improve.

    I’m not saying that such a scheme would be easy to institute but it would do a lot to improve the experience that regular users have with WordPress.

  14. @Viper007Bond – It is certainly not the responsibility of WordPress, but it most definitely is to WordPress’ advantage to do so. It would circumvent a lot of the initial, ignorant finger-pointing at WordPress – and the attendant hyperventilating in the press about alleged WordPress “security vulnerabilities”.

  15. WordPress needs to be more proactive. It’s a fine product but it’s obvious hackers are now targeting this platform and some strict security is going to need to be implemented. Personally at this point I would pay a couple hundred dollars for a WordPress Software Package that included some kind of WordPress designed built in Firewall and Anti Virus and patch-update package. Open source is great but it does have a lot of disadvantages in some ways.

  16. @Steven

    All that security is going to do little good for anyone who has both nefarious intent and access inside the server, especially if that server is mis-configured (as with the Network Solutions hack).

    WordPress, out of the box, is pretty darn secure. There are other things that can be done to harden a WordPress install, but they are hard to build in or to automate during/after install, because they are things that are outside the control of the application.

    Other things (.htaccess rules that block web access to wp-config, wp- files and folders, etc.) could be implemented (e.g. in the same way that pretty permalink .htaccess rules are added), provided that servers are configured properly.

    Some things, though, just require an awareness and understanding that running one’s own web server and web applications requires a certain level of knowledge and effort to safeguard against attacks.

  17. @Dougal Campbell I was actually thinking more about the way that WordPress or Drupal allow permissions on directories, etc. For example, you cannot install or update modules remotely in Drupal as you can in WordPress — Drupal requires SSH or FTP access to do this. Certainly the problem of having to store the database credentials in plain text is universal (to a large extent, at least) and has a certain catch 22 aspect about it… There are some interesting solutions to this, as you and others have pointed out.

    I had a terrible experience with a very large hosting company, that I feel it would be unethical to name, in which I got a new shared hosting account and after connecting via SSH (FTP did not do this) I was able to change dirs lower and lower — I could get to the / of the server. Although I could not view most files and could not modify much outside of the shared_hosts directory (or w/e it was really called), I could still view the directories of nearly all of the websites on this server and could definitely modify users who had poor permissions on their directories. I was also able to view nearly all wp-config files, for example, and see their db info. I filed a complaint and was ignored multiple times. Eventually I demanded a refund — and I got it — but they seemed to completely ignore this huge vulnerability.

  18. @Martin – It could be a host or version issue. Because right before I made that comment I also did a fresh install with Fantastico Deluxe just to see the results. I also checked some other installs that were done with the same results. This is on a host with a good security record and SuExec configured.

  19. I had the unfortunate experience of using Network Solutions for hosting. It wasn’t my choice. I came into a project that was already underway. We had a Drupal site hosted there. It was terrible. The server would hang for hours at a time. Support was clueless, they would get around to the ticket around 20 hours after submission, usually just closed it without comment, some responses said there was something wrong with our Drupal install (finger pointing their best skill). This went on for more than a week. Moved the site to another host and never had downtime since. I demanded a refund and eventually got it.

    In my experience Network Solutions is incompetent as a hosting service. I’m not surprised that they tried to blame this issue on WordPress.

  20. I’m a relative newcomer to the world of decent website building. I’ve been involved with computers for a long time but mostly as a consultant dealing with speech recognition.

    I just spent the last 2-1/2 days trying to get, first, a MySQL database set up and then installing WordPress on a new website that a painfully slow developer had been unable to complete.

    What an education! Thank you folks for having enough detail in your replies to guide me in the right direction. Still don’t have WordPress implemented and probably won’t until I’ve dumped my Network Solutions shared hosting and found a local ISP whose hosting setup conforms to the suggested security guidelines that the experts on this forum have outlined.

    Thanks again and consider me the newbie who is being educated.

