In an episode of Do the Woo, we had Calvin Alkin chatting with hosts Carl and Kathy.

Kathy asked Calvin this question.

Calvin, I want to get back to why the plugin is, why that whole model doesn’t really work, because of how PHP works. There might be some non-technical people who might not understand exactly how that model doesn’t work, and they might not be able to find time to read your research. But can you just give an overview of why that doesn’t?

What happens, I mean, I’ve seen the malware that’s done this, that’s like, oh, well, you can find everybody else’s malware, but you’re not going to find mine. And that hacker can modify those files. Can you explain why they can, why, when a site has an intrusion from, let’s say, a SQL vulnerability, a SQL injection that does not have anything to do with anything happening in PHP, they can still then get access to PHP files and modify them?

Why scanner plugins won’t work

So let’s start at the point where, through some means, your site has been infected. It doesn’t matter how that could have happened, there are infinite attack vectors, but now your site has malware on it, and you also have a plugin that does malware scanning, maybe using WP Cron periodically, or you can start it from the UI, whatever. But ultimately this scan, the malware scan, runs in the same process, the PHP process, and with the same privilege level as the malware.

So the simplest and the most blunt, hit-with-the-hammer approach: the malware could just simply disable or delete your security plugin from the file system. This will be the easiest to understand. The first time the malware runs, it just deletes your security plugin. That’s the easiest; after that there aren’t any scans. But obviously you as a site administrator would realize that at some point, yeah, maybe not immediately, but maybe you’ll realize eventually that your security plugin is gone.

So what they do then, because they can read the source code of the plugin, they can see how it works, and since they’re operating at the same privilege level, they’re both running inside of WordPress in the PHP process that powers WordPress, they can then alter the malware scanner. Imagine this: there are very complex operations going on to determine if a file is malware or not, and then the actual malware modifies that final result that is displayed to you in the UI and just says, yeah, you’re all clean. Pretty much that’s how it works. They make the malware scanner lie to you.

They make the malware scanner tell you there’s no malware, but there actually is. And the way to do that depends on the malware scanner that you have. And obviously we didn’t disclose what we did there. We don’t want to make it easier for folks, but it’s pretty easy, to be honest, like 10 lines of code maybe to do that. It’s not hard. So yeah, that’s the fundamental issue. The system that is potentially infected wants to monitor itself, and that doesn’t work. It has to be from somewhere higher up or someplace that is more privileged at the server level.

Plugins that have firewalls associated built into the plugin

So the firewall would be protection, not scanning. I mean, if you have malware on your side, the firewall can be disabled in the very same manner. But at that point, you’re already infected. The firewall usually is there to prevent you from getting infected in the first place. There isn’t anything wrong in particular with plugin-based firewalls. It’s more so that everything that you can do in a plugin with a firewall, you can do, for example, at the edge at Cloudflare or in the nginx firewall.

Yeah, it’s just heavy from a sysadmin perspective, especially in enterprise, right? We’re talking enterprise. So larger WooCommerce stores, larger sites, they need more PHP workers. They want their code to be more efficient so that the response time is faster and all those things. If every request has to be processed as a firewall request, it’s a lot of processing time dedicated to that. It’s not trivial in itself. One serious reason to just not use super heavy security plugins like that is if they just do a lot and they put a lot of weight on your WordPress installation, which is a problem again for enterprise because they’re trying to be more performant, they’re trying to handle more sales, more everything, and it’s like having an ankle weight. You’re kind of dragging. Every request has this huge ankle weight that you’re dragging, and that serves not no purpose, but as we’re discussing, the malware scanning doesn’t work. It’s more like security theater, right?

The malware scanning and some other things, fundamentally, it’s impossible to perform that at the plugin level. And there are other things that are the same. But for example, the firewall, it is absolutely possible to write a secure firewall in a WordPress plugin. There’s nothing that makes it conceptually impossible, unlike the malware example. You can do that. Whether the existing ones are secure is a different topic, but it is theoretically possible. The thing is, it will not be performant, because as Carl mentioned, at the point where the plugin-based firewall runs, you already incurred the majority of the cost of that request. You already went through the edge layer, nginx ran, WordPress was booted, and then your firewall is hit. So it’s not performant. It’s possible to do it securely.

Or let’s go one step further: you’re trying to mitigate a DDoS. If your firewall’s the actual PHP application, you ain’t mitigating anything, right? Your site’s blowing up either way. It’s all cool, you have a firewall, but you’re still getting hammered by hundreds of thousands of requests, your server’s not going to be able to handle it, and it’s not really designed for that either. You can do it on the same machine. I’ve done work with people at nonprofits where they can’t use American companies for security reasons, and so they can’t use Cloudflare or things like that. So you have to do a lot of the protection yourself at the machine level, but you want those requests to be blocked. You can even overwhelm a Linux machine if you’re not careful, even with a DDoS. So that’s why it’s not efficient either, right? Part of the goal of a firewall is to prevent those DDoS attacks, and you basically are not doing that with a PHP-based firewall.

You can listen to the full episode here
