A number of large organisations, including an Investment Bank, are users of our software.
As a result we take security extremely seriously have gone far beyond the requirements of a typical WordPress plugin in order to further enhance the security of our software.
A number of the steps we have taken to enhance security are listed below.
Our plugin not only adheres to these general plugin guidelines but also to a far more stringent set of coding standards known as WordPress VIP coding standards. This ensure we are extra cautious of how we handle data coming into WordPress, and how that data is presented to the end user.
WordPress VIP has a much higher standard than that required for general plugin submission
Root Folder Listing
In order to prevent user error, when listing files and folders, we prevent you from listing the contents of your root folder by default.
To list the contents of your root folder you are require to both:
- enable the capability in the plugin settings
- explicitly add the "folder=root" attribute to your shortcode
In working with Amazon and Microsoft all customers benefit from the data centre and network architecture built to satisfy the requirements of the most security-sensitive organisations.
We have specifically decided to not work with the more consumer-grade storage providers such as Dropbox and Google Drive.
Organisations such as NASA, The Securities and Exchange Commission, GE, Pfizer, SAP, Shell and many more trust Amazon and Microsoft with their data.
These storage providers also meet the most stringent of security certifications including Cloud Security Alliance (CDC), FISMA, FIPS 140-2, PCI DSS, ISO, HIPAA and more.
All data for managed hosting clients is stored in Amazon S3, the industry-standard mechanism for storing and serving any number of files of any size, from 10 million icons to a million movies. More on AWS Security.
When a page is loaded a unique encrypted signing key is generated for all files on the page using the relevant SDK from Amazon or Microsoft. This allows your storage container (bucket or blob) to remain completely private and not publicly accessible in any way.
The unique keys that are generated can only be generated by the plugin and ensure that access is allowed to the file, for a limited amount of time. This signature expiry time is set at 20 minutes by default.
Here is a sample file link with the encrypted signature:
Further details on Azure Shared Access Signatures (SAS) can be found at https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1.
Resilience & Backups
Because Amazon S3 and Microsoft Azure are already redundant, it also solves the issue of backups. S3 automatically creates and stores copies of all S3 objects across multiple systems to protect against systems failure within a region.
Amazon S3 is designed for 99.999999999% (11 9's) of durability, and stores data for millions of applications for companies all around the world.
The S3 Standard storage class is designed for 99.99% availability. Similar Azure guarantees 99.99% availability for Read Access-Geo Redundant Storage (RA-GRS). This equates to 52 minutes of downtime in a 12 month period.
For more information on Azure see https://azure.microsoft.com/en-gb/services/storage/blobs/ and https://docs.microsoft.com/en-us/azure/storage/common/storage-redundancy.
Both Microsoft Azure and Amazon S3 enable encryption-at-rest as standard for files and folders stored on their storage platforms.
All data managed by WP Media is both encrypted at rest and in transit (using the HTTPS protocol).
Key management services from Microsoft and Amazon create and control encryption keys such that there is no additional overhead or complexity for customers.
API Key Security
Your API keys are stored encrypted in your WordPress database. The keys are encrypted using the unique cryptographic salts that are in your wp-config file.
These salts, or secret keys, are the same keys that WordPress itself adds to your password to secure your login information. This helps to ensure that your passwords are immune to brute-force attacks and similar hacks.
Storing your API keys in this way means that an attacker would require not only your WordPress SQL database and a method to extract the entry out of the database, but also the encryption algorithm from the salt in your wp-config file in order to decrypt the key.
Note: this enhanced level of security means that if you failover to a different WordPress server, or restore your WordPress instance to a different hosting provider, you need to re-save your API keys again as the salts would change.
Tamper protection means that display information such as folder names are encrypted using AES 256 CBC and SHA 256 encryption.
Tamper protection is in place for all major file manager functions such as new folder creation, list, rename, move and upload.
For file management functions a context attribute is used to know which folder is currently being viewed and ensure any actions (move, delete, rename etc) are performed in the current folder. This attribute ensures that an attacker cannot edit front-end html in order to change their current context. The current context is checked before all actions are performed and if it is not what the server is expecting, the user will receive an error and will be prevented from performing the action.
Secure URL Masking
Secure URL Masking (enabled by default) helps to reduce any potential attack surface by encrypting and obscuring the full paths and folder structure for your files. As a result, full file paths such as https://company.blob.core.windows.net/parent-folder/child-folder/filename.jpg cannot be seen when inspecting HTML code (e.g. with Chrome DevTools).
The entire URL is replaced with a random string and file extension such that all references to your backend folder structure are hidden, and users have no idea where in the file structure a file has come from. Paths to automatically generated thumbnails are still visible, however these are stored in wp-content (in WordPress) and so do not reveal anything about your cloud file structure.
All encrypted file paths get decrypted on-the-fly hence clicking the links still downloads files as expected.
Note: you may need to resave permalinks in WordPress for changes to these settings to take effect.
We use unique keys (known as nonces) to verify that requests to our software can only originate from your website.
Nonce is used for security purposes to protect against unexpected or duplicate requests that could cause undesired permanent or irreversible changes to the web site and particularly to its database. Specifically, a nonce is an one-time token generated by a web siteto identify future requests to that web site. https://codex.wordpress.org/Glossary#Nonce
The most important step in creating an efficient security layer is having a user permission system in place. WordPress provides this in the form of User Roles and Capabilities.
For added security we have added 2 custom capabilities - file manager and plugin manager. Only users with the plugin manager role are able to change plugin settings.