Pressable: The Good, the Bad, and the Ugly
Tl;dr – There is much I like about Pressable. However, after initial difficulties in reaching someone, I asked them why they were sending (and possibly storing) clients’ WordPress install passwords in plaintext. No other managed WordPress host I know does this. It is also considered insecure by most IT security professionals. Pressable replied, “As I’m sure you can imagine this will be easy to fix. I’ll run it by our product team tomorrow to see if they have any preferred way to get this changed.” More than 90 days later, a reasonable and responsible disclosure period, Pressable continues to email plaintext WordPress login credentials in install welcome emails. Pressable is an Automattic company.
For more than 10 years, I’ve developed, hosted, and managed WordPress sites professionally for clients. Plus, I installed, developed, hosted, and managed countless WordPress sites in a non-professional capacity during the 5 years preceding my client work.
In a previous post – My first vulnerability submission(s) – I outlined a relatively simple vulnerability I found recently affecting two different managed WordPress providers. Because of responsible disclosure, I named neither host, nor the issue they both shared. However, more than 90 days have now passed.
Let’s be clear, right off the bat …
OK, let’s begin …
Pressable: The Good
WordPress itself was released on May 27, 2003, by its founders, American developer Matt Mullenweg and English developer Mike Little, as a fork of b2/cafelog. Matt is considered by many to be the father of WordPress.
In 2005 Matt went on to form Automattic. In my opinion, he is best known for Automattic – after WordPress.org within IT circles – and I’d suggest this is because of WordPress.com and its VIP services for mega-brands and VIP clients.
Pressable was founded in 2010 and acquired by Automattic in 2016. Being part of Automattic, I think it’s reasonable to presume that by now (four years post-acquisition) Pressable runs in Automattic’s data centers and uses their DevOps, SOCs and NOCs, architects, network engineers, sysadmins, database admins, security teams, WordPress-stack and stack experts, hardware, upstream providers, et al. Note: their install confirmation transactional email notifications (i.e., “Your WordPress site is ready …” emails) are “mailed-by” wpdatacenter.com, so I think it’s safe to say they have been integrated, at least partially even if not fully. I hope they have; clearly, Automattic does WordPress very well; they have a direct lineage to its creation.
I like that Pressable is part of Automattic.
Essentially, it’s managed WordPress hosting made by WordPress.
I also like Pressable’s management dashboard (although not as much as others, which I’ll review in a further post). Pressable’s is simple, quick, and it’s easy to find stuff. It lacks, for example, some of Pagely’s, Kinsta’s, and WP Engine’s functionality, but I’m sure (I hope) most of that will come, and maybe more besides.
Pressable: The Bad
I’m a security-focused techie in everything I do from an IT perspective. From the simple to the complex I attempt to secure my infrastructures as best I can with the resources I have available. But I’m a one-man company with a few excellent, reliable, and long-standing contractors. I do not have dedicated devops, security, or QA teams on payroll, nor the budgets of large-caps or unicorns.
The previously unnamed managed WordPress provider in my first post is Pressable. They are referred to as Number 1 in that post. You can read my Pressable vulnerability disclosure timeline: my attempts to notify Pressable, and their responses.
Earlier today, I spun up a new WordPress install at Pressable. Bear in mind, it’s over four months since I emailed them asking why they email passwords in plaintext, and their reply that it would be an easy fix.
Below is the confirmation email of the new install spun-up earlier.
Of course, I immediately nixed the install.
I mentioned ‘simple’ above. IT security professionals have long accepted that passwords stored or emailed in plaintext are bad. Instead of me rambling on, check out:
“Emailing your password to you even without the website actually storing it on their servers can be just as bad. Email is not a secure medium. It was never designed to be one. It’s susceptible to Man In The Middle (MITM) attacks and a slew of other issues.” (plaintextoffenders.com/about)
I’m not just talking about an online forum for cats or a fine wine tasting club community (I’m sure I can think of better examples).
I’m referring to your web hosting account; more often than not, your business website. Just imagine it being compromised: hacked, defaced, taken down, or injected with malware, key loggers or backdoors; payment information possibly taken; and, likely, clients’ personally identifiable information stolen. You don’t need me or anyone else to tell you the effect on your business reputation and your ability to keep trading.
And, as with every IT provider, marketing BS takes over when it comes to them telling us all how (ahem) “we take your security very seriously”; “security is our primary focus”; “we use military-grade encryption”… yadda, yadda, yadda. Worthless, bullshit marketing crap.
Check the websites of SolarWinds, FireEye, Yahoo, Equifax, Marriott, River City Media, Target, and many more on the day before they announced their mega-hacks. They would have carried a variation of the same messages above. 24 hours later, it becomes public that they’ve been hacked, and your details, credit card or funds are gone, or, in the least-worst case, you can’t use their website, which may be a bank’s. They then spin out more marketing crap and offer you meaningless credit protection for a year. This is all aimed at simultaneously wowing, bemusing, and disenfranchising the masses.
Oh, and Pressable’s similar message is below: “At Pressable, security is our number one priority.” Clearly, it is not.
Yet they email business-critical passwords in plaintext, and, after being alerted to it and advising it will be an easy fix, four months later, it is not fixed.
If security is their number one priority, a) the issue would not have existed post-acquisition, b) it would have been resolved shortly after being reported, or c) it would not still exist four months after Pressable was made aware of it.
Utter BS. But, of course they are not alone in the purge on our intelligence.
They email passwords in plaintext. We know that.
Are they stored in plaintext, or not encrypted and/or hashed correctly at rest somewhere else?
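As an added example (my own illustration, not Pressable’s or Automattic’s code, and not a description of their systems), here is how a host’s provisioning flow can avoid both problems raised above: the welcome email carries a single-use, time-limited setup link instead of the password, and the password is stored only as a salted scrypt hash. The plaintext version is included alongside, with a simple template check that flags it. The `/setup?token=` path, the one-hour link lifetime and the in-memory install table are assumptions made for the illustration.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed policy values for this illustration.
SETUP_TOKEN_TTL_SECONDS = 3600          # setup link is valid for one hour
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


@dataclass
class InstallRecord:
    admin_user: str
    password_hash: str       # salted scrypt hash only; the clear password is never kept
    setup_token_hash: str    # SHA-256 of the one-time token; the clear token exists only in the email
    setup_expires_at: float
    setup_used: bool = False


# Constructed stand-in for the host's install database, keyed by site URL.
DB: Dict[str, InstallRecord] = {}


def hash_password(password: str) -> str:
    """Salted scrypt hash, stored as 'salt$digest' (both hex)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def token_hash(token: str) -> str:
    # 256 bits from a CSPRNG, so a plain hash suffices; storing only the hash means
    # a database read alone does not yield a usable setup link.
    return hashlib.sha256(token.encode()).hexdigest()


def provision_site(site_url: str, admin_user: str, now: Optional[float] = None) -> str:
    """Create the install; return the one-time setup token, the only secret that leaves here."""
    now = time.time() if now is None else now
    initial_password = secrets.token_urlsafe(24)   # hashed and discarded, never emailed
    setup_token = secrets.token_urlsafe(32)
    DB[site_url] = InstallRecord(
        admin_user=admin_user,
        password_hash=hash_password(initial_password),
        setup_token_hash=token_hash(setup_token),
        setup_expires_at=now + SETUP_TOKEN_TTL_SECONDS,
    )
    return setup_token


def welcome_email(site_url: str, admin_user: str, setup_token: str) -> str:
    """Hardened welcome email: a single-use link, no password. The /setup path is assumed."""
    return (f"Your WordPress site {site_url} is ready.\n"
            f"Username: {admin_user}\n"
            f"Set your password here (valid for 1 hour, single use):\n"
            f"{site_url}/setup?token={setup_token}\n")


def welcome_email_plaintext(site_url: str, admin_user: str, password: str) -> str:
    """The pattern criticised above: the credential rides in clear through every relay and inbox."""
    return f"Your WordPress site {site_url} is ready.\nUsername: {admin_user}\nPassword: {password}\n"


PASSWORD_LINE = re.compile(r"^\s*pass(word|wd)?\s*[:=]\s*\S+", re.IGNORECASE | re.MULTILINE)


def email_exposes_password(body: str) -> bool:
    """Cheap template check a host could run over its outgoing transactional mail."""
    return PASSWORD_LINE.search(body) is not None


def redeem_setup_token(site_url: str, presented: str, new_password: str,
                       now: Optional[float] = None) -> bool:
    """Set the password if the token matches, is unexpired and unused; otherwise refuse."""
    now = time.time() if now is None else now
    rec = DB.get(site_url)
    if rec is None or rec.setup_used or now > rec.setup_expires_at:
        return False
    if not hmac.compare_digest(token_hash(presented), rec.setup_token_hash):
        return False
    rec.setup_used = True                         # burn the token before anything else
    rec.password_hash = hash_password(new_password)
    return True


def login(site_url: str, user: str, password: str) -> bool:
    rec = DB.get(site_url)
    return rec is not None and user == rec.admin_user and verify_password(password, rec.password_hash)


if __name__ == "__main__":
    tok = provision_site("https://example.test", "admin")
    print(welcome_email("https://example.test", "admin", tok))
    print("replay refused:", redeem_setup_token("https://example.test", tok, "first") and
          not redeem_setup_token("https://example.test", tok, "again"))
```

The design point is that the only secret in transit is a token that is worthless after one use or one hour, and the only thing at rest is a salted, memory-hard hash; a leaked mailbox or a leaked database row on its own gives an attacker nothing reusable.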
Pressable: The Ugly
I’ve mentioned the good; I stand by that.
I outlined the bad; I stand by that, too.
And I hope the issue gets resolved, as I’d like to be a customer.
The ugly part is best summarized by bullet points:
- It took two days via chat to get an initial response from anyone
- I was told four different people would call me – they didn’t
- I asked if they ran a bug bounty – was told no
- Was then told there was a bug bounty – registered for program – domain in question not in scope
- Next day was asked how I was getting on submitting to bug bounty – repeated, domain not in scope
- Finally, Head of Dept. emailed me, advised he agreed it is a vulnerability, should be an easy fix, and he’ll start the ball rolling the next day
- Follow-up email to him Oct 19, no reply
- 4 months from alerting them to it, vulnerability persists
That’s the ugly part. Particularly for an Automattic company.
Therefore, I shall post this blog, and maybe tweet a link to it, possibly @’ing Automattic, Matt, Pressable, and plntxtoffenders.
Why am I making a fuss about this? I’m (steadily) spinning out the client sites I manage in my general, broad IT services company into a full-service, stand-alone, WordPress-only company, dedicated to serving small businesses with gold-standard WordPress hosting, management, maintenance, availability, performance, optimization, and security.
While on a rant(ish), Pressable’s status page leaves a lot to be desired. They fell into the same trap WP Engine did: a standard WordPress theme, with the blog component used for status updates. Well, they are a WordPress shop, so why not?
It didn’t work for WP Engine, and Pressable has yet to learn the lesson. Either develop a bespoke WP theme dedicated to the full functional needs of a status page, or do what nearly everyone else who has considered it does and use the right tool for the job: StatusPage.io.
One last comment on my previous post (for now): I have yet to name the second host. They fixed the issue in very short order. That inspired a lot of confidence in me; I’ll blog about them more later, when I have the chance.
And, finally, comments are open and I genuinely welcome any comments from Pressable, Automattic, and/or Matt.
Thanks for reading.