Spectre and Meltdown Explained & How it Can Effect WordPress

New hardware bugs have been reported which affects processors designed by Intel, AMD and ARM. This flaw was reported by Google’s Project Zero and is already being termed as one of the worst CPU bugs ever found. So, what does ‘spectre and meltdown explained’ mean exactly?

Named as ‘Meltdown’ and ‘Spectre’, these vulnerabilities allow malicious programs to read data from other programs. These issue affects everyone who uses any modern computing device. You might be a WordPress site owner or a casual browser of websites, this issue can harm you. For example, you have a browser tab accessing a malicious site, this tab can access data from the password manager installed on the browser or cookies from other tabs. Similarly, if you have a WordPress site hosted with webhosts that have multiple sites sharing same hardware, your site is susceptible to data theft. This means irrespective of whether you are on shared or managed hosting, you are in equally bad situation.

Am I affected as a Website owner?

As of now, most certainly, you are already affected by the bug. The data theft can include passwords, ssl keys, and other sensitive information.

What should I do as a WordPress site owner?

There are four popular ways of hosting a WordPress site:

Shared Hosting – GoDaddy, Bluehost, SiteGround etc.

On shared hosting, there are many sites running alongside many others in very close proximity on a server. These servers have a certain level of protection ensuring the safety of one site from another. This wall between sites is sufficient under normal operation but can be breached. Since all website instances are running on the same machine, this vulnerability can allow a malicious site to illegally access to data of other sites.

The webhosts, in this case, are responsible for deploying the patches to the underlying system. You should follow up with your webhosts to ensure that they have a plan for this.

Managed WordPress Hosting – WP Engine, Pantheon, etc

Managed WordPress hosting is traditionally considered a better and more secure option than shared hosting. Most of the popular Managed WordPress Hosting providers host the sites on the big cloud platforms such as AWS, Digital Ocean, Google cloud etc. Managed hosting dramatically reduces the risk of one site being able to afflict another site on the same server, however, this case is different as Meltdown and Spectre are hardware bugs. If you are hosted on a dedicated container, multiple containers might be running on the same machine. This puts you on same risk as a site hosted on shared hosting.

Many cloud platforms have already fixed their underlying platforms. Some others have also laid out a plan for the same too. The managed webhosts will also need to apply patches to their own systems too.

Cloud Hosting – Digital Ocean, AWS etc

A few of us run our sites by directly renting virtual servers from cloud hosting platforms. These cloud platforms allow multiple customers to share a physical server. The customer can install their own operating system and then manage the entire stack on top of this giving them complete flexibility. However since the underlying server is common, it is possible for a bad actor to exploit this vulnerability.

As mentioned in previous sections, the major cloud services are quickly patching their platforms. However since you are responsible for maintaining your own virtual server, you should update your OS as soon as possible.

Dedicated servers

Hosting of privately owned and maintained server is not a popular option given its complexity and cost. However if you happen to do so, you are at minimal risk from this bug, though we would still advice to keep your OS updated.

Can I know if my site is under attack?

Unfortunately it’s unlikely to know if you are getting attacked. These are hardware bugs that can lead to data theft without leaving any traces in traditional log files. The attack is independent of the operating system, and it does not rely on any software vulnerabilities (wordpress core, plugin/themes). These bugs work on personal computers, mobile devices and in the cloud. Depending on the hosting provider’s infrastructure, it might be possible to steal data from you and your visitors.

How can I fix it?

Sadly there is not much you can do at the moment. This bug affects almost everyone. Operating System vendors have already started rolling out fixes but these are stopgap patches and costs performance. Meltdown patch is supposed to take 5 to 30% toll on CPU performance, whereas Spectre is not likely to be fixed any time soon.

Whom should I contact for help?

Major hosting companies have already started deploying patches. As a site owner check with your hosting provider about the status of their system. Ask them to deploy fixes immediately if they haven’t already. Check with them what these fixes mean to you as an end user. Will it affect the site performance? Will these effects be visible to your end users?

But what are these attacks anyway?

Project Zero revealed the bug as:

We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.

The above statement summarises the exploits made by Meltdown and Spectre. They are example of side-channel attack.

Currently it’s difficult to predict the damage caused by these bugs. Many major companies like Amazon, Google and AMD have released statements assuring their users their latest software versions are safe. Many other giants like Apple have not commented yet. Watchout this space for more updates.

Hope this clarifies most of your doubts.