Handling plugin security: Interview with LiteSpeed Cache’s Hai Zheng

Published 20 November 2024

Today we present an interview with Hai Zheng. Hai works at LiteSpeed Technologies and is a man who chases better code and products tirelessly, so before he knew it, he just happened to learn PHP, JS, CSS, React, NodeJS, Python, Go, MySQL, and ScyllaDB. 😉 He plays, researches, and designs products for fun.

Tell us a bit about LiteSpeed Cache. How does it differ from other caching plugins?

The LiteSpeed Cache plugin started as a way to connect WordPress sites with LiteSpeed’s server-side page cache. After v1.14, we started to gradually introduce other types of optimization features that are important for WordPress visitor experience: page optimization, image optimization, database optimization, in-memory cache (Redis/Memcached), browser cache, and CDN support for example.

Also, LiteSpeed Cache provides ESI (Edge Side Includes) support, which allows a user to punch holes in a cached page, and cache certain parts differently. This is great for personalized content like shopping carts.

I believe each plugin has its own advantages and target audience. For example, WP Rocket has good features and user-friendliness. On the LiteSpeed side, our server-side cache has an advantage over other plugins’ application-level cache: it is built into LiteSpeed servers. It’s similar to the way Apache works with Varnish cache, except with LiteSpeed it’s all built-in, and no proxy is required. Server-level cache is faster than rewrite-rule-based cache can ever be.

We aim for simple, good-quality code. That can mean more time in development, but it brings us a lower cost and easier maintenance.

Why do you think it got so popular?

I don’t have a clue; we never advertise. Just kidding, of course 🙂

The truth is, there are several reasons:

  • We listen to user feedback and add requested features
  • We keep new releases coming fast
  • Potential users test it and can feel the difference right away
  • Word of mouth

Lately, there have been a few rather severe vulnerabilities found in the plugin. Why did they happen and what did you learn from them?

No matter how careful we try to be, and how much we consider the implications of all of our code, accidents and unforeseen situations can happen in the wild, especially as a project grows. With care, we can keep the impacts of any exploits to a minimum.

We’ve learned that attackers will take advantage of any minor unconsidered conditions that they can, so we need to keep an eye out for those situations.

In general, the impacts of most of the recent vulnerabilities have been minor, or have been simple to mitigate, because security is an important concern for us from the start. We test a lot before publishing any releases.

On the bright side, you handled them swiftly (one fix was ready the same day it got reported) and were transparent about what happened. Please share some information about your security-related procedures and how they changed lately.

The security reports provided by Patchstack are professionally written and make it easy for us to locate the problem. Our in-house developers write and maintain the plugin codebase. As a team, we understand the code thoroughly. We have a number of dedicated server environments for testing. So, we can be quick to act, quick to test, quick to release a patch, and quick to announce it to our users.

Other than plugin-side fixes, we can release patches for LiteSpeed Web Server to protect even those sites that are running old versions of the plugin.

Do you have any security tips for plugin developers?

  • Dry run before wet run. In the development stage, I require my team and myself to dry-run the code. This means we make sure we fully understand and control our code. We imagine and account for as many possible test cases as we can before we rush into testing.
  • Stay calm in an emergency. Find the most efficient way to minimize the impact. For us, this goes beyond just the plugin development team, and it means informing our partners, patching the web server code to block further hacking attempts, updating our control panel plugins to allow hosting companies to mass update the plugin, and announcing it in our social channels.
  • Keep communication with users transparent and open.
  • Keep learning new things. Learn the lesson that every vulnerability teaches, and apply it to future work.
  • Take ownership of the product, and treat users well. While our goal is to facilitate faster websites for our users, at the same time it can be really rewarding on a personal level. During the process, we build trust with our users, improve our own mindsets, and become better selves. I think the humanity of it all is important, and it impacts everything else, including security.

How do you feel about Patchstack’s mVDP? Do you think it’s valuable for plugin vendors?

Patchstack mVDP is a smart idea and a useful service. It allows plugins to enhance their security and provide a patch at the earliest possible time. I am glad to see that many other researchers have researched our codebase so deeply!

If you had unlimited power to change one thing regarding WordPress’ security, what would it be?

Add an AI model to the WP forum that reviews all plugin code and automatically provides improvement suggestions to all plugins. 😆

You can connect with Hai on LinkedIn.
