Registrars' Association publishes security.txt plugin for WordPress

RA, SIDN Fund and SIDN promote adoption of security.txt


Last month, the Registrars' Association (RA) published a security.txt plugin for WordPress, the most widely used open-source content management system.

The WordPress plugin greatly simplifies the task of publishing a 'security.txt' file – a standardised file for sharing an organisation's coordinated vulnerability disclosure (CVD) policy and contact details. By publishing one of these files, a website owner makes it much easier for people to report security-related issues with the site.

"This project will be a success if it substantially increases adoption of the security.txt protocol. So far, adoption in the Netherlands has been poor. We'd like to see that change, because security.txt can help make the internet stronger by increasing security."

Daniël Federer, business developer

Defined in RFC 9116, the security.txt protocol offers a straightforward mechanism for organisations to publish their vulnerability disclosure policies and contact details. The system involves the publication of a file called security.txt on the organisation's website, written in a specially developed text format that is readable by both machines and people. Security researchers and white-hat (ethical) hackers can refer to a site's 'security.txt' file to find out what the organisation's disclosure policy is, and who they should approach if they come across a security issue. That in turn helps the recipient of the report – a company from which files have been stolen and offered for sale on the dark web, for example – to promptly take action to prevent or mitigate harm. If the new system is widely adopted, the availability of security information in a clear and accessible form may also be expected to encourage reporting and thus reduce the number of incidents.

Signing and reminders

The RA's new security.txt plugin is not the first of its kind. However, earlier plugins required knowledge of the open standard, and one of them saved the 'security.txt' file in the wrong place. The RA plugin makes use of previously provided contact information, and enables a website operator to add a 'security.txt' file to their site without being familiar with the standard. Provided that the user has enabled GnuPG, the plugin can also sign the newly created file. Finally, it reminds the site operator when the file's expiry date is approaching.
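To make the mechanism described above concrete, here is a small validator for a 'security.txt' file as RFC 9116 defines it: it unwraps a GnuPG cleartext signature (without verifying it), checks that Contact and Expires are present, that Expires and Preferred-Languages appear at most once, and reports when the expiry date has passed or is approaching, which is the check behind the plugin's reminder. This is an added example written for this article, not code from the RA plugin or from Internet.nl. The 30-day reminder window, the sample file and the signature placeholder are constructed for the example; RFC 9116 itself places the file at /.well-known/security.txt and requires an RFC 3339 timestamp in Expires.

```python
"""Validator for an RFC 9116 security.txt file, with an expiry reminder.

Added example for this article; not the RA plugin's code. Assumptions are
marked in comments. RFC 9116 serves the file at /.well-known/security.txt.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REQUIRED = {"contact", "expires"}                 # RFC 9116: both MUST be present
AT_MOST_ONCE = {"expires", "preferred-languages"}  # RFC 9116: MUST NOT repeat
REMINDER_WINDOW = timedelta(days=30)              # assumption: when to remind
CHECK_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed "now" for the demo


@dataclass
class Report:
    fields: dict[str, list[str]] = field(default_factory=dict)
    errors: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)
    signed: bool = False

    @property
    def ok(self) -> bool:
        return not self.errors


def strip_pgp_wrapper(text: str) -> tuple[str, bool]:
    """Return the body of a PGP cleartext-signed message and whether a wrapper was found.

    Only unwraps; signature verification needs GnuPG and is out of scope here.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "-----BEGIN PGP SIGNED MESSAGE-----":
        return text, False
    body, in_headers = [], True
    for line in lines[1:]:
        if in_headers:                       # armor headers (e.g. "Hash: SHA256")
            in_headers = line.strip() != ""  # end at the first blank line
            continue
        if line.strip() == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return "\n".join(body), True


def parse_fields(body: str) -> tuple[dict[str, list[str]], list[str]]:
    """Collect 'Name: value' lines (names case-insensitive); '#' lines are comments."""
    fields: dict[str, list[str]] = {}
    errors: list[str] = []
    for n, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            errors.append(f"line {n}: not a 'Name: value' field: {raw!r}")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, errors


def validate(text: str, now: datetime | None = None) -> Report:
    now = now or datetime.now(timezone.utc)
    body, signed = strip_pgp_wrapper(text)
    fields, errors = parse_fields(body)
    rep = Report(fields=fields, errors=errors, signed=signed)
    for name in REQUIRED:
        if name not in fields:
            rep.errors.append(f"missing required field: {name}")
    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            rep.errors.append(f"field must appear at most once: {name}")
    for c in fields.get("contact", []):
        if not c.startswith(("mailto:", "tel:", "https://")):
            rep.warnings.append(f"Contact should be a mailto:, tel: or https: URI: {c}")
    exp = fields.get("expires")
    if exp and len(exp) == 1:
        try:
            when = datetime.fromisoformat(exp[0].replace("Z", "+00:00"))
        except ValueError:
            rep.errors.append(f"Expires is not an RFC 3339 datetime: {exp[0]}")
        else:
            if when.tzinfo is None:
                rep.errors.append("Expires must carry a time zone")
            elif when <= now:
                rep.errors.append(f"file expired on {when.isoformat()}")
            elif when - now > timedelta(days=366):
                rep.warnings.append("Expires is over a year out; RFC 9116 recommends less")
            elif when - now <= REMINDER_WINDOW:
                rep.warnings.append(f"REMINDER: file expires in {(when - now).days} days")
    return rep


# Constructed sample: a cleartext-signed file (signature block is a placeholder).
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# security.txt for example.nl (constructed sample)
Contact: mailto:security@example.nl
Contact: https://example.nl/report
Expires: 2025-01-15T12:00:00Z
Preferred-Languages: nl, en
-----BEGIN PGP SIGNATURE-----
(signature placeholder)
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    r = validate(SAMPLE, now=CHECK_TIME)
    print("signed:", r.signed, "ok:", r.ok)
    for msg in r.errors + r.warnings:
        print(msg)
```

Run against the sample with the fixed check time, the file is structurally valid and signed, and the only finding is the reminder that it expires in 14 days; moving the check time past 15 January turns that into an error, which is the state a hoster's 'Security.txt Report' page would want to surface.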

Development of the plugin was aligned with the Internet.nl test portal – an initiative by the Platform for Internet Standards to promote the adoption of various modern internet (security) standards, including security.txt. On the Internet.nl portal, you can test your web and mail domains, as well as your own internet connection, to see whether they support the main open standards. Testing yields a comprehensive report detailing the situation with each standard, and giving an overall score of between 0 and 100 per cent. The report can be used to identify gaps in support and faulty implementations, as a starting point for remedial action. The overall score additionally serves as a metric for measuring progress towards full support. The WordPress plugin's interface features a button for testing the user's security.txt configuration there and then.


Figure 1: Screenshot of the interface of the WordPress plugin for the Internet standard security.txt.

Hosting control panels and best practices

Development of the WordPress plugin was underwritten by SIDN Fund. The project is also intended to yield native support for security.txt in popular hosting control panels, such as DirectAdmin, cPanel and Plesk, as well as best practice guidelines on application of the standard.

In the summer, native support for security.txt was added to DirectAdmin (from version 1.664) and Plesk (from version 18.0.61). Both of those control panels are widely used by hosting service providers to configure and manage web-related services for their customers. In this case, native support involves security.txt set-up being fully integrated within the software, and hosters being able to enable security.txt for their customers by default. The 'security.txt' file is generated (and then published) using information previously entered into the control interface. DirectAdmin features a 'Security.txt Report' page, where the user can easily see whether a 'security.txt' file is available for each website.

Discussions are currently ongoing with the developers of ISPConfig and cPanel regarding support for security.txt in their software. The ISPConfig team has already indicated a willingness to add support.

Making the internet stronger

Mieke van Heesewijk, Programme Manager at SIDN Fund

The security.txt project is supported through the Strengthening the internet programme – one of SIDN Fund's 3 funding programmes, along with Empowering internet users and Internet and society. Most of the projects supported by the Strengthening the Internet programme involve open-source initiatives that come to SIDN Fund's attention through its own network. "We use a number of funding vehicles," explains Programme Manager Mieke van Heesewijk. "First there's our scheme for pioneering projects, which is open to anyone. Then we make themed calls for proposals, and we scout projects as well. Most of the projects that we fund through the Strengthening the Internet programme are scouted: we identify promising initiatives through our own network, and invite them to apply. That's what happened in this case, with the RA obviously being an organisation we know well."

The project grant wasn't linked to any concrete goals regarding the number of security.txt implementations. "This project will be a success if it substantially increases adoption of the security.txt protocol. So far, adoption in the Netherlands has been poor. We'd like to see that change, because security.txt can help make the internet stronger by increasing security. The project is attractive to SIDN Fund because the RA, SIDN and SIDN Labs are collaborating on it, and various other stakeholders are involved, including Internet.nl and the Digital Trust Center [DTC, an initiative by the Ministry of Economic Affairs aimed at increasing the Dutch business community's resilience to electronic threats]." According to Van Heesewijk, there is also scope for the development of plugins for other content management systems besides WordPress, if there's demand.

Financial incentive

Along with realisation of the security.txt WordPress plugin and native support for security.txt in the control panels, the project involves promotion of the standard's adoption. From 2025, SIDN plans to offer a financial incentive for the use of security.txt through the Registrar Scorecard (RSC) scheme. In practical terms, that will involve giving .nl registrars a rebate on domain names whose websites have valid 'security.txt' files. As the graph below shows, only 2.5 per cent of .nl websites had such a file in September 2024.

Experience with other open standards shows that a critical mass is needed to impart momentum to the adoption process. SIDN's incentive scheme is intended to give the adoption of certain standards a temporary boost, so as to create the necessary mass and get things moving. It does that by incentivising registrars to start using open standards that can make the internet more secure, but whose value can't yet be translated into billable services that end users are willing to pay for.

SIDN plans to make account-specific adoption data available to registrars via the RSC dashboard for the fourth quarter of this year. Registrars will then be able to start working with security.txt ahead of the incentive's introduction next year and payment of the first rebates in summer 2025. The amount payable per qualifying domain name will be decided in the months ahead.

Figure 2: The adoption of security.txt in the .nl zone as of August 15, 2024 (Source: stats.sidnlabs.nl)

Higher profile

The RA, SIDN Fund and SIDN are committed to raising the profile of security.txt this autumn. The recent Day of the Domain Name, Tuesday 24 September, provided one good opportunity. And the RA is busy reaching out to partners active in the promotion of open standards and security measures, including the DTC, Internet.nl and the Dutch Institute of Vulnerability Disclosure (DIVD, an initiative by the Dutch security community to alert the operators of websites that are vulnerable to known attack strategies). In the period ahead, these efforts will hopefully drive up the adoption and use of security.txt.

"Through the security.txt project, we're delivering added value for our members and supporters, while also working with SIDN, SIDN Fund and other stakeholders to make the internet more secure and to enable relevant actors to contact each other more quickly and easily," says RA Chair Berend van Dalfzen. "So everybody wins: the registrars, the registry and the local internet community."

Learn all about security.txt in 8 minutes

With security.txt, there's now an easy way to publish contact details and other info about reporting security issues. And you can learn all about the protocol in just 8 minutes by following the SIDN Academy's latest microlearning module. The module explains how to compile your own 'security.txt' file, where to upload it, and how security.txt supports a sound disclosure policy. The SIDN Academy is free for .nl registrars.