
WordPress 5.2 Brings New Security Features

WordPress released version 5.2 of the popular content management system (CMS) this week, which includes new security and stability features. 

Named “Jaco,” the update is already available in the WordPress dashboard and makes it easier than before for administrators to recover a site when something goes wrong. 


Version 5.2 includes more robust tools for identifying and fixing common configuration issues, and also adds space where developers can include debugging information for site maintainers.

It also comes with PHP Error Protection, which lets administrators deal with fatal errors without needing a developer: instead of the so-called “white screen of death,” the site can enter a recovery mode in which the plugin or theme that caused the error is paused until it is fixed.

The new WordPress release requires PHP 5.6.20 or newer. It can also determine whether the running PHP version is compatible with installed plugins, and it blocks activation of any plugin that declares a requirement for a higher PHP version than the one the site runs. 
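The activation gate described above, as an added example that is not WordPress core code: a plugin declares its minimum PHP version in a “Requires PHP” line of its header comment, and the host refuses activation when the running interpreter is older. The function names and the sample plugin header are constructed for this illustration; the header format itself is the one WordPress plugins use.

```php
<?php
// Added example (not WordPress core code): a minimal version of the
// "Requires PHP" gate that WordPress 5.2 applies before activating a plugin.
// The function names and the sample plugin source are constructed here.

/**
 * Extract a header value (e.g. "Requires PHP") from a plugin's main file.
 * WordPress reads these from the file's leading comment block, one
 * "Name: value" pair per line.
 */
function example_get_plugin_header(string $source, string $header)
{
    // Match "Requires PHP: 7.2" allowing leading comment markers (* or //).
    $pattern = '/^[ \t\/*#@]*' . preg_quote($header, '/') . ':\s*(.+?)\s*$/mi';
    if (preg_match($pattern, $source, $m) !== 1) {
        return null;
    }
    // Strip a trailing comment close if the line ends the block.
    return trim(str_replace('*/', '', $m[1]));
}

/**
 * Decide whether a plugin may be activated on the running PHP version.
 * Returns true when allowed, or a string describing the mismatch.
 */
function example_can_activate_plugin(string $source, string $runningPhp = PHP_VERSION)
{
    $required = example_get_plugin_header($source, 'Requires PHP');
    if ($required === null) {
        return true; // No declared requirement: behave as before 5.2.
    }
    // version_compare() understands "5.6.20" vs "7.2" style strings correctly.
    if (version_compare($runningPhp, $required, '>=')) {
        return true;
    }
    return sprintf(
        'Plugin requires PHP %s or newer, but this site runs PHP %s.',
        $required,
        $runningPhp
    );
}

// Constructed sample plugin header, as WordPress would read it from
// wp-content/plugins/example/example.php.
$pluginSource = <<<'PHP'
<?php
/**
 * Plugin Name: Example Plugin
 * Requires PHP: 7.2
 * Requires at least: 5.2
 */
PHP;

// On the 5.2 minimum (5.6.20) activation is refused with a message;
// on a 7.x interpreter the same plugin activates.
var_dump(example_can_activate_plugin($pluginSource, '5.6.20'));
var_dump(example_can_activate_plugin($pluginSource, '7.3.5'));
```

The comparison must use version_compare() rather than a string or float comparison: as a string, "5.6.20" sorts after "5.6.3", and as a float "7.10" is less than "7.2", both of which would let an incompatible plugin through.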

WordPress 5.2 also adds a layer of defense against a compromised update infrastructure: offline digital signatures (Ed25519), a new feature that lets a site check that a downloaded update carries a valid signature from the core team before installing it. 

“For the first release, WordPress will (by default) soft-fail if the signature is not valid. In future releases, the default will be configured to a hard failure. The reason for this unsafe default is to ensure updates aren’t blocked if there’s a bug in the update code,” Paragon Initiative Enterprises’ Scott Arciszewski explains.

With one third of all websites out there running WordPress, the new security features mark a turning point in the CMS’ evolution. 


Before WordPress 5.2, an attacker only needed to hack the update server and trick the update mechanism into running arbitrary code to infect every WordPress site out there. Following the update to WordPress 5.2, the attacker also needs to steal the signing key from the WordPress core development team, Arciszewski says. 

Another change in WordPress 5.2 is the inclusion of sodium_compat in the CMS. It is a pure-PHP polyfill for installations that lack libsodium, the cryptography library that provides the signature primitives used for verification. PHP 7.2 and newer bundle the sodium extension; on WordPress installations running older PHP versions, update signature verification is provided by sodium_compat instead.
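Both the signature check and the soft-fail policy described above, as one added example that is not WordPress core code: a client verifies a detached Ed25519 signature over a package against a set of pinned public keys, and a policy function decides what an invalid or missing signature means. The code uses the libsodium API as PHP 7.2+ exposes it in ext/sodium; on older PHP the same function names come from sodium_compat (require its autoloader first). The key pair, the package bytes, the choice to sign a SHA-384 digest of the package rather than the raw bytes, and the function names are assumptions made for this illustration, not a description of core’s exact implementation.

```php
<?php
// Added example, not WordPress core code: verifying an offline Ed25519
// signature on an update package and applying a soft-fail or hard-fail
// policy. Requires ext/sodium (PHP 7.2+) or sodium_compat on older PHP
// (e.g. require 'vendor/autoload.php'; from paragonie/sodium_compat).
// Key pair, package bytes and the digest-then-sign layout are constructed
// here; in a real deployment the public key is pinned in the client and the
// private key never leaves the release signing environment.

/**
 * Verify a detached Ed25519 signature over the SHA-384 digest of a package
 * against any one of the trusted public keys. Returns true only for a
 * well-formed signature that validates; malformed input is never an error,
 * it is simply "not valid".
 */
function example_verify_package(string $packageBytes, string $signatureB64, array $trustedPublicKeys): bool
{
    $digest    = hash('sha384', $packageBytes, true); // raw 48-byte digest
    $signature = base64_decode($signatureB64, true);   // strict decoding
    if ($signature === false || strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    foreach ($trustedPublicKeys as $publicKey) {
        if (strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
            continue; // skip a malformed key rather than let it vouch for anything
        }
        if (sodium_crypto_sign_verify_detached($signature, $digest, $publicKey)) {
            return true;
        }
    }
    return false;
}

/**
 * The 5.2 policy: with soft fail the update still installs on a bad or missing
 * signature (only a warning results); with hard fail the install is aborted.
 * Returns "install", "install-with-warning" or "abort".
 */
function example_update_decision(bool $signatureValid, bool $softFail): string
{
    if ($signatureValid) {
        return 'install';
    }
    return $softFail ? 'install-with-warning' : 'abort';
}

// --- Constructed demonstration -------------------------------------------
$keypair   = sodium_crypto_sign_keypair();            // release signing key pair
$secretKey = sodium_crypto_sign_secretkey($keypair);  // stays with the release team
$publicKey = sodium_crypto_sign_publickey($keypair);  // shipped inside the client

// Constructed stand-in for a wordpress-5.2.zip download.
$package   = "PK\x03\x04 constructed wordpress-5.2.zip bytes";
$signature = base64_encode(
    sodium_crypto_sign_detached(hash('sha384', $package, true), $secretKey)
);

// What a compromised mirror or update server would serve: the archive with
// one byte appended, delivered alongside the original signature.
$tampered  = $package . 'X';

foreach ([[$package, 'genuine'], [$tampered, 'tampered']] as [$bytes, $label]) {
    $valid = example_verify_package($bytes, $signature, [$publicKey]);
    printf(
        "%-8s valid=%s  soft-fail=%-20s hard-fail=%s\n",
        $label,
        var_export($valid, true),
        example_update_decision($valid, true),
        example_update_decision($valid, false)
    );
}
```

The tampered package fails verification in both modes; the difference is only in what happens next. Under the soft-fail default the client installs it anyway and records a warning, which is exactly why the release notes call the default unsafe: a site is no better protected against a hijacked update server until hard fail is turned on. The behaviour the page describes for a future release corresponds to calling the policy with soft fail disabled.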

At the moment, only core WordPress updates are covered by the offline digital signatures; themes and plugins are still not cryptographically signed. A system that lets vendors sign their own releases will follow, extending the protection to the whole of WordPress’s auto-update process, Arciszewski says. 

The system is called Gossamer and is expected to arrive in WordPress 5.3 or 5.4, depending on how testing with the current release goes.

“If WordPress’s goal is to democratize publishing, then Gossamer’s goal is to democratize code-signing,” Arciszewski concludes. 

Related: WordPress 5.1.1 Patches Remote Code Execution Vulnerability

Related: WordPress to Warn on Outdated PHP Versions

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
