WordPress 5.2 ships with cryptographically signed updates and a modern cryptographic library
The WordPress content management system (CMS) today receives a set of new security features that add a level of protection many users have wanted for years.
The official release of WordPress 5.2, which includes these features, is expected later today.
The release includes support for cryptographically signed updates, a modern cryptography library, a Site Health section in the admin backend, and a feature that protects a website from the "white screen of death" (WSOD) in the event of catastrophic PHP errors.
With WordPress installed on approximately 33.8 percent of all websites, these features ease long-standing fears about certain attack vectors.
CRYPTOGRAPHICALLY SIGNED UPDATES
Probably the biggest and most important security feature of today’s release is the offline digital signature system for WordPress updates.
Starting with WordPress 5.2, the WordPress team will digitally sign its update packages with an Ed25519 public-key signature system, so that a local installation can verify the authenticity of an update package before applying it to the site.
Adding support for signed updates is an important step in averting a threat that security firms have been warning of for over two years: an attacker compromising every WordPress website at once through the update channel.
“Before WordPress 5.2, you just had to hack the [WordPress] update server if you wanted to infect every WordPress site on the Internet,” said Scott Arciszewski, chief development officer at Paragon Initiative Enterprises and one of the developers who helped secure WordPress updates.
“After WordPress 5.2, you would have to pull off the same attack and somehow also pilfer the signing key from the WordPress Core Development Team.”
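To make the signing model concrete, the following is an added example and not WordPress’s own update code: it shows how an Ed25519 detached signature lets an installation reject a tampered package or one signed with a foreign key. The key generation, the decision to sign a SHA-384 digest of the package, the function names and the sample package bytes are this example’s assumptions; every sodium_* call and SODIUM_* constant used exists in PHP 7.2+ (ext/sodium) and in the sodium_compat polyfill.

```php
<?php
// Added example, not WordPress's own update code. Assumes PHP 7.2+ ext/sodium
// or the sodium_compat polyfill; key handling and package bytes are constructed.

// Release side: done once, offline. Only the 32-byte public key ships in core;
// the secret key stays on the signing machine.
function make_release_keypair(): array {
    $keypair = sodium_crypto_sign_keypair();
    return [
        'secret' => sodium_crypto_sign_secretkey($keypair),
        'public' => sodium_crypto_sign_publickey($keypair),
    ];
}

// Signing a fixed-size digest keeps the signature small and lets the verifier
// hash large archives in a streaming fashion (an assumption of this example).
function package_digest(string $package): string {
    return hash('sha384', $package, true);
}

function sign_update_package(string $package, string $secretKey): string {
    return sodium_crypto_sign_detached(package_digest($package), $secretKey);
}

// Installation side: runs before the archive is unpacked. A length mismatch or a
// bad signature means "do not install", never just a warning.
function verify_update_package(string $package, string $signature, string $publicKey): bool {
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES
        || strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false;
    }
    return sodium_crypto_sign_verify_detached($signature, package_digest($package), $publicKey);
}

// Demonstration with a constructed stand-in for a downloaded update zip.
$keys      = make_release_keypair();
$package   = random_bytes(4096);
$signature = sign_update_package($package, $keys['secret']);

echo verify_update_package($package, $signature, $keys['public'])
    ? "genuine package: signature verifies\n"
    : "genuine package: REJECTED (unexpected)\n";

// Flip one byte, as a compromised update server could alter the archive.
$tampered = $package;
$tampered[100] = chr(ord($tampered[100]) ^ 0x01);
echo verify_update_package($tampered, $signature, $keys['public'])
    ? "tampered package: ACCEPTED (unexpected)\n"
    : "tampered package: rejected\n";

// A signature made with a different key also fails, because the installation
// trusts only the public key embedded in core.
$otherKeys = make_release_keypair();
$foreign   = sign_update_package($package, $otherKeys['secret']);
echo verify_update_package($package, $foreign, $keys['public'])
    ? "foreign signature: ACCEPTED (unexpected)\n"
    : "foreign signature: rejected\n";
```

The point of the two negative cases is the one Arciszewski makes above: compromising the download server alone no longer suffices, because the verifier only accepts signatures that the core team’s secret key produced.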
WORDPRESS GETS A MODERN CRYPTOGRAPHIC LIBRARY
But Arciszewski’s work on the WordPress CMS did not end there. He also helped replace WordPress’s old cryptographic library with one that fits modern times.
Beginning with WordPress 5.2, the CMS will support the libsodium library for all cryptographic operations, instead of the now deprecated and removed mcrypt.
Libsodium support and Arciszewski’s sodium_compat library are now part of the WordPress CMS source code; sodium_compat works as a polyfill for older PHP servers that don’t ship libsodium.
WordPress is now among the modern web development platforms that support libsodium natively, like PHP 7.2+, Magento 2.3+, and Joomla 3.8+.
Magento 2.3, Joomla 3.8, WordPress 5.2.
If you’re developing for any of these platforms and are using these versions, you already have sodium_compat installed.
Just use libsodium for your plugins/modules/extensions. Don’t even bother with mcrypt.
— Scott Arciszewski (@CiPHPerCoder) 7 May 2019
In addition, now that libsodium is part of the WordPress CMS core, plugin and theme developers can use it as well.
Arciszewski today published a blog post with basic advice for WordPress plugin and theme developers on how to replace old cryptographic functions with libsodium.
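As an added illustration of the kind of replacement that advice is about (this is not code from the article or from Arciszewski’s post), the block below swaps an mcrypt-era “encrypt a value before storing it” routine for libsodium’s authenticated secretbox. The function names and the demo key are assumptions; every sodium_* call and SODIUM_* constant exists in PHP 7.2+ (ext/sodium) and in the sodium_compat polyfill bundled with WordPress 5.2.

```php
<?php
// Added example, not from the article or Arciszewski's post. Assumes PHP 7.2+
// ext/sodium or sodium_compat; the key and sample plaintext are constructed.
//
// What the old pattern lacked: mcrypt_encrypt() with MCRYPT_RIJNDAEL_128 in
// CBC mode had no integrity check, so an altered ciphertext decrypted silently.
// secretbox (XSalsa20-Poly1305) rejects any modified ciphertext before
// returning a single byte of plaintext.

function secure_encrypt(string $plaintext, string $key): string {
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException(
            'Key must be exactly ' . SODIUM_CRYPTO_SECRETBOX_KEYBYTES . ' bytes'
        );
    }
    // One fresh random nonce per message. It is not secret and travels with the
    // ciphertext; reusing a nonce under the same key would break confidentiality.
    $nonce      = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);
    // Base64 so the value fits in a WordPress option or post meta field.
    return base64_encode($nonce . $ciphertext);
}

function secure_decrypt(string $encoded, string $key): string {
    $raw = base64_decode($encoded, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Malformed ciphertext');
    }
    // substr() is byte-oriented in PHP, which is what binary strings need.
    $nonce      = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext  = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    // The Poly1305 tag fails on any change to nonce or ciphertext: refuse rather
    // than hand back garbage, which is the behaviour mcrypt users were missing.
    if ($plaintext === false) {
        throw new RuntimeException('Ciphertext failed authentication');
    }
    return $plaintext;
}

// Demonstration. In a real plugin the key would live outside the database, for
// example as a constant in wp-config.php, rather than be generated per request.
$key    = sodium_crypto_secretbox_keygen();
$stored = secure_encrypt('api-token-example-0123456789', $key);
echo "round trip: ", secure_decrypt($stored, $key), "\n";

// Change one byte of the stored value and watch decryption refuse it.
$raw = base64_decode($stored, true);
$pos = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + 3;
$raw[$pos] = chr(ord($raw[$pos]) ^ 0x01);
try {
    secure_decrypt(base64_encode($raw), $key);
    echo "tampered value: ACCEPTED (unexpected)\n";
} catch (RuntimeException $e) {
    echo "tampered value: ", $e->getMessage(), "\n";
}
```

Because secretbox bundles the cipher and the MAC, a plugin that migrates to it gets integrity checking without having to remember to add and constant-time-compare an HMAC, which is where hand-rolled mcrypt wrappers most often went wrong.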
NEW SITE HEALTH SECTION
However, the first WordPress 5.2 security feature users will notice in today’s release is not a modification to the CMS code but the new “Site Health” section in the Tools menu of the admin panel.
This section contains two new pages, namely Site Health Status and Site Health Info.
The Site Health Status page works by running a series of basic security checks and reporting the findings, along with recommendations for resolving any identified problems.
The section ships with a number of bundled tests, but security plugin developers can also write their own to extend the checks into more areas of a WordPress website.
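The following added example (not one of WordPress’s bundled tests) shows what such a plugin-supplied check looks like: it registers a test through the site_status_tests filter that WordPress 5.2 introduces and flags installs where the built-in plugin and theme file editor is still enabled. The text domain, slugs and function names are this example’s assumptions; the filter name, the result array keys and the 'good'/'recommended'/'critical' statuses are those Site Health expects.

```php
<?php
// Added example, not one of WordPress's bundled Site Health tests. Runs inside a
// plugin; text domain, slugs and function names are constructed for the demo.

add_filter('site_status_tests', function (array $tests): array {
    // 'direct' tests run while the Site Health page renders; 'async' tests are
    // requested by the browser afterwards (use those for anything slow).
    $tests['direct']['example_file_editor'] = [
        'label' => __('Plugin and theme file editor', 'example-plugin'),
        'test'  => 'example_plugin_file_editor_test',
    ];
    return $tests;
});

function example_plugin_file_editor_test(): array {
    // Default result: the check passes.
    $result = [
        'label'       => __('The plugin and theme file editor is disabled', 'example-plugin'),
        'status'      => 'good',          // 'good', 'recommended' or 'critical'
        'badge'       => [
            'label' => __('Security', 'example-plugin'),
            'color' => 'blue',
        ],
        'description' => '<p>' . __(
            'DISALLOW_FILE_EDIT is set, so an administrator session alone cannot be used to edit PHP files from the dashboard.',
            'example-plugin'
        ) . '</p>',
        'actions'     => '',
        'test'        => 'example_file_editor',   // slug echoed back in the report
    ];

    // Downgrade the result when the constant is missing or false.
    if (!defined('DISALLOW_FILE_EDIT') || !DISALLOW_FILE_EDIT) {
        $result['label']          = __('The plugin and theme file editor is enabled', 'example-plugin');
        $result['status']         = 'recommended';
        $result['badge']['color'] = 'orange';
        $result['description']    = '<p>' . __(
            'Any administrator account, including a compromised one, can write PHP into plugins and themes from the dashboard. Disabling the editor removes that path.',
            'example-plugin'
        ) . '</p>';
        $result['actions']        = '<p><code>' . esc_html("define('DISALLOW_FILE_EDIT', true);") . '</code> '
            . __('in wp-config.php turns the editor off.', 'example-plugin') . '</p>';
    }

    return $result;
}
```

The same shape applies to any other configuration a security plugin wants to surface, for example whether automatic background updates are still enabled or whether XML-RPC is exposed: register a slug under 'direct' or 'async', and return a result array whose status drives the colour and ordering on the Site Health Status page.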
Image: Marius L. J.
The second page, Site Health Info, is what its name implies: it provides a wealth of information about the site and server installation and is intended for debugging, or for sharing server details with an IT specialist when seeking support.
It covers the WordPress installation, the underlying server, themes, and file storage usage.
Image: Marius L. J.
Another new security feature in WordPress 5.2 is the Servehappy project. It was originally planned for release with WordPress 5.1 but was split in two, with one part delivered in WordPress 5.1 and the other part delivered today in WordPress 5.2.
WordPress 5.1 included the ability to warn administrators when their server runs an outdated PHP version.
WordPress 5.2, available now, includes ‘White Screen of Death’ (WSOD) protection, also called ‘Fatal Error Protection’, which works as a ‘safe mode’ for WordPress sites.
WSOD protection works by temporarily disabling themes and plugins when a fatal PHP error occurs, so that site administrators can regain access to the backend and fix the error.
Image: Felix Arntz
The feature was initially scheduled for WordPress 5.1 but was postponed to 5.2 after security researchers raised a number of scenarios in which attackers could have abused the WSOD protection system to disable WordPress plugins and launch attacks on WordPress sites.
But improving WordPress security won’t stop with the release of 5.2. Further projects include the Gossamer project, planned for WordPress 5.4.
The Gossamer project aims to port the same code signing system used for WordPress core updates into a framework that developers can also use to sign code for WordPress themes and plugins.