WordPress finally gets the security features a third of the Internet deserves

WordPress 5.2 released with support for cryptographically-signed updates, a modern cryptographic library.
Written by Catalin Cimpanu, Contributor

The WordPress content management system (CMS) is set to receive an assortment of new security features today that will finally add the protection level that many of its users have desired for years.

These features are expected to land with the official release of WordPress 5.2, expected for later today.

Included are support for cryptographically-signed updates, support for a modern cryptography library, a Site Health section in the admin panel backend, and a feature that will act as a White-Screen-of-Death (WSOD) protection --letting site admins access their backend in the case of catastrophic PHP errors.

With WordPress being installed on around 33.8 percent of all internet sites, these features are set to put some fears at ease in regards to some attack vectors.

Cryptographically-signed updates

Probably the biggest and the most important of today's new security features is WordPress' offline digital signatures system.

Starting with WordPress 5.2, the WordPress team will digitally sign its update packages with the Ed25519 public-key signature system so that a local installation will be able to verify the update package's authenticity before applying it to a local site.

Adding support for cryptographically-signed updates is an important step in preventing threat actors from carrying out a supply-chain attack on all WordPress sites, something that security firms have warned for more than two years now.

"Before WordPress 5.2, if you wanted to infect every WordPress site on the Internet, you just had to hack [the WordPress] update server," said Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises, and one of the developers involved in securing the WordPress update system.

"After WordPress 5.2, you would need to pull off the same attack and somehow pilfer the signing key from the WordPress core development team."

WordPress gets a modern cryptographic library

But Arciszewski's work on the WordPress CMS did not end here. He also contributed to WordPress replacing an aging cryptographic library with one that's fit for modern times.

Starting with WordPress 5.2, the CMS will support the Libsodium library for all cryptographic operations, instead of the now-deprecated and removed mcrypt.

Libsodium is now part of the WordPress CMS source code, along with Arciszewski's sodium_compat library that works as a polyfill for older PHP servers that don't support Libsodium.

WordPress now joins the ranks of modern web-dev tools that natively support Libsodium, such as PHP 7.2+, Magento 2.3+, and Joomla 3.8+.

Furthermore, with Libsodium's addition to the WordPress CMS core, this also means plugin and theme developers can start supporting it as well.

Arciszewski published today a blog post with basic advice for WordPress plugin and theme developers on how to replace old mcrypt cryptographic functions with libsodium ones.

New Site Health section

But the first WordPress 5.2 security features that users will spot in today's release are not the changes to the CMS' code, but the new "Site Health" section in the admin panel's Tools menu.

This section includes two new pages --namely Site Health Status and Site Health Info.

The Site Health Status page works by running a set of basic security checks and delivering a report with the findings, along with recommendations to fix any discovered issues.

This section comes with a series of bundled tests, but site owners and developers of security plugins can also write their own to expand security checks to more areas of a WordPress site.

WordPress Site Health Status
Image: Marius L. J.

The second section, named Site Health Info, is what its name implies. It provides a plethora of information about the website and server setup and is meant for debugging purposes or when needing to share server details with an IT professional for support services.

Info is provided about the WordPress install, the underlying server, plugins, themes, and file storage usage.

WordPress Site Health Info
Image: Marius L. J.

Servehappy feature

Another new security feature included with WordPress 5.2 is the Servehappy project, which was initially scheduled to be released with WordPress 5.1 but was split in two, with one part of the project shipping with WordPress 5.1 and the other half being shipped today, with WordPress 5.2.

WordPress 5.1 included the ability to show warnings when WordPress servers were running on servers with outdated PHP versions.

WordPress 5.2, released today, will include a feature called 'White Screen Of Death' (WSOD) protection, also known as "Fatal error protection," and works as a "Safe Mode" for WordPress sites.

WSOD protection works by temporarily disabling themes and plugins when a PHP fatal error is encountered, so that site admins can regain access to their sites' backends and fix the error.

WordPress WSOD Protection
Image: Felix Arntz

The feature was initially scheduled for WordPress 5.1 but was delayed to v5.2 after security researchers raised several scenarios in which hackers could have abused the WSOD protection system to turn off WordPress security plugins and launch attacks on WordPress sites.

Future plans

But work on improving WordPress security will not stop with the release of the 5.2 version. Other projects include project Gossamer, scheduled for WordPress 5.4.

Project Gossamer aims to port the same code-signing system used for the main WordPress updates into a framework that developers can use to code-sign updates for WordPress themes and plugins as well.

WordPress 5.0 is out. Here's a tour of the new features!

Related cybersecurity coverage:

Editorial standards