WordPress is getting some much needed new security features in its latest update, WordPress 5.2, which is rolling out now to websites around the world.
The world's most popular content management system (CMS) is adding support for cryptographically-signed updates, a modern cryptography library, a Site Health section in the admin panel and White-Screen-of-Death (WSOD) protection.
Beginning with WordPress 5.2, the WordPress team will digitally sign its update packages using the ED25519 public-key signature system. This will allow a local installation to verify the update package's authenticity before applying it to a local site and can even help prevent supply-chain attacks on all WordPress sites.
- Remote code execution vulnerability discovered in WordPress
- Security researcher exposes zero-day WordPress vulnerabilities
- What Is Managed WordPress hosting?
Chief Development Officer at Paragon Initiatives Enterprises, Scott Arciszewski explained how WordPress 5.2 will make launching attacks against the platform more difficult for cybercriminals to ZDNet, saying:
"Before WordPress 5.2, if you wanted to infect every WordPress site on the Internet, you just had to hack [the WordPress] update server. After WordPress 5.2, you would need to pull off the same attack and somehow pilfer the signing key from the WordPress core development team."
WordPress is aiming to improve website security with its new “Site Health” section in the admin panel's Tools menu which includes two new pages: Site Health Status and Site Health Info.
The Site Health Status page runs a set of basic security checks and delivers a report with the findings and recommendations on how to fix any issues it discovered while the Site Health Info section provides a wealth of useful information about a website and its server setup. Information is also provided about the WordPress install itself, file storage usage, plugins and themes.
The Serverhappy project is another new security feature included in the latest release of WordPress. While WordPress 5.1 included the ability to show warnings when WordPress installs were running on servers with outdated PHP versions, WordPress 5.2 includes WSOD protection that works as a safe mode for WordPress sites.
WSOD protection can temporarily disable themes and plugins when a PHP fatal error is encountered so that site admins can access their sites' backends and fix the error.
Improved security for a system used on 33.8 percent of the world's websites is certainly a welcome addition especially after Alert Logic (opens in new tab) recently discovered a vulnerability in the WP live chat plugin for WordPress that could allow attackers to upload arbitrary malicious files to vulnerable systems.
- Concerned about the security of your WordPress site? We've also highlighted the best managed WordPress hosting