WordPress 5.2 Improves the Security of Automatic Updates

WordPress 5.2, released earlier this month, added the first step towards fully secure updates with offline digital signatures. Scott Arciszewski, Chief Development Officer for Paragon Initiative Enterprises, explains how it works and how developers can migrate away from mcrypt to libsodium.

When your WordPress site installs an automatic update, from version 5.2 onwards, it will first check for the existence of an x-content-signature header.

If one isn’t provided by the update server, your WordPress site will instead query for a filenamehere.sig file.

No matter how it’s delivered, the signatures are calculated using Ed25519 of the SHA384 hash of the file’s contents. The signature is base64-encoded for safe transport.

Scott Arciszewski

The WordPress core development team manages the signing (secret) keys. WordPress 5.2 contains a signing key that expires on April 1, 2021. The verification key (public key) is the counterpart of that secret key, and it is what determines the validity of a signature.

Since the feature is still in an experimental phase, WordPress 5.2 allows an update to occur if a soft error or invalid signature is encountered. This is to prevent more severe errors from causing the user to be locked out of the update process until a manual update is applied. The team will use the reported error information to improve the signature checking process.
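As an added illustration of the check described above (this is example code, not WordPress core's own implementation), the following PHP uses ext/sodium to verify an Ed25519 signature over the SHA-384 hash of a package, taking the base64 signature from an x-content-signature header or else from a companion .sig file. The helper names, the throwaway key pair and the sample package are constructed for the example.

```php
<?php
// Added example, not WordPress core code: Ed25519 signature over SHA-384(file),
// base64-encoded, delivered in an x-content-signature header or a <file>.sig
// sidecar, as the article describes. Needs ext/sodium (PHP 7.2+) or sodium_compat.

/** Hypothetical helper: header first, then the sidecar .sig file; null if neither. */
function locate_signature(array $headers, string $file): ?string {
    foreach ($headers as $name => $value) {
        if (strtolower($name) === 'x-content-signature') {
            return trim($value);
        }
    }
    $sig_file = $file . '.sig';
    return is_readable($sig_file) ? trim((string) file_get_contents($sig_file)) : null;
}

/** True only if the signature verifies under one of the trusted public keys. */
function verify_update_signature(string $file, string $signature_b64, array $trusted_pubkeys): bool {
    $signature = base64_decode($signature_b64, true); // strict mode: reject junk input
    if ($signature === false || strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false; // malformed signature counts as unverified
    }
    $digest = hash_file('sha384', $file, true); // raw 48-byte SHA-384 of the package
    foreach ($trusted_pubkeys as $pk) {
        if (sodium_crypto_sign_verify_detached($signature, $digest, $pk)) {
            return true;
        }
    }
    return false;
}

// Constructed demo: a throwaway key pair stands in for the core team's signing key.
$keypair = sodium_crypto_sign_keypair();
$public  = sodium_crypto_sign_publickey($keypair);
$secret  = sodium_crypto_sign_secretkey($keypair);

$package = tempnam(sys_get_temp_dir(), 'wp-update-');
file_put_contents($package, 'constructed update payload');
$sig_b64 = base64_encode(sodium_crypto_sign_detached(hash_file('sha384', $package, true), $secret));

// Intact package, signature delivered in the header: verifies.
$sig = locate_signature(['X-Content-Signature' => $sig_b64], $package);
var_dump(verify_update_signature($package, $sig, [$public]));

// Package altered after signing: the same signature no longer verifies.
file_put_contents($package, 'tampered payload');
$ok = verify_update_signature($package, $sig, [$public]);
echo $ok ? "verified\n" : "signature invalid: WordPress 5.2 logs this but still applies the update\n";
unlink($package);
```

The second case is where 5.2's soft-fail behaviour matters: a production verifier would refuse the package, whereas 5.2 only reports the failure.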

The digital signatures are only supported for core updates with Themes and Plugins to follow in a later release. It’s also likely that the team will include separate keys for core releases, plugins, themes, translations, etc. to allow for more fine-grained control.

Digital signatures applied to WordPress core updates are an important milestone because they prevent users from unknowingly downloading updates from malicious sources.

For example, without digital signatures, if the server or servers that house the core update files were compromised, a false update could be sent to millions of sites. In 2016, WordFence explained how this scenario could play out when they publicized a security vulnerability they discovered with api.wordpress.org.

Persistence Pays Off

In early 2017, Arciszewski published a plea to Matt Mullenweg to focus on securing WordPress’ automatic updates system by using secure cryptographic signatures. Mullenweg responded to the article with one of his own on Medium.

We will at some point; as said above it’s a good idea — can’t hurt, might help. There are, however, some more important security issues in front of it, that impact millions of sites in the real world, so we are prioritizing those issues above a nice-to-have, defense in-depth effort.

Matt Mullenweg

Arciszewski has spent at least six years trying to convince the core team to implement digitally signed updates. Four months ago, Gary Pendergast, WordPress core developer, responded to the ticket saying that the feature fell in line with the list of WordPress priorities planned for 2019 and beyond. Pendergast laid out a plan and with a confirmed commitment to landing it in core, Arciszewski worked with the core team to make it a reality.

Millions of WordPress sites are on their way to becoming more secure thanks to the persistence and efforts of Arciszewski and the WordPress core team.


6 Comments


  1. How would this affect services like ManageWP?



  2. I was really excited about this addition to core and think it’s a great step in terms of security. That ticket was a few years old and I remember that #StopMullware twitter incident from a few years back.



  3. I have used this “Site Health” innovation to check the results but to my dismay I scored badly because:
     1. I should upgrade to latest version of PHP!! I have been on 7.2.* since whenever. FAIL!
     2. ‘One or more recommended modules are missing’ Really!
        a. Fileinfo
        b. Imagick
     Neither of these I had heard of so I looked them up and “lo and behold” they both belong to Automattic would you believe. Incredible; I am now subject to abuse because my site does not use a product which is (according to my google research) designed for wordpress.com users.
     Well well. What do we expect next?



     1. 1. The latest version of PHP is 7.3.5.
        2. Neither FileInfo nor Imagick are owned by Automattic.
        3. Research isn’t that hard.

