‘Jaco’ builds on Site Health security feature and adds supply chain attack mitigations

Over the past 24 hours, millions of WordPress sites updated to version 5.2 of the content management system (CMS), which enhances the Site Health security feature and adds protection against supply chain attacks.

First introduced in version 5.1 back in February, Site Health is designed to alert site owners when they are using outdated versions of PHP.

When installing new plugins, the feature also checks to see if the add-on requires a version of PHP that’s incompatible with the site. If so, WordPress will prevent admins from installing that plugin.

The latest version of WordPress core – dubbed ‘Jaco’, in honor of the American jazz bassist Jaco Pastorius – adds two new Site Health pages to help admins debug common configuration issues.

In addition, version 5.2 features PHP Error Protection, which helps site owners to safely fix or manage fatal errors without site crashes.

Secure updates

Given its status as the world’s most popular CMS, WordPress has long invited the attention of attackers.

In an effort to keep sites updated with the latest security patches, the developers introduced an (optional) automated update mechanism back in October 2013.

While this has no doubt helped to protect millions of sites, it comes with the risk that if the WordPress update server was compromised, an attacker could push out malicious updates – a so-called supply chain attack.

Scott Arciszewski of the Paragon Initiative explains:

[T]he WordPress automatic update feature had one glaring Achilles’ heel: If a criminal or nation state were to hack into the WordPress update server, they could trigger a fake automatic update to infect WordPress sites with malware.

This isn’t just a theoretical concern, it could have happened if not for WordFence’s security researchers finding and disclosing an easy attack vector into their infrastructure.

Six years on since the rollout of automatic updates, WordPress 5.2 now provides offline digital signatures, which aims to provide a measure of defense against a compromised update infrastructure.

“Before WordPress 5.2, if you wanted to infect every WordPress site on the internet… you just had to hack their update server,” said Arciszewski.

“After WordPress 5.2, you would need to pull off the same attack and somehow pilfer the signing key from the WordPress core development team.”

Web admins who have turned automatic updates off can upgrade to WordPress 5.2 through their dashboard, or via the WordPress core download page.


RELATED Toxic comments: WordPress admins under threat from latest bug