WordPress 5.2 to Come with Supply-Chain Attack Protection – BleepingComputer
The WordPress 5.2 build which will be released today will ship with offline digital signatures for all core updates as a defense measure against possible supply-chain attacks, with support for themes, plugins, and translations to be delivered at a later date.
This new feature complements the automatic update mechanism WordPress introduced with version 3.7, released on October 24, 2013, and it makes it possible to prevent threat actors who have taken control of the WordPress infrastructure from issuing a mass update that pushes malicious code onto all installations.
Before the WordPress 5.2 release, this could be possible because there was no signature verification mechanism available for the packages issued by the update server.
Additionally, since “By default, every site has automatic updates enabled for minor core releases and translation files,” according to the WordPress documentation site, such an attack would lead to the immediate infection of approximately 33.8% of all websites on the Internet.
“A failure of this magnitude would be catastrophic for the Web. Furthermore, it would provide a massive attack platform for the attacker, who would control millions of web hosting accounts from which they could launch further attacks,” said WordFence in an analysis of a potential WordPress infrastructure attack vector.
The offline digital signatures feature included in the WordPress 5.2 build comes as a “first real layer of defense against a compromised update infrastructure” as explained by Paragon Initiative Enterprises’ Scott Arciszewski.
Paragon Initiative Enterprises was behind the initial proposal, made two years ago, to secure WordPress against infrastructure attacks; the corresponding ticket was closed just 13 days ago, after many of its suggestions were included in the WordPress 5.2 code base.
Before WordPress 5.2, if you wanted to infect every WordPress site on the Internet (approximately 33.8% of websites as of this writing), you just had to hack their update server. Upon doing so, you can trick the automatic update feature into downloading and installing arbitrary code, which allows you to do all sorts of nefarious things (e.g. build the world’s largest DDoS botnet).
After WordPress 5.2, you would need to pull off the same attack and somehow pilfer the signing key from the WordPress core development team.
Right now only the core WordPress updates are cryptographically signed, with plugins and themes to also receive the same treatment in the future.
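The verification step the article describes, as an added illustration that is not WordPress's own code: a release is signed offline with a private key that never reaches the update server, the matching public key is pinned inside the installed codebase, and the updater refuses any package whose detached signature does not verify against a pinned key. Ed25519 from the Go standard library is used here as a stand-in algorithm (the article does not name WordPress's signature scheme), and the package bytes are constructed sample strings rather than real release archives.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePackage is what the update server delivers: the archive bytes plus a
// detached signature produced offline by the release team.
type UpdatePackage struct {
	Body      []byte
	Signature []byte
}

// Verifier holds the release public keys pinned in the shipped codebase.
// Holding a list lets a key be rotated without a window where nothing verifies.
type Verifier struct {
	pinned []ed25519.PublicKey
}

var ErrBadSignature = errors.New("update rejected: signature does not verify against any pinned release key")

// VerifyUpdate is the gate the auto-updater must pass before unpacking anything.
// A compromised update server can change Body, strip Signature, or sign with its
// own key; all three paths return an error here.
func (v *Verifier) VerifyUpdate(pkg UpdatePackage) error {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return ErrBadSignature // missing or malformed signature is treated as a failure, never as "unsigned but fine"
	}
	for _, pk := range v.pinned {
		if ed25519.Verify(pk, pkg.Body, pkg.Signature) {
			return nil
		}
	}
	return ErrBadSignature
}

// SignRelease models the offline step performed by the core team; in a real
// deployment priv lives on an air-gapped machine, not on the update server.
func SignRelease(priv ed25519.PrivateKey, body []byte) UpdatePackage {
	return UpdatePackage{Body: body, Signature: ed25519.Sign(priv, body)}
}

// Demo walks through the three cases a defender cares about and returns
// (genuineAccepted, tamperedRejected, forgedRejected).
func Demo() (bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // hypothetical release key pair
	if err != nil {
		panic(err)
	}
	v := &Verifier{pinned: []ed25519.PublicKey{pub}}

	release := []byte("constructed sample: wordpress-5.2.zip bytes") // constructed, not a real archive
	genuine := SignRelease(priv, release)

	// Case 1: server compromised, body swapped, original signature replayed.
	tampered := genuine
	tampered.Body = []byte("constructed sample: backdoored archive bytes")

	// Case 2: attacker signs the swapped body with a key they control.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	forged := SignRelease(attackerPriv, tampered.Body)

	return v.VerifyUpdate(genuine) == nil,
		v.VerifyUpdate(tampered) != nil,
		v.VerifyUpdate(forged) != nil
}

func main() {
	ok, tamperedRejected, forgedRejected := Demo()
	fmt.Printf("genuine accepted: %v, tampered rejected: %v, forged rejected: %v\n",
		ok, tamperedRejected, forgedRejected)
}
```

The design point is that the updater's trust anchor is the pinned public key in the installed code, not the update server's TLS certificate: compromising the server yields bytes the installer can fetch but cannot be made to trust. An unsigned package is rejected in the same branch as a bad signature so that a "signature header missing" condition can never degrade to the pre-5.2 behaviour.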
A code-signing feature for developers is also planned, allowing them “to sign their own releases and publish these signatures (and related metadata) to an append-only cryptographic ledger. Once this is done, WordPress’s auto-update will finally be secure.”
The addition of supply-chain mitigation to WordPress is definitely an important step forward: while it cannot stop every attack against WordPress-powered websites head on, it will definitely reduce the attack surface.
More details on the other improvements, new features, and fixes that will ship with WordPress 5.2 are available in the WordPress 5.2 field guide.