May 9, 2019 by Oliver Sild
It also has accessibility updates, new dashboard icons and most importantly security update for WordPress core. We, of course, focus our blog post on the security side of the new release.
The new minimum supported PHP version is 5.6.20. Before you update, take a look at your hosting panel to see if your PHP version is compatible.
As a quick reminder, just 5 days before WordPress. 5.2 release, PHP 7.2.18 was released as well. Instead of updating your PHP to 5.6.20, jump over to PHP 7.X, it will improve your sites loading speed and general performance.
Two years ago Paragon Initiative made a suggestion to secure WordPress core against infrastructure attacks. They were stressing the following scenario:
Currently, if an attacker can compromise api.wordpress.org, they can issue a fake WordPress update and gain access to every WordPress install on the Internet that has automatic updating enabled.
Given WordPress’s ubiquity, an attacker with control of 27% of websites on the Internet is a grave threat to the security of the rest of the Internet. I don’t know how much infrastructure could withstand that level of DDoS. (Maybe Google?)
Before WordPress 5.2, there was a risk that if someone would have hacked the WordPress update server, they would have been able to trick the automatic update feature into downloading and installing malicious code. This would have been a catastrophic event as today around 33.8% of the websites run on WordPress.
On WordPress 5.2, the suggestion made by Paragon Initiative is now included in the WordPress core and the ticket has been closed as “fixed”. The solution prevents possible attacks where a malicious mass update is being released to all websites after someone has taken over the WordPress infrastructure.
The offline digital signatures feature included in the WordPress 5.2 build comes as a “first real layer of defence against a compromised update infrastructure”.Scott Arciszewski – Paragon Initiative Enterprises
After WordPress 5.2, you would need to pull off the same attack and somehow pilfer the signing key from the WordPress core development team.Scott Arciszewski – Paragon Initiative Enterprises
With WordPress 5.2, only the core updates are cryptographically signed, but plugins and themes will receive the same treatment in the future.
After updating your site to the latest version of WordPress, you will notice a new Site Health page nested under the “Tools” menu.
From there, you will find issues and potential improvements which you as a website owner should be aware of. There is another feature originating from the servehappy project, a functionality that allows administrators to fix or mitigate fatal errors.
As you navigate to “Tools” -> “Site Health”, you will end up on a “Status” page which essentially runs a series of tests on the site, which then will be categorized as critical, recommended or good responses. Most of the tests will also have an actionable item, and provide links to the appropriate areas on your dashboard.
It will also show a controversial percentage of completion, which is scheduled to be removed on version 5.3.
On top of the Site Health page, you will find an “Info” tab. This page is meant for debugging purposes and provides a wide range of information about the website and server setup.
In the recovery mode, plugins and themes which are causing an error are paused to ensure the access to the admin panel. When such an incident takes place, an email is being sent to the site admin email address informing about the issue with a link to the recovery mode.
Even in the case where a fatal error would commonly have made the backend completely inaccessible (for example through a so-called “white screen of death”), administrators will now still have the chance to log in and do something about the issue.Source
We definitely see an improvement on security when it comes to cryptographically signed updates, site health monitoring and to error reporting to the site admins.
It also allows us to use these internal functionalities to give WebARX users an even better overview of their websites security via WebARX web application security platform. Meanwhile, the current version of WebARX is already compatible with WordPress 5.2.