Wordpress security

WordPress 5.2 Security

May 9, 2019 by Oliver Sild

WordPress 5.2 “Jaco” named after bassist Jaco Pastorius, is available for download since May 7th. The new version includes more tools for identifying and fixing configuration issues and fatal errors.

It also has accessibility updates, new dashboard icons and most importantly security update for WordPress core. We, of course, focus our blog post on the security side of the new release.

Before you update

The new minimum supported PHP version is 5.6.20. Before you update, take a look at your hosting panel to see if your PHP version is compatible.

Monitor WordPress security issues with WebARX

Try WebARX for free

As a quick reminder, just 5 days before WordPress. 5.2 release, PHP 7.2.18 was released as well. Instead of updating your PHP to 5.6.20, jump over to PHP 7.X, it will improve your sites loading speed and general performance.

What is a Supply-Chain Attack?

Two years ago Paragon Initiative made a suggestion to secure WordPress core against infrastructure attacks. They were stressing the following scenario:

Currently, if an attacker can compromise api.wordpress.org, they can issue a fake WordPress update and gain access to every WordPress install on the Internet that has automatic updating enabled. 

WordPress 5.2

Given WordPress’s ubiquity, an attacker with control of 27% of websites on the Internet is a grave threat to the security of the rest of the Internet. I don’t know how much infrastructure could withstand that level of DDoS. (Maybe Google?)

Before WordPress 5.2, there was a risk that if someone would have hacked the WordPress update server, they would have been able to trick the automatic update feature into downloading and installing malicious code. This would have been a catastrophic event as today around 33.8% of the websites run on WordPress.

WordPress 5.2 cryptographically signed updates

On WordPress 5.2, the suggestion made by Paragon Initiative is now included in the WordPress core and the ticket has been closed as “fixed”. The solution prevents possible attacks where a malicious mass update is being released to all websites after someone has taken over the WordPress infrastructure.

The offline digital signatures feature included in the WordPress 5.2 build comes as a “first real layer of defence against a compromised update infrastructure”.

Scott Arciszewski – Paragon Initiative Enterprises

After WordPress 5.2, you would need to pull off the same attack and somehow pilfer the signing key from the WordPress core development team.

Scott Arciszewski – Paragon Initiative Enterprises

With WordPress 5.2, only the core updates are cryptographically signed, but plugins and themes will receive the same treatment in the future.

Site Health and WSOD Protection

After updating your site to the latest version of WordPress, you will notice a new Site Health page nested under the “Tools” menu.

From there, you will find issues and potential improvements which you as a website owner should be aware of. There is another feature originating from the servehappy project, a functionality that allows administrators to fix or mitigate fatal errors.

Site Health Status

As you navigate to “Tools” -> “Site Health”, you will end up on a “Status” page which essentially runs a series of tests on the site, which then will be categorized as critical, recommended or good responses. Most of the tests will also have an actionable item, and provide links to the appropriate areas on your dashboard.

WordPress 5.2

It will also show a controversial percentage of completion, which is scheduled to be removed on version 5.3.

Site Health Information

On top of the Site Health page, you will find an “Info” tab. This page is meant for debugging purposes and provides a wide range of information about the website and server setup.

WordPress 5.2

Fatal Error Recovery Mode in WordPress 5.2

In the recovery mode, plugins and themes which are causing an error are paused to ensure the access to the admin panel. When such an incident takes place, an email is being sent to the site admin email address informing about the issue with a link to the recovery mode.

Even in the case where a fatal error would commonly have made the backend completely inaccessible (for example through a so-called “white screen of death”), administrators will now still have the chance to log in and do something about the issue.


WordPress 5.2 and WebARX

We definitely see an improvement on security when it comes to cryptographically signed updates, site health monitoring and to error reporting to the site admins.

Next-Generation WordPress Security Platform for Developers

Try 7-day free trial
website firewall webarx website security

It also allows us to use these internal functionalities to give WebARX users an even better overview of their websites security via WebARX web application security platform. Meanwhile, the current version of WebARX is already compatible with WordPress 5.2.

Wordpress security

Start your free 7-day trial now

Protect your websites from malicious traffic - set-up in under 3 minutes.

Try it now

WebARX is compatible with the following platforms: