
WordPress Finally Gets the Security Features a Third of the Internet Deserves (zdnet.com)

The WordPress content management system (CMS) is set to receive an assortment of new security features today that will finally add the protection level that many of its users have desired for years. From a report: These features are expected to land with the official release of WordPress 5.2, expected for later today. Included are support for cryptographically-signed updates, support for a modern cryptography library, a Site Health section in the admin panel backend, and a feature that will act as a White-Screen-of-Death (WSOD) protection -- letting site admins access their backend in the case of catastrophic PHP errors. With WordPress being installed on around 33.8 percent of all internet sites, these features are set to put some fears at ease in regards to some attack vectors. Probably the biggest and the most important of today's new security features is WordPress' offline digital signatures system. Starting with WordPress 5.2, the WordPress team will digitally sign its update packages with the Ed25519 public-key signature system so that a local installation will be able to verify the update package's authenticity before applying it to a local site.
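The verify-before-apply step described in the summary, as an added example that is not WordPress's own code or part of the report: it uses PHP's libsodium functions to check a detached Ed25519 signature against a list of pinned public keys and rejects on any failure. The helper name `package_is_authentic`, the keys and the package bytes are constructed for illustration.

```php
<?php
// Added example: fail-closed check of a detached Ed25519 signature before
// an update package is applied. Keys and package bytes are constructed here.

/**
 * Hypothetical helper: returns true only if $sigB64 is a valid Ed25519
 * signature over $package made by one of the pinned public keys.
 */
function package_is_authentic(string $package, string $sigB64, array $trustedKeysB64): bool
{
    $sig = base64_decode($sigB64, true);
    if ($sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false; // malformed signature: reject
    }
    foreach ($trustedKeysB64 as $keyB64) {
        $pk = base64_decode($keyB64, true);
        if ($pk === false || strlen($pk) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
            continue; // skip a malformed pinned key
        }
        if (sodium_crypto_sign_verify_detached($sig, $package, $pk)) {
            return true;
        }
    }
    return false; // no pinned key matched: reject
}

// Publisher side (constructed): sign the package with the secret key.
$keypair = sodium_crypto_sign_keypair();
$secret  = sodium_crypto_sign_secretkey($keypair);
$trusted = [base64_encode(sodium_crypto_sign_publickey($keypair))];

$package = "constructed update package bytes";
$sigB64  = base64_encode(sodium_crypto_sign_detached($package, $secret));

// Site side: verify before applying.
var_dump(package_is_authentic($package, $sigB64, $trusted));        // genuine package
var_dump(package_is_authentic($package . "x", $sigB64, $trusted));  // modified in transit
var_dump(package_is_authentic($package, "not-base64!", $trusted));  // malformed signature

// A key that was never pinned cannot vouch for a package.
$other = sodium_crypto_sign_keypair();
$rogue = base64_encode(sodium_crypto_sign_detached($package, sodium_crypto_sign_secretkey($other)));
var_dump(package_is_authentic($package, $rogue, $trusted));
```

A passing check shows the package was signed by a holder of a pinned key and was not altered afterwards; it says nothing about whether the signed code is free of bugs.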
  • Deletion? (Score:3, Funny)

    by Gravis Zero ( 934156 ) on Tuesday May 07, 2019 @02:40PM (#58553532)

    If it's not deletion then it's not really what the Internet deserves. ;)

  • In the 21st century proper security should be mandatory and a luxury item for those who choose to buy the up sale.

  • WSOD protection (Score:3, Insightful)

    by 93 Escort Wagon ( 326346 ) on Tuesday May 07, 2019 @03:00PM (#58553632)

    Seriously, this will be good news if it works. I ran into this once after a theme update, of all things.

    Fortunately we had backups, but still - how the heck does a single theme's update kill the entire WordPress admin panel?

  • by pieisgood ( 841871 ) on Tuesday May 07, 2019 @03:38PM (#58553862) Journal

    Until WordPress implements compartmentalization and permissions within their plugin system, none of this really matters. Any plugin can access any file anywhere and modify it. They can modify your htaccess to redirect to malicious domains; they can do whatever they want. WordPress has a small review process for plugins on their own repository, but after that initial review they will never check that crap again, even if the plugin destroys sites. I guess this is a step in the right direction though.

  • The security feature a third of the Internet needs is to not use WordPress. Why is WP's only defense and first selling point always an argumentum ad populum fallacy?

    If Mozilla can't handle signed code, why should anyone think the WP team can? WP has been the poster child for how to write PHP badly since 2004.

    • by lgw ( 121541 )

      WP has been the poster child for how to write PHP badly since 2004.

      Is there another way to write PHP?

    • by Anonymous Coward

      If Mozilla can't handle signed code, why should anyone think the WP team can?

      All the signature says is "We approve of this in its current form." It does not say anything about the safety of whatever this is. The bugs are still there, the only difference is they are "approved" bugs in the sense that they will be allowed to execute and wreak whatever havoc they want if triggered. The bugs are probably* not approved in the "We think this is a good thing" sense.

      What code signing is meant to stop, and does a

  • letting site admins access their backend in the case of catastrophic PHP errors

    ... such as installing PHP?
