WordPress updates are digitally signed at last!
WordPress 5.2 is out and brings a number of functional improvements, but the great news for those who are worried about the security of their installation is the implementation of digital signing of update packages.
WordPress provided the option for automatic implementation of updates back in 2013 but, until now, these updates were not digitally singed, meaning that a successful compromise of WordPress update servers would allow attackers to deliver malicious updates to all those who use the popular content management system (CMS).
(According to the latest available numbers, WordPress powers 33.8 percent of websites who use a CMS, i.e., tens of millions of websites.)
The new feature make this type of supply chain attack more difficult: even if the attackers compromise the update servers, they won’t be able to deliver malicious updates without also stealing the signing key from the WordPress core development team and using it to sign them.
A new cryptographic library
The verification of the signature will be performed by the WordPress installation, through the newly implemented Sodium Compat cryptographic library, which is “a pure PHP polyfill for the Sodium cryptography library (libsodium).” Sodium Compat has also been adopted by Joomla! and Magento.
“In addition to the security enhancements to the WordPress core, the inclusion of sodium_compat on WordPress 5.2 means that plugin developers can start to migrate their custom cryptography code away from mcrypt (deprecated in PHP 7.1, removed in PHP 7.2) and towards libsodium (introduced in PHP 7.2, polyfilled by sodium_compat),” noted Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises, the company that developed the library.
He also pointed out that this digital signing feature only covers core WP updates and that they will be working to implement a system that allows vendors to sign themes and plugins and and publish these signatures and related metadata to an append-only cryptographic ledger.
“Once this is done, WordPress’s auto-update will finally be secure,” he added.