WPTavern: New Plugin Makes WordPress Core Updates More Secure by Requiring Cryptographic Signature Verification

In 2016, Wordfence published its findings on a vulnerability that could have been used to compromise the servers that distribute WordPress updates. It turned out to be a complex, obscure flaw, but it started a conversation about the security of api.wordpress.org and what an attacker could do if those servers were ever compromised.

One idea put forward was to digitally sign WordPress core, theme, and plugin updates, so that a compromised update server could not push packages that sites would accept. A Trac ticket proposing this has lain semi-dormant for at least five years.

Fifteen months ago, Scott Arciszewski, Chief Development Officer of Paragon Initiative Enterprises and best known for his cryptography engineering work, published an article (since taken down) urging Matt Mullenweg to make secure cryptographic signatures a priority. Mullenweg responded with a post of his own, stating that although WordPress update signing is important, it is not a high priority.

“We will at some point; as said above it’s a good idea — can’t hurt, might help,” Mullenweg responded when asked if WordPress was ever going to do update signing. “There are, however, some more important security issues in front of it, that impact millions of sites in the real world, so we are prioritizing those issues above a nice-to-have, defense in-depth effort.”

Eric Mann Launches Secure WordPress Updates Plugin

While WordPress itself does not digitally sign updates, Eric Mann, founder of Displace Technologies, LLC, has created and released a plugin that adds signature verification to WordPress core updates. It is called DGXPCO, short for Digital Guarantees for eXplicitly Permitted Core Operations, and can be found in the plugin directory by searching for DGXPCO.

When installed and activated, the plugin hooks into the core updater and requires that any core update carry a valid signature before it can be installed. The signature is a second source of truth, independent of the update server, that confirms the integrity of the package files and that they were signed by the holder of the private key. Signatures are produced with an Ed25519 public/private keypair, using libsodium to sign the files' contents.

Mann keeps the private key offline and has published the public key. That key is effectively pinned: it will not change, so a core update signed by any other key is a red flag and should not be installed. In addition, commits to the release-hashes repository on GitHub are signed with Mann's PGP key, so anyone can verify that he is the one who added new entries.
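The check the two paragraphs above describe, as an added example written for this page rather than code taken from DGXPCO or WordPress core: a detached Ed25519 signature is produced offline over the raw bytes of a release package, and the site verifies it against a hard-coded (pinned) public key before the updater is allowed to proceed. The function names, the in-memory keys, the temporary file and the package contents are all constructed for the demonstration; the real plugin's file layout, signature encoding and key-distribution details are not shown here and are not implied.

```php
<?php
// Added example, not code from DGXPCO or WordPress. Requires PHP >= 7.2
// with the bundled sodium extension (libsodium bindings).
declare(strict_types=1);

/**
 * Offline step, run on the maintainer's machine where the secret key lives:
 * produce a detached Ed25519 signature over the raw bytes of the package.
 * The signature is returned hex-encoded so it can be published next to the
 * package name (for example in a signed-commit release-hashes repository).
 */
function sign_package(string $packagePath, string $secretKey): string
{
    $bytes = file_get_contents($packagePath);
    if ($bytes === false) {
        throw new RuntimeException("cannot read $packagePath");
    }
    return sodium_bin2hex(sodium_crypto_sign_detached($bytes, $secretKey));
}

/**
 * Online step, run on the site being updated: verify the published signature
 * against the pinned public key. The key is a constant of the verifier; it is
 * never read from the update payload or from the update server. Any failure
 * (wrong key, altered bytes, malformed signature) means "do not install".
 */
function verify_package(string $packagePath, string $signatureHex, string $pinnedPublicKey): bool
{
    if (strlen($pinnedPublicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
        return false; // not a well-formed Ed25519 public key
    }
    try {
        $signature = sodium_hex2bin($signatureHex);
    } catch (SodiumException $e) {
        return false; // published signature is not valid hex
    }
    if (strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false; // wrong length; libsodium would throw on this
    }
    $bytes = file_get_contents($packagePath);
    if ($bytes === false) {
        return false; // unreadable package is never "verified"
    }
    return sodium_crypto_sign_verify_detached($signature, $bytes, $pinnedPublicKey);
}

// --- Demonstration with constructed keys and a constructed package file ---
// In production the secret half stays offline; only the public half is pinned.
$maintainer      = sodium_crypto_sign_keypair();
$pinnedPublicKey = sodium_crypto_sign_publickey($maintainer); // published once, never changes

$package = tempnam(sys_get_temp_dir(), 'wp-');
file_put_contents($package, "constructed stand-in for a wordpress-x.y.z.zip\n");

// 1. Genuine release: signed offline by the maintainer, verified against the pin.
$sig = sign_package($package, sodium_crypto_sign_secretkey($maintainer));
var_dump(verify_package($package, $sig, $pinnedPublicKey));

// 2. Tampered package: the bytes changed after signing, so the same signature
//    must no longer verify (a compromised update server cannot swap files).
file_put_contents($package, "trojaned package contents\n");
var_dump(verify_package($package, $sig, $pinnedPublicKey));

// 3. Signed by a different key: the red flag the article describes. A valid
//    signature from an unpinned key is treated exactly like no signature.
$other    = sodium_crypto_sign_keypair();
$rogueSig = sign_package($package, sodium_crypto_sign_secretkey($other));
var_dump(verify_package($package, $rogueSig, $pinnedPublicKey));

unlink($package);
```

Two design points matter for a plugin that does this for real. First, the verifier must decide using only the pinned key and the package bytes; if it accepted a public key shipped alongside the update, an attacker controlling the update server could simply ship their own key and a matching signature. Second, every failure path returns false rather than throwing or logging and continuing, so the updater's "do not install" branch is the default and a malformed or missing signature cannot be mistaken for a passing one.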

Mann admits that the solution is not foolproof and is working to improve it. In future versions, the plugin will only notify the user of a WordPress core update once a digital signature for it is available. Plugins and themes are on the roadmap as well, on an opt-in basis.

At present he is the only person able to sign packages, a model he acknowledges is not sustainable.

“As I prove out the update system, I’ll also begin adding sets of public keys that are scoped to specific sets of packages,” Mann said. “This will, for example, allow me to whitelist a small number of trusted developers to also sign core packages. It might also empower plugin developers to sign their own releases (but not anyone else’s).”

Mann is seeking feedback and is hoping the project provides evidence that something like it can be added to WordPress core.

Source: WordPress
