WordPress version 5.2, called “Jaco” in honor of the jazz bassist Jaco Pastorius, is available for download from the official website. The new version brings some robust tools and a number of functional improvements, but the most important updates are security related: a modern cryptography library, a Site Health section, and a safe mode for when catastrophic PHP errors occur.
What are the security features that WordPress 5.2 gets?
With WordPress being the most popular CMS around the world, these features were much needed to keep the sites secure. Let’s dive into the detail of these new features.
New Dashboard Icons
The latest version adds 13 new dashboard icons, among them rotated Earth icons for international inclusion.
Plugin Compatibility Checks
WordPress 5.2 can automatically determine whether the plugins already installed are compatible with your site’s version. If WordPress finds a compatibility issue, it will not let you activate those plugins, which prevents compatibility errors from taking the site down.
Perhaps the biggest and most important update is a new security feature that allows the WordPress core development team to digitally sign new update packages using the Ed25519 public-key signature system. A local WordPress installation can then verify the authenticity of an update package before the update begins.
The offline digital signature feature works as a defense against a vulnerable WordPress update infrastructure.
Adding support for offline digital signatures is an important step towards defending all WordPress sites against potential supply-chain attacks, something security researchers highlighted almost two years ago.
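The check that offline signing makes possible, as an added example rather than code from the article or from WordPress core: a downloaded package is trusted only if a detached Ed25519 signature over its bytes verifies against a public key pinned in the already-installed code. The publisher side (key generation and signing) is constructed here only so the file runs stand-alone; the package bytes are random stand-ins for a release archive, and the function names are assumptions. It assumes the sodium_* functions are available, either from ext/sodium or from the sodium_compat polyfill.

```php
<?php
declare(strict_types=1);

// Added example, not code from the article or from WordPress core.
// Assumes the sodium_* functions exist (ext/sodium or sodium_compat).

// --- Publisher side, constructed for the demo. The real signing key stays
// offline; only the public half is shipped inside the software. ---
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$pinnedKey = sodium_crypto_sign_publickey($keypair);   // what the site would pin

$package   = random_bytes(4096);                       // stand-in for the update zip
$signature = sodium_crypto_sign_detached($package, $secretKey);
sodium_memzero($secretKey);

// --- Installing-site side ---

/**
 * True only if $signature is a valid Ed25519 signature of $package under
 * $pinnedKey. Wrong-length inputs and a SodiumException are both treated
 * as failure, never as success.
 */
function package_signature_is_valid(string $package, string $signature, string $pinnedKey): bool
{
    if (strlen($pinnedKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES
        || strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    try {
        return sodium_crypto_sign_verify_detached($signature, $package, $pinnedKey);
    } catch (SodiumException $e) {
        return false;
    }
}

function report(string $case, bool $ok): void
{
    printf("%-40s %s\n", $case, $ok ? 'PASS' : 'FAIL');
}

// The genuine package must verify.
report('genuine package accepted', package_signature_is_valid($package, $signature, $pinnedKey));

// One flipped byte anywhere in the archive, which is what a tampered
// download from a compromised mirror looks like, must fail verification.
$tampered = $package;
$tampered[100] = chr(ord($tampered[100]) ^ 0x01);
report('tampered package rejected', !package_signature_is_valid($tampered, $signature, $pinnedKey));

// A signature made under some other key must fail, even over the real bytes:
// this is what pinning the publisher's key buys you.
$otherPublic = sodium_crypto_sign_publickey(sodium_crypto_sign_keypair());
report('unknown signing key rejected', !package_signature_is_valid($package, $signature, $otherPublic));

// A truncated signature must fail cleanly instead of throwing.
report('truncated signature rejected', !package_signature_is_valid($package, substr($signature, 0, 10), $pinnedKey));
```

The point worth noticing is the direction of trust: the site never fetches the public key from the same place it fetched the package, so compromising the download infrastructure alone is not enough to get a forged package accepted.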
Earlier versions of WordPress used mcrypt for cryptographic operations, but that library is outdated and lacks the ability to meet modern security requirements.
WordPress 5.2 supports the Libsodium library for all cryptographic operations, replacing mcrypt in WordPress core. To support older PHP servers that lack Libsodium, WordPress ships the sodium_compat library, which acts as a polyfill.
WordPress 5.2 has now joined the list of software that natively supports Libsodium, such as Magento 2.3+ and Joomla 3.8+. According to Arciszewski, WordPress developers should now switch to the Libsodium library for plugin and theme development.
Magento 2.3, Joomla 3.8, WordPress 5.2.
If you’re developing for any of these platforms and are using these versions, you already have sodium_compat installed.
Just use libsodium for your plugins/modules/extensions. Don’t even bother with mcrypt.
— Scott Arciszewski (@CiPHPerCoder) May 7, 2019
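What “just use libsodium” looks like for a plugin that needs to store a secret, as an added example that is not from the article, from Arciszewski, or from WordPress core: authenticated encryption with sodium_crypto_secretbox(), which, unlike mcrypt, refuses to return plaintext when the stored value has been modified or the wrong key is used. The function names are assumptions; inside WordPress 5.2+ the sodium_* functions are always present, while the autoloader path for running this file outside WordPress is an assumed location of the sodium_compat package.

```php
<?php
declare(strict_types=1);

// Added example, not code from the article or from WordPress core.
// Inside WordPress 5.2+ the sodium_* functions always exist (ext/sodium or
// the bundled sodium_compat polyfill). The path below is an assumption for
// running this file standalone.
if (!function_exists('sodium_crypto_secretbox')) {
    require_once __DIR__ . '/vendor/paragonie/sodium_compat/autoload.php'; // assumed path
}

/**
 * Encrypt $plaintext under a 32-byte $key. A fresh random nonce is prepended
 * so the same key can be reused safely; the result is base64 so it can be
 * stored in an option or meta field.
 */
function plugin_encrypt(string $plaintext, string $key): string
{
    $nonce      = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = sodium_crypto_secretbox($plaintext, $nonce, $key);
    return base64_encode($nonce . $ciphertext);
}

/**
 * Decrypt a value produced by plugin_encrypt(). Returns null if the blob is
 * malformed or the Poly1305 tag does not verify, i.e. the data was modified
 * or encrypted under a different key. mcrypt gave no such guarantee.
 */
function plugin_decrypt(string $encoded, string $key): ?string
{
    $blob = base64_decode($encoded, true);
    $min  = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($blob === false || strlen($blob) < $min) {
        return null;
    }
    $nonce      = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext  = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    return $plaintext === false ? null : $plaintext;
}

function report(string $case, bool $ok): void
{
    printf("%-30s %s\n", $case, $ok ? 'PASS' : 'FAIL');
}

// Constructed key and secret for the demo. In a real plugin the key is
// generated once with sodium_crypto_secretbox_keygen() and kept in
// configuration outside the database, never hard-coded.
$key    = sodium_crypto_secretbox_keygen();
$secret = 'api-token-EXAMPLE-not-real';

$stored = plugin_encrypt($secret, $key);
report('round trip', plugin_decrypt($stored, $key) === $secret);

// Two encryptions of the same value differ because the nonce is random.
report('nonce varies', plugin_encrypt($secret, $key) !== $stored);

// Flip one byte of the ciphertext: the tag no longer verifies, decrypt returns null.
$raw = base64_decode($stored, true);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
report('tampered rejected', plugin_decrypt(base64_encode($raw), $key) === null);

// A different key is rejected as well.
report('wrong key rejected', plugin_decrypt($stored, sodium_crypto_secretbox_keygen()) === null);

sodium_memzero($key);
```

Because sodium_compat implements the same function names, a plugin written this way runs unchanged on a host without ext/sodium; it is simply slower there.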
Site Health Section
WordPress 5.2 also comes with a new Site Health section in the admin panel. You can find it under Admin > Tools; it has two pages, Site Health Status and Site Health Info, which help debug common configuration problems and fatal errors.
The Site Health Status page runs a set of basic security checks and generates a report together with a percentage score based on how many tests your site has passed, and it recommends fixes for the issues it finds. The section ships with a number of built-in tests, and developers of security plugins are free to write their own checks as their requirements dictate.
The other page, Site Health Info, provides information about the web server, the website, the WordPress version, themes, plugins, storage, and so on. It is useful for debugging.
Some of the tests check that PHP, WordPress, and the database server are up to date. The tests are fully customizable, which means developers can add new tests or remove existing ones.
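How a security plugin adds its own check to the Site Health Status page, as an added example that is not from the article or from WordPress core: it hooks the site_status_tests filter and returns a result in the shape the Site Health screen renders. The check itself, that DISALLOW_FILE_EDIT is set so plugin and theme code cannot be edited from the dashboard, is a common hardening recommendation; the plugin function names and the example-hardening text domain are assumptions. This file only does something when loaded as a plugin inside WordPress.

```php
<?php
// Added example, not code from the article or from WordPress core.
// Registers a custom Site Health test via the 'site_status_tests' filter.
// Function names and the 'example-hardening' text domain are assumptions.
// Must run inside WordPress: add_filter(), __() and esc_html__() are core functions.

add_filter('site_status_tests', 'example_hardening_register_tests');

function example_hardening_register_tests(array $tests): array
{
    // 'direct' tests run while the Site Health page renders; 'async' tests are
    // fetched afterwards and suit slow checks such as remote lookups.
    $tests['direct']['example_file_editor'] = [
        'label' => __('Dashboard file editor', 'example-hardening'),
        'test'  => 'example_hardening_test_file_editor',
    ];
    return $tests;
}

/**
 * Check that the built-in theme/plugin file editor is turned off.
 * With the editor enabled, any administrator session can write PHP through
 * the dashboard, so hardening guides recommend defining DISALLOW_FILE_EDIT.
 */
function example_hardening_test_file_editor(): array
{
    $result = [
        'label'       => __('The dashboard file editor is disabled', 'example-hardening'),
        'status'      => 'good',              // one of: good, recommended, critical
        'badge'       => [
            'label' => __('Security', 'example-hardening'),
            'color' => 'blue',
        ],
        'description' => '<p>' . esc_html__(
            'DISALLOW_FILE_EDIT is set, so plugin and theme code cannot be modified from the admin screens.',
            'example-hardening'
        ) . '</p>',
        'actions'     => '',
        'test'        => 'example_file_editor', // must match the key registered above
    ];

    if (!defined('DISALLOW_FILE_EDIT') || !DISALLOW_FILE_EDIT) {
        $result['status']         = 'recommended';
        $result['label']          = __('The dashboard file editor is enabled', 'example-hardening');
        $result['badge']['color'] = 'orange';
        $result['description']    = '<p>' . esc_html__(
            'Define DISALLOW_FILE_EDIT as true in the site configuration so that a compromised administrator account cannot edit PHP files through the dashboard.',
            'example-hardening'
        ) . '</p>';
    }

    return $result;
}
```

The status value drives both the colour of the entry and the percentage score the page reports, so a check should only return critical for conditions that genuinely expose the site; over-reporting trains administrators to ignore the page.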