[wp-trac] [WordPress Trac] #39309: Secure WordPress Against Infrastructure Attacks

WordPress Trac noreply at wordpress.org
Tue Jan 8 08:42:40 UTC 2019


#39309: Secure WordPress Against Infrastructure Attacks
------------------------------------------+-----------------------
 Reporter:  paragoninitiativeenterprises  |       Owner:  pento
     Type:  enhancement                   |      Status:  assigned
 Priority:  normal                        |   Milestone:  5.1
Component:  Upgrade/Install               |     Version:  4.8
 Severity:  critical                      |  Resolution:
 Keywords:  has-patch                     |     Focuses:
------------------------------------------+-----------------------

Comment (by pento):

 Thanks for your patience on this, @paragoninitiativeenterprises. I've been
 thinking about this a bit, and I believe it will fit nicely into several
 initiatives planned for 2019.

 First off, there's the priorities for 2019:
 https://make.wordpress.org/core/2018/12/08/9-priorities-for-2019/

 Auto updates feature relatively heavily; it's going to be important to do
 them right, and ensuring the site has downloaded the correct, uncorrupted
 update file is part of that. As you've mentioned previously, the hash
 checks for update file downloads are currently... inadequate. 🙂 While
 there are a myriad of options available, something cryptographically
 secure makes the most sense from both security and future-proofing
 perspectives.

 Secondly, we're looking at bumping the minimum PHP version pretty
 aggressively:
 https://make.wordpress.org/core/2018/12/08/updating-the-minimum-php-version/

 The April 2019 date (where we increase the minimum to PHP 5.6) will
 probably coincide with WordPress 5.2. As you mentioned in #45806, we could
 avoid committing masses of PHP by bumping our minimum to PHP 5.3+.

 So, with those points in mind, this is the (tentative) list that I'm
 looking at for WordPress 5.2:

 - Bump WordPress' minimum PHP version to 5.6.
 - Include `sodium_compat` as a composer dependency.
 - Add experimental package signing for Core updates: a failing signature
 wouldn't prevent an update, but it would report error information to
 WordPress.org, so we can determine if there are significant real-world
 factors that we need to account for.
 - Stretch goal: do the same, but for plugins and themes, too.

 Depending on the results from WordPress 5.2, as well as the state of the
 other auto update work that will need to be done, package signatures would
 be enforced in a subsequent WordPress 5.x release.

 Does this seem like a reasonable set of steps to you? All of it is 100%
 open for suggestions, feedback, and questions.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/39309#comment:53>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
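
The report-only signature check proposed in the comment above, sketched as an added example that is not WordPress core code or part of the original message. It assumes a detached Ed25519 signature (the comment names no algorithm); the function name `verify_update_package()`, the `$enforce` switch and the report fields are hypothetical, and the key pair and package bytes are constructed inline.

```php
<?php
// Added illustration, not WordPress core code. Uses the sodium_* functions
// from ext-sodium (PHP 7.2+); sodium_compat polyfills the same names.

/**
 * Verify a detached signature over downloaded package bytes.
 * Report-only mode ($enforce = false) never blocks the install; it only
 * produces a report that a caller could send upstream.
 */
function verify_update_package(string $package, string $sigB64, string $publicKey, bool $enforce): array
{
    $sig   = base64_decode($sigB64, true);
    $error = null;

    // Check the length first: the verify call throws on a wrong-sized signature.
    if ($sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        $error = 'signature_malformed';
    } elseif (!sodium_crypto_sign_verify_detached($sig, $package, $publicKey)) {
        $error = 'signature_mismatch';
    }

    if ($error === null) {
        return ['install' => true, 'report' => null];
    }

    return [
        'install' => !$enforce, // report-only: proceed; enforced: stop
        'report'  => [
            'error'  => $error,
            'sha256' => hash('sha256', $package),
            'bytes'  => strlen($package),
        ],
    ];
}

// Constructed sample data: a throwaway key pair and stand-in package bytes.
$keypair   = sodium_crypto_sign_keypair();
$publicKey = sodium_crypto_sign_publickey($keypair);
$package   = 'constructed stand-in for update package bytes';
$sigB64    = base64_encode(
    sodium_crypto_sign_detached($package, sodium_crypto_sign_secretkey($keypair))
);

var_dump(verify_update_package($package, $sigB64, $publicKey, false));       // valid
var_dump(verify_update_package($package . 'X', $sigB64, $publicKey, false)); // tampered, report-only
var_dump(verify_update_package($package . 'X', $sigB64, $publicKey, true));  // tampered, enforced
```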

