This entry was posted in WordPress Security on December 8, 2020 by Ram Gall.
WordPress 5.6, the final major release planned for 2020, comes out today, on December 8, 2020. It includes a few major features and updates, as well as a huge number of minor enhancements and bug fixes. A few changes have immediate implications for security and compatibility which we’ve highlighted in this post for WordPress users.
Application Passwords add functionality, and risk
WordPress 5.6 will come with a new feature that allows external applications to request permission to connect to a site and generate a password specific to that application. Once the application has been granted access, it can perform actions on behalf of a user via the WordPress REST API.
Unfortunately, socially engineering a site administrator into granting an application password to a malicious application is trivial. An attacker could trick a site owner into clicking a link that requests an application password, naming the malicious application whatever they wanted.
Worse yet, application password request URLs are set up to send the newly generated password to the requester’s site via a redirect URL. Since an application password carries the permissions of the user who generated it, an attacker could use this to gain control of a website. We demonstrated a social engineering attack using application passwords on Wordfence Live.
For this reason, the latest version of Wordfence, 7.4.14, disables application passwords by default. If you have a specific use case for application passwords and would like to re-enable them, you can do so under Wordfence->Firewall->Manage Brute Force Protection.
Despite the risk, application passwords are likely to offer some utility in the future. Some examples of how they could be used include publishing posts to a WordPress site from other interfaces, accessing or updating data in the WordPress database, or even creating users.
This functionality is, on the surface, similar to XML-RPC, but the REST API offers significantly broader capabilities. Additionally, application passwords are securely generated and are 24 characters long, so brute force and credential stuffing attacks are unlikely to be successful.
If you decide to make use of application passwords, we strongly recommend setting up a user with minimal permissions, ideally with only the necessary capabilities specifically for the application you wish to connect to.
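As an added illustration of the least-privilege setup recommended above (this is example code, not Wordfence's or WordPress core's), the following must-use plugin limits application passwords to a dedicated low-capability role and rejects authorization requests whose success_url host is not on an allowlist, so a generated password cannot be redirected to an arbitrary site. The role name `api_publisher` and the host `publisher.example.com` are placeholders.

```php
<?php
/**
 * Plugin Name: Restrict Application Passwords (example mu-plugin)
 * Drop into wp-content/mu-plugins/ on a WordPress 5.6 site.
 * Added example; uses core hooks available since WordPress 5.6.
 */

// Hypothetical dedicated role with only the capabilities a publishing client needs.
add_action( 'init', function () {
    if ( ! get_role( 'api_publisher' ) ) {
        add_role( 'api_publisher', 'API Publisher', array(
            'read'          => true,
            'edit_posts'    => true,
            'publish_posts' => true,
            'upload_files'  => true,
        ) );
    }
} );

// Only users holding that role may create or use application passwords;
// administrators and every other role get no application passwords at all.
add_filter( 'wp_is_application_passwords_available_for_user', function ( $available, $user ) {
    return in_array( 'api_publisher', (array) $user->roles, true );
}, 10, 2 );

// Reject authorization requests whose success_url would deliver the new
// password to a host that is not explicitly approved (constructed placeholder list).
add_action( 'wp_authorize_application_password_request_errors', function ( $error, $request, $user ) {
    $allowed_hosts = array( 'publisher.example.com' );
    $success_url   = isset( $request['success_url'] ) ? (string) $request['success_url'] : '';

    // No redirect requested: the password is shown on-screen and never leaves the site.
    if ( '' === $success_url ) {
        return;
    }

    $host = wp_parse_url( $success_url, PHP_URL_HOST );
    if ( ! in_array( $host, $allowed_hosts, true ) ) {
        $error->add(
            'app_password_host_not_allowed',
            sprintf( 'Redirect host "%s" is not on the application allowlist.', esc_html( (string) $host ) )
        );
    }
}, 10, 3 );
```

Because the filter returns false for administrators, the screenshot-style request link described above lands on an error page for them rather than on the authorization form.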
The jQuery update continues
WordPress 5.5, released in August 2020, removed the jQuery Migrate script. This caused many sites using plugins dependent upon older versions of jQuery to experience issues.
If your site was affected and you’re currently using the Enable jQuery Migrate Helper plugin to work around these issues, you’ll want to make sure your site works without it before updating to WordPress 5.6.
This is because WordPress 5.6 will update to the latest version of jQuery and add jQuery Migrate 3.3.2, which can conflict with the version re-enabled by the Enable jQuery Migrate Helper plugin, which is jQuery Migrate 1.4.1.
WordPress has been using outdated versions of the jQuery library for several years now.
WordPress 5.6 is step 2 of a 3-step plan to get WordPress onto an up-to-date version of jQuery. The plan is:
- WordPress 5.5: Remove the jQuery Migrate 1.x script. (August 2020)
- WordPress 5.6: Update to the latest jQuery, jQuery UI, and jQuery Migrate scripts. (December 2020)
- WordPress 5.7: Remove the jQuery Migrate script. (March 2021)
Because of this timeline, jQuery compatibility is actually significantly more urgent than PHP 8.0 compatibility. Plugin and theme developers should use the next few months before the release of WordPress 5.7 to completely transition their code to be compatible with the latest version of jQuery without the assistance of jQuery Migrate.
Although security fixes have been backported into the versions of jQuery used by previous versions of WordPress, many tools, such as Google’s Lighthouse, have reported that WordPress sites were vulnerable due to running an older version of jQuery. One bit of good news is that these site auditing tools should no longer show WordPress 5.6 sites as being vulnerable.
WPTavern has an excellent article that goes into more detail about the situation.
PHP 8 Compatibility
WordPress 5.6 is intended to be “beta compatible” with PHP 8. This means that during normal usage, a site running WordPress 5.6 on PHP 8 with a default theme and no plugins will be unlikely to run into any problems. Our previous article dives into some of the challenges plugin authors will face when it comes to compatibility with PHP 8.
If you’re a typical WordPress site owner using a fair number of plugins, it may be some time before it’s safe to update to PHP 8. On the other hand, if you’re creating a brand new site from scratch, you’ll be able to get ahead of many issues by starting with the latest version of PHP and WordPress.
Automatic major version updates
We’ve discussed automatic updates in the past, and how they can be essential for some use cases and potentially catastrophic for others. Currently, WordPress core automatically applies minor updates, which are typically much safer than automatic plugin updates due to extensive testing.
Starting with WordPress 5.6, all new WordPress installations will receive automatic updates for major versions. This means that if you create a fresh WordPress site with WordPress 5.6, it will automatically be updated to WordPress 5.7 when it comes out. While this has a higher likelihood of causing issues, bear in mind that the most likely problems will be with incompatible plugins, which will be much less prevalent on brand new sites.
Existing sites that have updated to WordPress 5.6 from previous versions will retain the current behavior of automatically updating only for minor versions and security patches, so current site owners do not have to worry about this. If desired, a current site owner can now opt in to automatic major version updates and even Beta and RC releases.
A brand new theme
Since 5.6 is the final major version of WordPress to be released for 2020, it includes a new default theme for next year, titled Twenty Twenty-One. Like previous default WordPress themes, it is based on an existing theme, Seedlet, and is fairly minimal, though it does include support for Dark Mode.
WordPress 5.6 includes a number of changes, improvements, and bug fixes, including many we haven’t covered. We’ve focused on the items we feel are most relevant to our users and most likely to cause issues. As with all major updates to WordPress, whether or not you wish to update right away will depend on your use case. There are a number of promising new features as well as some potential for growing pains, but these will be applicable to developers rather than users.
Special thanks to QA Lead Matt Rusnak and Threat Analyst Chloe Chamberland for their findings and assistance with this article.