The newly released WordPress 5.5 includes a feature that prevents rogue plugins from taking over WordPress sites. The change lets a WordPress site check, before auto-updating a plugin, whether WordPress.org has flagged that plugin, and skip the update if it has.
WordPress Security Feature Unannounced
This new feature was not formally announced. Instead, the note describing the change was buried in the long list of hundreds of other improvements that shipped with WordPress 5.5.
This code change strengthens security and deserves more recognition than it received.
The list of changes made to WordPress 5.5 is so extensive that you have to scroll six times to reach the note about this important security-related update.
WordPress Supply Chain Attacks
There are malicious organizations that purchase WordPress plugins in order to add malvertising, backdoors, and links. This attack method exploits the trust a publisher already places in a plugin they have installed.
With auto-update enabled, this could allow a malicious plugin to easily infect every publisher using that plugin.
However, WordPress has built a way to flag bad plugins and remotely disable the auto-update feature for such rogue plugins.
How WordPress 5.5 Stops Rogue Plugins
WordPress has incorporated a way to disable plugins from auto-updating if there’s a problem with them.
According to WordPress:
“The new auto-update UI is great, but it would benefit from having a way to remotely disable the auto-update for a plugin/theme.
It’ll open the possibility for WordPress.org to control the rollout of an auto-update, for example, auto-updating everyone 1-24hrs after release rather than immediately to allow for any major bugs to be discovered.
Ideally it’ll never need to be used for it, but it’ll also protect WordPress users by allowing us to disable it for a plugin or entirely if there are any unexpected behaviors from it.
The attached PR allows for the WordPress.org API response to include a disable_autoupdate flag which will disable it for that item, it’ll not affect the UI and hopefully will never be needed (aside from the example use-case of A/B smoke testing or the like).”
Before auto-updating, a WordPress site checks the update API response for a flag indicating whether the plugin should be updated.
The flag, named “disable_autoupdate” in the PR quoted above, tells the WordPress site not to auto-update a specific plugin. It acts as a gatekeeper, deciding which plugin updates are stopped.
Screenshot of WordPress Page Documenting Change in Code
This is a screenshot of the added code as documented by WordPress. The code acts as a gatekeeper, asking for a yes or no answer to determine whether to allow or block a plugin update.
Wordfence Says This is a Good Change
The security researchers at Wordfence were contacted about this new feature.
Their response referred to the following technical terms:
- WP-Cron: WordPress’s built-in task scheduler, which runs scheduled jobs (such as update checks) from within the WordPress installation.
- Core Team and Repo Managers: The people at WordPress.org who maintain WordPress core and administer the plugin and theme repository.
- Repository: The WordPress.org directory where plugins and themes are stored and from which sites download updates.
This is what the researchers at Wordfence said:
“Auto-updates are triggered by the wp-cron on individual sites twice daily.
The site will look to the repository to identify theme/plugin updates if the site owner has auto-updates enabled for that particular theme or plugin.
Repository theme and plugin developers will check in a new version of a plugin on their own; the core team and repo managers don’t audit that code or check it.
So, with the auto-update feature now in place, any plugin code checked in will be available for download to any site that has auto-updates enabled.
This control is designed to prevent the rollout of that code to auto-updating sites if there is a problem. For example, this functionality could prevent some of the supply chain attacks we’ve seen in the past where an attacker purchased plugins and placed malicious code in repository plugins.
When a site reaches out to the repo for updates, the repo can respond with this flag (which should only be set to true or false) to ensure that plugins or themes with problems are not automatically updated.”
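To make the flow described in the PR text and in the Wordfence explanation concrete, here is an added illustration in PHP. It is not WordPress core code; it models the decision a site makes for each plugin once the WordPress.org API response can carry a disable_autoupdate flag. The API payload, the plugin slugs and the function name should_auto_update are all constructed for this example.

```php
<?php
// Added illustration (not WordPress core code): models how a site decides
// whether a plugin auto-update proceeds once the update API response can
// carry a disable_autoupdate flag. Payload and slugs below are constructed.

/**
 * Decide whether a single plugin item should auto-update.
 *
 * @param object $item      One plugin entry from the (simulated) update API response.
 * @param bool   $siteOptIn Whether the site owner enabled auto-updates for this plugin.
 * @return bool             true if the update should run, false if it is skipped.
 */
function should_auto_update(object $item, bool $siteOptIn): bool
{
    // Only consider items that actually offer a newer version.
    if (empty($item->new_version)
        || version_compare($item->new_version, $item->current_version, '<=')) {
        return false;
    }

    // The site owner's choice (the new 5.5 auto-update UI) is the starting point.
    $update = $siteOptIn;

    // The remote kill switch: if the repository flags the item, the owner's
    // opt-in is overridden. Any truthy value blocks, so a malformed flag
    // fails safe (no update) rather than open.
    if (!empty($item->disable_autoupdate)) {
        $update = false;
    }

    return $update;
}

// Constructed API response: two plugins with updates available, one flagged.
$apiResponse = json_decode(json_encode([
    'plugins' => [
        [
            'slug'               => 'example-gallery',   // hypothetical slug
            'current_version'    => '1.4.0',
            'new_version'        => '1.4.1',
            'disable_autoupdate' => false,
        ],
        [
            'slug'               => 'example-seo-tools', // hypothetical slug
            'current_version'    => '2.0.0',
            'new_version'        => '2.1.0',
            'disable_autoupdate' => true,                // repo managers pulled the brake
        ],
    ],
]));

// The site owner enabled auto-updates for both plugins.
$ownerOptIn = ['example-gallery' => true, 'example-seo-tools' => true];

// This loop stands in for the twice-daily WP-Cron run described above.
foreach ($apiResponse->plugins as $plugin) {
    $decision = should_auto_update($plugin, $ownerOptIn[$plugin->slug]);
    printf("%-20s %s -> %s : %s\n",
        $plugin->slug, $plugin->current_version, $plugin->new_version,
        $decision ? 'auto-update runs' : 'auto-update blocked');
}
```

Run it with `php example.php`: the unflagged plugin updates, the flagged one is skipped even though the owner opted in. The point of the design is that the flag overrides the owner's choice in one direction only; it can stop an update but never force one the owner did not enable.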
WordPress 5.5 Security Improvement
This new feature wasn’t announced, but it is an important one: it makes publishing on WordPress safer and helps prevent criminals from taking over WordPress sites through rogue plugin updates.
Citations
- Allow for WordPress.org to Remotely Disable Auto-updates for Plugins/Themes
- Wordfence Article About WordPress Supply Chain Attacks
- WordPress GitHub page for Auto-update Flag: Allow the API to Remotely Disable Auto-updates