New Plugin Makes WordPress Core Updates More Secure by Requiring Cryptographic Signature Verification

In 2016, Wordfence published its findings on a vulnerability that could have compromised the servers used to send out WordPress updates. It turned out to be a complex, obscure vulnerability that ignited a conversation about the security of those servers and what could happen if they were compromised.

One idea that was brought forth is to digitally sign WordPress core, theme, and plugin updates. For at least five years, a Trac ticket proposing exactly this has lain semi-dormant.

Fifteen months ago, Scott Arciszewski, Chief Development Officer for Paragon Initiative Enterprises, who is most widely known for his cryptography engineering work, published an article that has since been taken down, expressing his strong desire for Matt Mullenweg to make secure cryptographic signatures a priority. Mullenweg responded to his post with one of his own stating that although WordPress update signing is important, it’s not a high priority.

“We will at some point; as said above it’s a good idea — can’t hurt, might help,” Mullenweg responded when asked if WordPress was ever going to do update signing. “There are, however, some more important security issues in front of it, that impact millions of sites in the real world, so we are prioritizing those issues above a nice-to-have, defense in-depth effort.”

Eric Mann Launches Secure WordPress Updates Plugin

While WordPress does not digitally sign updates, Eric Mann, founder of Displace Technologies, LLC, has created and released a new plugin that adds code signing to WordPress core updates. It’s called DGXPCO, or Digital Guarantees for eXplicitly Permitted Core Operations. You’ll find it in the plugin directory by searching for DGXPCO.

When installed and activated, the plugin integrates with the core updater and requires that any core update have a valid signature before it can be installed. The signature provides a secondary source of truth that confirms the integrity of the files. The signatures are created with an Ed25519 public/private keypair, using Libsodium to sign the files’ contents.

Mann keeps the private key offline and has published the public key online. The public key will not change and if a core update is signed by a different key, it is a red flag and the update should be avoided. In addition, commits made to the release hashes repository on GitHub are signed with Mann’s PGP key to verify that he is the one who added new code.
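The two steps described above, the offline signing of a package and the updater's check against a pinned public key that rejects anything signed by a different key, as an added example that is not the plugin's own code. It uses Go's standard-library Ed25519 rather than PHP and Libsodium, and the package bytes, base64 signature encoding and function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// ErrBadSignature covers both "signed by another key" and "modified after signing".
var ErrBadSignature = errors.New("signature does not verify against the pinned key")

// SignPackage is the maintainer's offline step: sign the raw package bytes, publish base64.
func SignPackage(priv ed25519.PrivateKey, pkg []byte) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, pkg))
}

// VerifyCoreUpdate is the gate the updater runs before installing: it accepts
// only a package whose detached signature verifies against the pinned key.
func VerifyCoreUpdate(pinned ed25519.PublicKey, pkg []byte, sigB64 string) error {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("signature is not valid base64: %w", err)
	}
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, pkg, sig) {
		return ErrBadSignature
	}
	return nil
}

// Scenario runs the three outcomes a pinned-key check must produce: genuine package
// accepted, tampered package rejected, package signed by an unpinned key rejected.
func Scenario() (genuineOK, tamperedOK, otherKeyOK bool) {
	pinnedPub, maintainerPriv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the offline key
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)              // a key the updater does not trust
	pkg := []byte("wordpress-x.y.z.zip: constructed stand-in for the real archive bytes")
	sig := SignPackage(maintainerPriv, pkg)
	genuineOK = VerifyCoreUpdate(pinnedPub, pkg, sig) == nil
	tampered := bytes.Replace(pkg, []byte("x.y.z"), []byte("x.y.w"), 1)
	tamperedOK = VerifyCoreUpdate(pinnedPub, tampered, sig) == nil
	otherKeyOK = VerifyCoreUpdate(pinnedPub, pkg, SignPackage(otherPriv, pkg)) == nil
	return
}

func main() {
	g, t, o := Scenario()
	fmt.Printf("genuine accepted=%v tampered accepted=%v other-key accepted=%v\n", g, t, o)
}
```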

Mann admits that the solution is not foolproof and is working towards improving it. In future versions, the plugin will only notify the user of a WordPress core update if a digital signature is available. Plugins and themes are on the roadmap as well, with the ability to opt in.

He is currently the only person allowed to digitally sign packages, and he acknowledges that this model is not sustainable.

“As I prove out the update system, I’ll also begin adding sets of public keys that are scoped to specific sets of packages,” Mann said. “This will, for example, allow me to whitelist a small number of trusted developers to also sign core packages. It might also empower plugin developers to sign their own releases (but not anyone else’s).”

Mann is seeking feedback and is hoping the project provides evidence that something like it can be added to WordPress core.
