Sunday, September 20, 2020


Hidden WordPress 5.5 Feature Blocks Rogue Plugins

Summary (IA Generated)

The newly updated WordPress 5.5.

The change allows a WordPress site to check whether a plugin is legitimate and to block that plugin's update if it has been flagged.

Instead, the mention of this change was virtually hidden within a list of hundreds of other improvements to WordPress.

It was hidden in a long list of hundreds of other changes that were a part of WordPress 5.5.

This code update within WordPress 5.5.

With auto-update enabled, this could give a malicious plugin an easy way to infect every publisher using that plugin.

However, WordPress built a way to flag bad plugins and remotely disable the auto-update feature for the rogue plugin.

WordPress has built in a way to stop plugins from auto-updating if there is a problem with them.

“The new auto-update UI is great, but it would benefit from having a way to remotely disable the auto-update for a plugin/theme.

WordPress.org to control the rollout of an auto-update, for example, auto-updating everyone 1-24 hrs after release rather than immediately to allow for any major bugs to be discovered.

Ideally it’ll never need to be used for it, but it’ll also protect WordPress users by allowing us to disable it for a plugin or entirely if there are any unexpected behaviours from it.”

What will happen is that a WordPress site will check for verification on whether or not a plugin should be updated.

A “flag” called “disable_autoupdate” will communicate to the WordPress site to not update a specific plugin.

This “flag” acts like a gatekeeper deciding which plugin will be stopped from updating.

The code acts like a gatekeeper, asking for a yes or no answer in order to determine whether to allow or block a plugin update.

I contacted the security researchers at Wordfence (@wordfence) about this new feature.

The site will look to the repository to identify theme/plugin updates if the site owner has auto-updates enabled for that particular theme or plugin.

Repository theme and plugin developers will check in a new version of a plugin on their own; the core team and repo managers don’t audit that code or check it.

So, with the auto-update feature now in place, any plugin code checked in will be available for download to any site that has auto-updates enabled.

This control is designed to prevent the rollout of that code to auto-updating sites if there is a problem.

For example, this functionality could prevent some of the supply chain attacks we’ve seen in the past where an attacker purchased plugins and placed malicious code in repository plugins.

When a site reaches out to the repo for updates, the repo can respond with this flag (which should only be set to true or false) to make sure that plugins or themes with problems are not automatically updated.
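The gatekeeper decision described above, as an added standalone illustration that is not code from the article, WordPress core or Wordfence. The update-check response layout and plugin names are constructed for the example; only the field name disable_autoupdate comes from the article.

```php
<?php
// Added example, not WordPress core or Wordfence code. It simulates the
// gatekeeper described above: a site auto-installs a plugin update only if
// the owner opted in AND the repository did not answer with the
// disable_autoupdate flag. The response layout is CONSTRUCTED for this
// example; only the field name disable_autoupdate comes from the article.

// Plugins the site owner has opted into auto-updates (constructed).
$ownerAutoUpdates = [
    'good-seo/good-seo.php',
    'rogue-forms/rogue-forms.php',
    'quiet-stats/quiet-stats.php',
    'odd-cache/odd-cache.php',
];

// Constructed update-check response as the repository might return it.
$response = json_decode('{
  "plugins": {
    "good-seo/good-seo.php":          {"new_version": "2.1.0"},
    "rogue-forms/rogue-forms.php":    {"new_version": "4.0.1", "disable_autoupdate": true},
    "quiet-stats/quiet-stats.php":    {"new_version": "1.3.0", "disable_autoupdate": false},
    "odd-cache/odd-cache.php":        {"new_version": "0.9.2", "disable_autoupdate": "yes"},
    "sleepy-slider/sleepy-slider.php": {"new_version": "3.0.0"}
  }
}', true);

/**
 * Decide one plugin's fate and say why. The repository flag overrides the
 * owner's choice. The flag should be a boolean, but any value PHP does not
 * treat as empty blocks the update, so a malformed flag such as "yes"
 * fails closed rather than slipping through.
 */
function autoUpdateDecision(string $plugin, array $item, array $ownerAutoUpdates): string
{
    if (!empty($item['disable_autoupdate'])) {
        return 'hold: repository set disable_autoupdate';
    }
    if (!in_array($plugin, $ownerAutoUpdates, true)) {
        return 'hold: owner has not enabled auto-updates';
    }
    return 'install ' . $item['new_version'];
}

// Apply the gatekeeper to every plugin in the response and log the result;
// a defender auditing the site would want exactly this record per plugin.
foreach ($response['plugins'] as $plugin => $item) {
    printf("%-34s %s\n", $plugin, autoUpdateDecision($plugin, $item, $ownerAutoUpdates));
}
```

Run it with the PHP CLI (`php gatekeeper.php`); no WordPress installation is needed because the response is embedded.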

WordPress.org to Remotely Disable Auto-updates for Plugins/Themes.

WordPress GitHub page for Auto-update Flag

Allow the API to Remotely Disable Auto-updates.

