WordPress 5.2, released earlier this month, added the first step towards fully secure updates with offline digital signatures. Scott Arciszewski, Chief Development Officer for Paragon Initiative Enterprises, explains how it works and how developers can migrate away from mcrypt to libsodium.

When your WordPress site installs an automatic update, from version 5.2 onwards, it will first check for the existence of an x-content-signature header.

If one isn’t provided by the update server, your WordPress site will instead query for a filenamehere.sig file.

No matter how it’s delivered, the signatures are calculated using Ed25519 of the SHA384 hash of the file’s contents. The signature is base64-encoded for safe transport.

Scott Arciszewski

The WordPress core development team manages the signing or secret keys. WordPress 5.2 contains a signing key that expires on April 1, 2021. The verification key or public key is used to decipher the secret key. This value determines the validity of the signature.

Since the feature is still in an experimental phase, WordPress 5.2 allows an update to occur if a soft error or invalid signature is encountered. This is to prevent more severe errors from causing the user to be locked out of the update process until a manual update is applied. The team will use the reported error information to improve the signature checking process.

The digital signatures are only supported for core updates with Themes and Plugins to follow in a later release. It’s also likely that the team will include separate keys for core releases, plugins, themes, translations, etc. to allow for more fine-grained control.

Digital signatures applied to WordPress core updates is an important milestone because it prevents users from unknowingly downloading updates from malicious sources.

For example, without digital signatures, if the server or servers that house the core update files were compromised, a false update could be sent to millions of sites. In 2016, WordFence explained how this scenario could play out when they publicized a security vulnerability they discovered with api.wordpress.org.

Persistence Pays Off

In early 2017, Arciszewski published a plea to Matt Mullenweg to focus on securing WordPress’ automatic updates system by using secure cryptographic signatures. Mullenweg responded to the article with one of his own on Medium.

We will at some point; as said above it’s a good idea — can’t hurt, might help. There are, however, some more important security issues in front of it, that impact millions of sites in the real world, so we are prioritizing those issues above a nice-to-have, defense in-depth effort.

Matt Mullenweg

Arciszewski has spent at least six years trying to convince the core team to implement digitally signed updates. Four months ago, Gary Pendergast, WordPress core developer, responded to the ticket saying that the feature fell in line with the list of WordPress priorities planned for 2019 and beyond. Pendergast laid out a plan and with a confirmed commitment to landing it in core, Arciszewski worked with the core team to make it a reality.

Millions of WordPress sites are on their way to becoming more secure thanks to the persistence and efforts of Arciszewski and the WordPress core team.