Podcast Episode 40: WordPress Considers Ditching Signed Core Updates

A recent discussion among WordPress core developers about removing support for code signing in core caught our attention. Code signing support was included with the WordPress 5.2 release. The discussion centers around removing code signing and implementing SSL verification and hashes to verify code integrity. In this week’s episode we chat about the history behind the vulnerability found by Wordfence’s Matt Barry, which is what motivated the addition of code signing to WordPress core. We review several high profile supply chain attacks and discuss how SSL and hashes would not protect against a sophisticated attack on WordPress core servers.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Some sources we reference in this week’s episode include:

• The discussion on make.wordpress.org.
• The trac ticket update to the initial campaign for securing WordPress against infrastructure attacks.
• Scott Arciszewski’s analysis of Server-Side HTTP Requests for WordPress developers.
• Matt Barry’s discovery of a vulnerability in WordPress infrastructure.
• Other supply-chain attacks that have exploited software delivery, including: ASUS, the Flame Windows exploit, and the CCleaner “ShadowPad” exploit which affected over 2.27 million computers.
• A previous supply-chain attack on WordPress plugins which affected 9 plugins over 4.5 years.

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

Do you have thoughts about WordPress core update code signing? Please feel free to post your feedback in the comments below.