Hidden WordPress 5.5 Feature Blocks Rogue Plugins

The newly updated WordPress 5.5 contains a feature that prevents rogue plugins from taking over WordPress sites. The change allows a WordPress site to check if a plugin is legitimate or not and to block it from updating if it is flagged as blocked from updating.

WordPress Security Feature Unannounced

This new feature didn’t get an announcement.

Instead, the notation of this change was virtually hidden within a list of hundreds of other improvements to WordPress.

It was hidden in a long list of hundreds of other changes that were a part of WordPress 5.5.

This code update within WordPress 5.5 improves security and deserves to be better understood because it has a positive impact on security.

The list of changes made to WordPress 5.5 is so long that you have to scroll six times to get to where the note about this important security related update is.

WordPress Supply Chain Attacks

There are malicious organizations that purchase WordPress plugins to add malvertising, backdoors and links.  This attack method takes advantage of the trust that a publisher has for a plugin that they have already downloaded and trusted.

With auto-update enabled, this  could give a malicious plugin an easy way to infect every publisher using that plugin.

However, WordPress built a way to flag bad plugins and remotely disable the auto-update feature for the rogue plugin.

How WordPress 5.5 Stops Rogue Plugins

WordPress has built in a way to disable plugins from auto-updating if there’s a problem with it.

According to WordPress:

“The new auto-update UI is great, but it would benefit from having a way to remotely disable the auto-update for a plugin/theme.

It’ll open the possibility for WordPress.org to control the rollout of an auto-update, for example, auto-updating everyone 1-24hrs after release rather than immediately to allow for any major bugs to be discovered.

Ideally it’ll never need to be used for it, but it’ll also protect WordPress users by allowing us to disable it for a plugin or entirely if there are any unexpected behaviours from it.

The attached PR allows for the WordPress.org API response to include a disable_autoupdate flag which will disable it for that item, it’ll not affect the UI and hopefully will never be needed (aside from the example use-case of A/B smoke testing or the like).”

What will happen is that a WordPress site will check for verification on whether or not a plugin should be updated.

A “flag” called “disable_autoupdate” will communicate to the WordPress site to not update a specific plugin. This “flag” acts like a gatekeeper deciding which plugin will be stopped from updating.

Screenshot of WordPress Page Documenting Change in Code

This is a screenshot of the added code as documented by WordPress. The code acts like a gatekeeper, asking for a yes or no answer in order to determine whether to allow or block a plugin update.


Wordfence Says This is a Good Change

I contacted the security researchers at Wordfence (@wordfence) about this new feature.

Their answer they make reference to the following technical terms:

  • WP-Cron: This is a scheduled task that is carried out by the WordPress installation.
  • Core Team and Repo Managers: Workers at WordPress.org.
  • Repository: Where plugins are stored

This is what the researchers at Wordfence said:

“Auto-updates are triggered by the wp-cron on individual sites twice daily.

The site will look to the repository to identify theme/plugin updates if the site owner has auto-updates enabled for that particular theme or plugin.

Repository theme and plugin developers will check in a new version of a plugin on their own; the core team and repo managers don’t audit that code or check it.

So, with the auto-update feature now in place, any plugin code checked in will be available for download to any site that has auto-updates enabled.

This control is designed to prevent the rollout of that code to auto-updating sites if there is a problem. For example, this functionality could prevent some of the supply chain attacks we’ve seen in the past where an attacker purchased plugins and placed malicious code in repository plugins.

When a site reaches out to the repo for updates, the repo can respond with this flag (which should only be set to true or false) to make sure that plugins or themes with problems are not automatically updated.”

WordPress 5.5 Security Improvement

This new feature didn’t get an announcement. But it’s an important one because it makes publishing sites on WordPress safer and stops criminals from taking over WordPress sites.


Allow for WordPress.org to Remotely Disable Auto-updates for Plugins/Themes

Wordfence Article About WordPress Supply Chain Attacks

WordPress GitHub page for Auto-update Flag
Allow the API to Remotely Disable Auto-updates