Think Like a Hacker Episode 82

Episode 82: Important Changes in the WordPress 5.5 Update

WordPress 5.5 was released on August 11 with a number of important updates, including a new feature allowing auto-updates of themes and plugins as well as changes to the block editor. The popular Astra theme was suspended from the repository for having affiliate links in the code.

A vulnerability found in Google Chromium-based browsers could allow attackers to bypass Content Security Policy in order to steal data and execute rogue code; this vulnerability affects billions of users. The Wall Street Journal reported that government tracking software is embedded in over 500 mobile apps.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:12 WordPress Auto-Updates: What do you have to lose?
2:17 Astra theme suspended and reinstated
3:57 Google Chrome browser bug exposes billions of users to data theft
5:35 WSJ Report: Hundreds of apps have hidden tracking software used by the government

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 82 Transcript

Scott Miller:
Hey everyone, it’s Scott from Wordfence. This is another edition of Think Like a Hacker, the weekly podcast about WordPress, security and innovation. Let’s get right into the news.

Our first story of the day is the WordPress 5.5 update. So on Tuesday, August 11th, WordPress released their 5.5 update, and it allows automatic updates to be enabled for individual plugins and themes. Auto-updates will be disabled by default, but you can enable the ability for those plugins to update automatically in the plugin section of your site. Now, the addition of auto-updates improves site security by shortening the time that it takes to get plugins updated. And this can be big if there are security updates in those plugins. Now auto-updates do pose some problems, and we talked about that at length on our Office Hours stream this week, and you can find that on the Wordfence YouTube channel by searching Wordfence Office Hours on YouTube.

So depending on the kind of site that you’re running and how often you log in to check on things, auto-updates might be a good idea to keep things up to date and protected. If you’re a larger business and you have eyes on the site very frequently, it might be best to start off slow and continue updating your plugins manually for now. If you’d like to read more about how these auto-updates can impact your site, we have a great blog post on wordfence.com titled WordPress Auto-Updates: What do you have to lose? That was posted on August 6th and you can head over there and check it out on the blog.

Also introduced in WordPress 5.5 were multiple user interface changes to the block editor, which was initially introduced in WordPress 5.0 in 2018. These UI changes make adding, editing, and moving blocks in your posts and pages a bit more fluid. Also included in WordPress 5.5 were site maps, which WordPress will generate for you by default and a new lazy-load feature, which aims to save on bandwidth and speed your site up. How this works is it basically only loads images that are in view of the browser window for your visitor at any given time. So this is a nice impact on speed and performance.

Our second story this week is the Astra theme suspension. This is the first non-default WordPress theme to break the 1 million install mark, and not long after it did, it was suspended due to breaking a rule on having affiliate links in the code. Shortly after a back and forth between the themes team and the theme authors, the theme was then reinstated. However, the ongoing penalty at the moment is that the theme is absent from the popular themes list. The way the popular themes list works is it uses the theme’s date of publication, as well as the number of downloads, to determine a theme’s popularity. So what the theme team did was they changed the date for the theme to push it down the popular list. Delisting a theme like this is a way for the themes team to deal with guideline violations while not outright suspending a theme. And, such as in this case, the users will still then have access to new updates.

It’s worth noting that this is the company’s first violation and while Brainstorm Force, the team behind the Astra theme, didn’t directly add affiliate links, they did inject the company’s referral ID into affiliate links for third party plugins. Since the initial encounter, an additional week has been added to the suspension when another affiliate related violation was found. These penalties can result in a large loss in revenue. And in a similar case, the Zerif Lite theme received a suspension and it resulted in a significant revenue loss. The Zerif Lite theme had only about one third of the active users that Astra has.

Next up, a vulnerability was found in the Google Chromium browsers, which would allow attackers to bypass CSP, content security policy, in order to steal data and execute rogue code. This vulnerability affects Chrome, Opera and Edge on Windows, Mac, and Android, which spans to potentially affect billions of users. The affected versions are Chrome version 73 through version 83. The issue was patched in Chrome version 84, which was released last month in July. The vulnerability was then present for more than a year before the patch. Now content security policy is a standard method to enforce data security and it’s used by a lot of major companies, such as Facebook, ESPN, Gmail, to just name a few.

And it’s used to prevent attacks such as cross-site scripting and data injection attacks. In order for this vulnerability to have been exploited, an attacker would have first had to have gained access to the web server. And that could have been done via social engineering or brute forcing, among other things. After gaining access, attackers could have then altered the JavaScript code that the server uses to load and inject code resulting in a bypass of the CSP. So a couple things, be sure to check and see if you’re on the latest version of your web browser, and it’s also advised to audit your browser by checking your browser extensions and remove anything that you either aren’t familiar with or that you no longer use.

And our last story for this week, a new report by The Wall Street Journal has exposed government tracking software in over 500 mobile apps. Anomaly Six, a Virginia-based company, included its tracking code within their mobile apps, which then collected data from mobile devices, and that data was then sold to the US government. In the report, it’s mentioned that Anomaly Six would not name any of the apps that their software is currently included in. Now, if there’s a bright side, it’s that the data collected is anonymous. Though, as we’ve seen in cases in the past, there are methods along the way for identifiers to be used to associate data with an individual. It appears that at the current time, what is being done here is legal, and it’s also mentioned that it’s clear that we’re behind on laws and regulations with regard to collecting this kind of information, even anonymously.

Currently, there is no way to tell if we’re even using one of these apps right now. So it might be a good time to audit our phones as well. So you can do that by just going through and looking at some apps that you don’t commonly use, or you don’t use at all, and go ahead and get rid of those. You also might be asking, “What is the government doing with this anonymous information?” And I think a lot of us are wondering the same thing. So drop us a comment in our show notes on wordfence.com/podcast and give us your thoughts on this or any of our other stories today.

That does it for this week’s edition of Think Like a Hacker. Be sure to check us out on Wordfence Office Hours, which airs every Tuesday at noon, Eastern 9:00 AM Pacific, where we talk all things WordPress and Wordfence security. I hope today’s news found you well, and we’ll be back next week on Think Like a Hacker. From all of us here at Wordfence, have a great weekend and we’ll see you next time.

Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.
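The auto-updates story above describes turning updates on per plugin from the Plugins screen in WordPress 5.5. For sites that want the shorter patch window without letting every plugin update itself, the same decision can be made in code. The snippet below is an added example written for this page, not code from Wordfence or the WordPress project; it uses the core `auto_update_plugin` and `auto_update_theme` filters, and the allow-listed slugs in it are constructed placeholders.

```php
<?php
/**
 * Added example: allow WordPress auto-updates only for an explicit list of
 * plugins and themes. Intended for a must-use plugin (wp-content/mu-plugins/)
 * and meant to be tried on a staging site before production.
 *
 * Slugs below are constructed placeholders, not real plugins or themes.
 */

// Plugins permitted to auto-update (directory slug, e.g. "akismet" for akismet/akismet.php).
const EXAMPLE_AUTO_UPDATE_PLUGINS = array(
    'example-security-plugin',
    'example-forms-plugin',
);

// Themes permitted to auto-update (stylesheet directory name).
const EXAMPLE_AUTO_UPDATE_THEMES = array(
    'example-child-theme',
);

/**
 * Decide whether a plugin may auto-update.
 *
 * @param bool|null $update Core's current intention for this item.
 * @param object    $item   Update offer; $item->slug is the plugin directory slug.
 * @return bool
 */
function example_plugin_auto_update_policy( $update, $item ) {
    // Unknown or malformed offer: keep the update manual rather than guess.
    if ( empty( $item->slug ) ) {
        return false;
    }
    // Strict comparison so a slug like "0" cannot match loosely.
    return in_array( $item->slug, EXAMPLE_AUTO_UPDATE_PLUGINS, true );
}
add_filter( 'auto_update_plugin', 'example_plugin_auto_update_policy', 10, 2 );

/**
 * Decide whether a theme may auto-update.
 *
 * @param bool|null $update Core's current intention for this item.
 * @param object    $item   Update offer; $item->theme is the stylesheet directory.
 * @return bool
 */
function example_theme_auto_update_policy( $update, $item ) {
    if ( empty( $item->theme ) ) {
        return false;
    }
    return in_array( $item->theme, EXAMPLE_AUTO_UPDATE_THEMES, true );
}
add_filter( 'auto_update_theme', 'example_theme_auto_update_policy', 10, 2 );
```

Because these filters run after the per-item toggles from the 5.5 admin screen, returning `false` here overrides a toggle that was switched on in the UI, which keeps the policy in version control rather than in a setting any administrator can flip. Pair it with a review of the update log and a working backup so an update that breaks the site can be rolled back.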
