WordPress 5.6 Introduces a New Risk to Your Site: What to Do

WordPress 5.6, the final major release planned for 2020, comes out today, on December 8, 2020. It includes a few major features and updates, as well as a huge number of minor enhancements and bug fixes. A few changes have immediate implications for security and compatibility which we’ve highlighted in this post for WordPress users.

Application Passwords add functionality, and risk

WordPress 5.6 will come with a new feature that allows external applications to request permission to connect to a site and generate a password specific to that application. Once the application has been granted access, it can perform actions on behalf of a user via the WordPress REST API.

Unfortunately, socially engineering a site administrator into granting application passwords to a malicious application is trivial. An attacker could trick a site owner into clicking a link requesting an application password, naming their malicious application whatever they wanted:

[Image: WordPress login page with the text "Please login to SG Blog to authorize Anyone who feels like it to connect to your account"]

Worse yet, the application password request URLs are set up to send the newly generated password to the requester’s site via a redirect URL. Since application passwords function with the permissions of the user that generated them, an attacker could use this to gain control of a website. We demonstrated how an attacker could use a social engineering attack using application passwords on Wordfence Live.

For this reason, the latest version of Wordfence, 7.4.14, disables application passwords by default. If you have a specific use case for application passwords and would like to re-enable application passwords, you can do so under Wordfence->Firewall->Manage Brute Force Protection:

[Image: Wordfence settings to Disable Application Passwords]

Despite the risk, application passwords are likely to offer some utility in the future. Some examples of how they could be used include publishing posts to a WordPress site from other interfaces, accessing or updating data in the WordPress database, or even creating users.

This functionality is, on the surface, similar to XML-RPC, but the REST API offers significantly broader capabilities. Additionally, application passwords are securely generated and are 24 characters long, so brute force and credential stuffing attacks are unlikely to be successful.

If you decide to make use of application passwords, we strongly recommend setting up a user with minimal permissions, ideally with only the necessary capabilities specifically for the application you wish to connect to.
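The following mu-plugin is an added example, not code from WordPress or from Wordfence, showing how the controls recommended above can be enforced with the core hooks WordPress 5.6 introduced for this feature: application passwords are only available to one dedicated low-privilege role, authorization requests whose success URL would deliver the new password to an unexpected host are refused, and every password creation is logged. The role name `rest_publisher`, its capability set, and the host allowlist are placeholders to adapt.

```php
<?php
/**
 * Plugin Name: Restrict Application Passwords (added example)
 *
 * Drop this file into wp-content/mu-plugins/ on a WordPress 5.6+ site.
 * It does not replace the Wordfence "Disable application passwords" option;
 * it shows how the same controls can be applied with core filters when one
 * application genuinely needs REST API access.
 */

// Assumptions: a dedicated low-privilege role for the connecting application,
// the capabilities it needs, and the only host(s) allowed to receive a newly
// generated password through the success_url redirect. All are placeholders.
const RAP_ALLOWED_ROLE  = 'rest_publisher';
const RAP_ALLOWED_CAPS  = array( 'read' => true, 'edit_posts' => true, 'publish_posts' => true );
const RAP_ALLOWED_HOSTS = array( 'publisher.example.com' );

// 1. A role that carries only what the application needs. add_role() is a
//    no-op once the role exists, but the check keeps the intent explicit.
add_action( 'init', function () {
    if ( null === get_role( RAP_ALLOWED_ROLE ) ) {
        add_role( RAP_ALLOWED_ROLE, 'REST Publisher', RAP_ALLOWED_CAPS );
    }
} );

// 2. Application passwords exist only for that role. Administrators and
//    editors cannot be talked into creating one, because both the profile UI
//    and the REST endpoints consult this filter before offering the feature.
add_filter( 'wp_is_application_passwords_available_for_user', function ( $available, $user ) {
    return $available && in_array( RAP_ALLOWED_ROLE, (array) $user->roles, true );
}, 10, 2 );

// 3. Refuse authorization requests whose success_url points anywhere other
//    than the approved application host. Core already rejects plain-http
//    success URLs; this narrows it to a host allowlist.
add_filter( 'wp_authorize_application_password_request_errors', function ( $error, $request, $user ) {
    if ( ! empty( $request['success_url'] ) ) {
        $host = strtolower( (string) wp_parse_url( $request['success_url'], PHP_URL_HOST ) );
        if ( ! in_array( $host, RAP_ALLOWED_HOSTS, true ) ) {
            $error->add(
                'rap_bad_success_url',
                'Application passwords may only be delivered to an approved application host.'
            );
        }
    }
    return $error;
}, 10, 3 );

// 4. Leave an audit trail: a new application password is a credential
//    issuance event and belongs in the same log as logins.
add_action( 'wp_create_application_password', function ( $user_id, $item ) {
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'application password "%s" (uuid %s) created for user %d from %s',
        $item['name'],
        $item['uuid'],
        (int) $user_id,
        $remote
    ) );
}, 10, 2 );
```

If no application needs the feature at all, the single line `add_filter( 'wp_is_application_passwords_available', '__return_false' );` turns it off site-wide, which is the effect the Wordfence setting described above has. After activating the mu-plugin, confirm the restriction by opening the profile page of an administrator (the Application Passwords section should be absent) and of a `rest_publisher` user (it should be present).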

The jQuery update continues

WordPress 5.5, released in August 2020, removed the jQuery Migrate script. This caused many sites using plugins dependent upon older versions of jQuery to experience issues.

If your site was affected and you’re currently using the Enable jQuery Migrate Helper plugin to work around these issues, you’ll want to make sure your site works without it before updating to WordPress 5.6.

This is because WordPress 5.6 will update to the latest version of jQuery and add jQuery Migrate 3.3.2, which can conflict with the version re-enabled by the Enable jQuery Migrate Helper plugin, which is jQuery Migrate 1.4.1.

WordPress has been using outdated versions of the jQuery library for several years now.

WordPress 5.6 is step 2 of a 3-step plan to get WordPress on an up-to-date version of jQuery. This plan has been:

  • WordPress 5.5: Remove the jQuery Migrate 1.x script. (August 2020)
  • WordPress 5.6: Update to the latest jQuery, jQuery UI, and jQuery Migrate scripts. (December 2020)
  • WordPress 5.7: Remove the jQuery Migrate script. (March 2021)

Because of this timeline, jQuery compatibility is actually significantly more urgent than PHP 8.0 compatibility. Plugin and theme developers should use the next few months before the release of WordPress 5.7 to completely transition their code to be compatible with the latest version of jQuery without the assistance of jQuery Migrate.
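To find the code that will stop working once jQuery Migrate is removed, a quick audit of a plugin's or theme's JavaScript for the APIs Migrate shims is useful. The script below is an added example written for this article, not a WordPress, Wordfence or jQuery tool; the pattern list covers the removals and deprecations most often hit by WordPress plugins and is not exhaustive. The embedded sample JavaScript is constructed for demonstration.

```php
<?php
/**
 * scan-jquery-migrate.php (added example)
 *
 * Usage: php scan-jquery-migrate.php wp-content/plugins/my-plugin
 *
 * Walks a directory for .js files and reports calls to jQuery APIs that were
 * removed in jQuery 1.9 or 3.0, or deprecated since, i.e. code that only keeps
 * working while jQuery Migrate is loaded. Exits with status 1 when anything
 * is found, so it can run in CI. Without an argument it scans JQ_SAMPLE.
 */

// Regex => replacement advice. "$." patterns also match the "jQuery." alias.
const JQ_PATTERNS = array(
    '/(?:\$|jQuery)\.browser\b/'     => '$.browser was removed in 1.9; use feature detection',
    '/\.live\s*\(/'                  => '.live() was removed in 1.9; use .on() with a delegated selector',
    '/\.die\s*\(/'                   => '.die() was removed in 1.9; use .off()',
    '/\.size\s*\(\s*\)/'             => '.size() was removed in 3.0; use .length',
    '/\.andSelf\s*\(/'               => '.andSelf() was removed in 3.0; use .addBack()',
    '/\.bind\s*\(\s*[\'"]/'          => '.bind("event", fn) is deprecated since 3.0; use .on()',
    '/\.unbind\s*\(/'                => '.unbind() is deprecated since 3.0; use .off()',
    '/\.delegate\s*\(/'              => '.delegate() is deprecated since 3.0; use .on()',
    '/(?:\$|jQuery)\.parseJSON\s*\(/' => '$.parseJSON() is deprecated since 3.0; use JSON.parse()',
    '/(?:\$|jQuery)\.isArray\s*\(/'  => '$.isArray() is deprecated since 3.2; use Array.isArray()',
    '/(?:\$|jQuery)\.trim\s*\(/'     => '$.trim() is deprecated since 3.5; use String.prototype.trim()',
);

// Constructed sample input, used when no directory is given.
const JQ_SAMPLE = '
jQuery(function ($) {
    $("#menu a").live("click", toggleMenu);   // removed in 1.9
    if ($.browser.msie) { applyIeFix(); }      // removed in 1.9
    var count = $(".item").size();             // removed in 3.0
    $(window).on("resize", layout);            // fine
});
';

// Scan one file\'s contents; returns a list of [line, code, advice] findings.
function scan_source( string $source ): array {
    $findings = array();
    foreach ( explode( "\n", $source ) as $i => $line ) {
        foreach ( JQ_PATTERNS as $pattern => $advice ) {
            if ( preg_match( $pattern, $line ) ) {
                $findings[] = array( 'line' => $i + 1, 'code' => trim( $line ), 'advice' => $advice );
            }
        }
    }
    return $findings;
}

// Scan every non-minified .js file under $dir; returns path => findings.
function scan_directory( string $dir ): array {
    $results  = array();
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iterator as $file ) {
        $path = $file->getPathname();
        // Minified bundles are single-line and often embed jQuery itself; skip them.
        if ( substr( $path, -3 ) !== '.js' || substr( $path, -7 ) === '.min.js' ) {
            continue;
        }
        $findings = scan_source( (string) file_get_contents( $path ) );
        if ( $findings ) {
            $results[ $path ] = $findings;
        }
    }
    return $results;
}

if ( PHP_SAPI === 'cli' ) {
    if ( isset( $argv[1] ) && is_dir( $argv[1] ) ) {
        $results = scan_directory( $argv[1] );
    } else {
        $results = array( '(sample)' => scan_source( JQ_SAMPLE ) );
    }
    foreach ( $results as $path => $findings ) {
        foreach ( $findings as $f ) {
            printf( "%s:%d: %s\n    %s\n", $path, $f['line'], $f['advice'], $f['code'] );
        }
    }
    exit( $results ? 1 : 0 );
}
```

The `.bind(` pattern deliberately requires a quoted event name so that `Function.prototype.bind(this)` is not reported. A clean run of this script is not proof of compatibility, since jQuery UI and shorthand event methods such as `.click()` are not covered; loading the site with WordPress 5.6's jQuery Migrate 3.3.2 and watching the browser console for "JQMIGRATE" warnings remains the authoritative check.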

Although security fixes have been backported into the versions of jQuery used by previous versions of WordPress, many tools, such as Google’s Lighthouse, have reported that WordPress sites were vulnerable due to running an older version of jQuery. One bit of good news is that these site auditing tools should no longer show WordPress 5.6 sites as being vulnerable.

WPTavern has an excellent article that goes into more detail about the situation.

PHP 8 Compatibility

WordPress 5.6 is intended to be “beta compatible” with PHP 8. This means that during normal usage, a site running WordPress 5.6 on PHP 8 with a default theme and no plugins will be unlikely to run into any problems. Our previous article dives into some of the challenges plugin authors will face when it comes to compatibility with PHP 8.

If you’re a typical WordPress site owner using a fair number of plugins, it may be some time before it’s safe to update to PHP 8. On the other hand, if you’re creating a brand new site from scratch, you’ll be able to get ahead of many issues by starting with the latest version of PHP and WordPress.

Automatic major version updates

We’ve discussed automatic updates in the past, and how they can be essential for some use cases and potentially catastrophic for others. Currently, WordPress core automatically applies minor updates, which are typically much safer than automatic plugin updates due to extensive testing.

Starting with WordPress 5.6, all new WordPress installations will receive automatic updates for major versions. This means that if you create a fresh WordPress site with WordPress 5.6, it will automatically be updated to WordPress 5.7 when it comes out. While this has a higher likelihood of causing issues, bear in mind that the most likely problems will be with incompatible plugins, which will be much less prevalent on brand new sites.

Existing sites that have updated to WordPress 5.6 from previous versions will retain the current behavior of automatically updating only for minor versions and security patches, so current site owners do not have to worry about this. If desired, a current site owner can now opt in to automatic major version updates and even Beta and RC releases.

A brand new theme

Since 5.6 is the final major version of WordPress to be released for 2020, it includes a new default theme for next year, titled Twenty Twenty-One. Like previous default WordPress themes, it is based on an existing theme, Seedlet, and is fairly minimal, though it does include support for Dark Mode.

Conclusion

WordPress 5.6 includes a number of changes, improvements, and bug fixes, including many we haven’t covered. We’ve focused on the items we feel are most relevant to our users and most likely to cause issues. As with all major updates to WordPress, whether or not you wish to update right away will depend on your use case. There are a number of promising new features as well as some potential for growing pains, but these will be applicable to developers rather than users.

Special thanks to QA Lead Matt Rusnak and Threat Analyst Chloe Chamberland for their findings and assistance with this article.
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.

Comments

36 Comments

  • Thanks for the update, we hope the WordPress theme fixes these security loopholes as soon as possible

    • Thanks for the comment, Rimplenet. To be clear, there are no security loopholes in WordPress 5.6. However, if you are not using Wordfence, be aware of social engineering risks of application passwords. If you are using Wordfence, be aware that application passwords are disabled by default as of Wordfence 7.4.14.

  • Thank you

  • Thanks for the update! Love Wordfence!

  • Is the new option "Disable WordPress application passwords" existing in both the premium and free versions?

    • Yes, disabling WordPress application passwords is available to both Wordfence Premium as well as free users of Wordfence. It is also on by default. If you require application passwords in the future, you can turn this off. We also recommend using a lower privilege user for any applications requiring access to your WordPress site, if at all possible.

      • Thank you very much! Great point to let us all understand.

  • Thanks so much for this. I hadn't caught up with what was happening with JQuery, so it's great to see what the migration plan is/should be.

  • Thanks to the Wordfence team for staying on top of WP problematic security issues. Not being a techie, having your guys standing guard over our site means I no longer have worry about security issues. You guys are the best.

  • Do you think I should postpone the WordPress update to the latest? And I have to test the latest WordPress first on my local site?
    And is there no problem if I delay updating WordPress to the latest version? Are there no security holes or other bugs if I delay updating WordPress to the latest version?

    • Hi Mushlih,

      I do recommend testing the latest version of WordPress on your local site, but if there are no issues then you should likely update. While the latest version does not appear to contain any security patches that we are aware of, it does contain a number of fixes for other issues, and staying up to date is good practice. While the jQuery changes may cause some growing pains, it will be worth it.

      • Thank you very much for the answer
        If I update that, will it also update my site to PHP 8?

        • Hi Mushlih,

          You can update WordPress to 5.6 without updating PHP. The update to PHP 8 is separate and would have to be through your hosting provider.

          • Ok, thank you very much

  • Hello Wordfence team,
    Thank you for this very interesting post. Every update of WP makes me worried, especially lately because of all the plugin and theme updates needed after... and the risk of a big bug...
    For security, Wordfence has been installed on all my websites for many years now and it really helps me to sleep well ;)
    Merry Christmas time for all
    Cécile from France

  • Thanks for sharing this...
    Although the WordPress core team might have introduced application passwords as a precaution, like you mentioned, one still has to be careful

  • Thank you for this useful rundown of the newest WordPress update. While it does sound exciting, I'm going to hold off for the time being and make sure all my plugins have caught up.

  • Thanks, these recaps are good!

  • Thank you so much for being there. You guys are awesome.

  • Also a potential problem is that the latest WP update by default installs the TwentyTwentyOne theme. On one of our sites, it also apparently installed a whole raft of older WP themes: TwentyTwelve THROUGH TwentyTwenty! I do not think an "update" should be installing new themes, even though they are not activated.

  • How do we update to PHP 8?

    • Hi Aliya,

      You'll need to check with your hosting provider to see if they offer PHP 8. We expect most hosting providers will not begin offering it for several months, though a few are making it available already.

  • I turned WP auto-updates OFF in my current version (5.5.3). Will this setting be lost / need to be re-applied if I update to 5.6?

    • Older sites will not get auto-updates turned on by default, only brand new sites that are starting out on WordPress 5.6. Your setting should apply going forward.

  • Great post!

  • Hello Wordfence team,
    Where is the application password located at? I don’t see it!!

    • If you're using the most recent version of Wordfence, you'll need to toggle off "Disable application passwords" in Wordfence settings. Then, you can see application passwords within each user's profile page. If you're not using application passwords, we recommend that you keep application passwords disabled.

  • I had upgraded my website to the latest version of WordPress, from 5.5 to 5.6. A few hours after the upgrade my site started showing a blank popup on screen which was not removable even though it had a cancel icon at the top.
    The whole structure of saibanproperteis.com was disturbed.
    So I've downgraded back to 5.5 and now it's working fine.
    So if you want to upgrade your version, do it at your own risk.

    • Hi Saiban,

      The issue you encountered does sound like it was likely caused by the new jQuery, jQuery UI, or jQuery Migrate versions. While you're on 5.5, you can use the "Enable jQuery Migrate Helper" plugin for troubleshooting as it should tell you whether your site needs the older version of jQuery Migrate enabled - you can disable plugins one by one to determine which one(s) are causing the compatibility issue.

  • I'm confused what you say here:

    If your site was affected and you’re currently using the Enable jQuery Migrate Helper plugin to work around these issues, you’ll want to make sure your site works without it before updating to WordPress 5.6.

    Surely the point of using Enable jQuery Migrate Helper was to fix a site broken by the WordPress 5.5 update, so removing it will just break it again? Or do you simply mean, deactivate it just before updating to 5.6 because that now includes the latest version of Enable jQuery Migrate Helper?

    • Hi Alan,

      The idea was that between WordPress 5.5 and WordPress 5.6, any plugins you are using should have been updated to work with the updated version of jQuery and if they have not you would want to troubleshoot that before updating to 5.6. However, it's come to our attention that the Enable jQuery Migrate Helper plugin has been updated as well to help with this troubleshooting process. Please keep in mind that the goal is not to use the jQuery Migrate Helper plugin indefinitely, but to use it to determine what needs to be changed in order to successfully update.

      • Thanks, Ram.

        The issue for me is templates (although I suspect I may also come across some plugin issues as well): I have a number of older sites whose template was designed in Artisteer. I do have some already converted to a pagebuilder template, but the others don't really need to be updated and this is simply a load of additional work I could do without. I was just unaware that this was WordPress's plan and didn't find out about the V5.5 issues until it was too late - and even then it was difficult for me as a relative amateur to understand what happened and what was needed to fix it. When my sites broke on the V5.5 update, I spent more than a few hair-raising hours finding out what the problem was and how to fix it. Yes, Artisteer is old but I just did not know it was going to happen. History is repeating itself with V5.6.

        Now I'm still not entirely clear what I need to do for V5.6. I suspect for many amateur WordPress users, troubleshooting jQuery issues is a non-starter. I have some (rusty) software skills but I will probably just have to bite the bullet and redesign nine sites before updating to V5.6.

        I appreciate I'm complaining to the wrong people here and thanks for at least making me aware of the plans for WordPress and jQuery - even if I don't fully understand!

  • Does Wordfence Console or ManageWP use application passwords?

    • As this is a brand new feature never before available in WordPress, both Wordfence Central and ManageWP have their own authentication methods.

  • Thanks for your great quick article about WordPress 5.6

  • Great info. I was wondering what else WordPress will change and came across this article, which is very informative. WordPress will close these loopholes soon hopefully.