New WordPress security feature could jeopardize websites and blogs.
The functionality can provide attackers with the ability to disable firewalls, two-factor authentication, and protection against brute-force attacks.
A new security feature that WordPress developers intend to implement in WordPress 5.1, scheduled for release this spring, may put sites and blogs on this platform at risk, security experts warn.
The feature, called “WSOD (white-screen-of-death) Protection”, is designed to catch fatal PHP errors caused by plugins and themes. When such an error occurs, WSOD Protection suspends the offending theme or plug-in, giving the site administrator a chance to diagnose the problem.
The WordPress team began working on the new functionality several months ago as part of a strategy to migrate sites from outdated PHP 5.x versions to the more recent PHP 7.x releases.
However, according to some experts, attackers can turn the functionality to their own purposes. In particular, information security specialist Slavco Mihajloski pointed out that attackers can use low-severity exploits in WordPress plugins to trigger fatal PHP errors. WSOD Protection would then pause the affected plug-in, giving the attacker a way to disable firewalls, two-factor authentication, brute-force protection, and other security plug-ins on a site.
Matt Rusnak, a WordFence specialist, agrees with Mihajloski. He described several attack scenarios in which the feature could benefit an attacker. In the first, a security plug-in is suspended because other plug-ins consume too much memory, which opens a security gap. In the second, attackers exploit local file inclusion vulnerabilities in plug-ins or themes to disable plug-ins en masse at a moment of their choosing.
WordPress developers intend to add the WP_DISABLE_FATAL_ERROR_HANDLER option to the wp-config.php configuration file that will allow site owners to disable the new security feature. At the moment, it is unclear whether WSOD Protection will be enabled by default in WordPress 5.1.
Experts recommend enabling this feature only temporarily, while updating the PHP server, the WordPress core or plug-ins, and keeping it disabled the rest of the time.
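Following the recommendation above, an administrator will want to verify that wp-config.php actually carries the WP_DISABLE_FATAL_ERROR_HANDLER setting outside upgrade windows. The audit check below is an added example, not code from WordPress or from the researchers quoted; it parses a constructed wp-config.php fragment, ignores commented-out defines, and reports whether the constant is defined as true, defined as false, or absent.

```python
import re

# Constructed sample wp-config.php fragment (not taken from any real site).
SAMPLE_WP_CONFIG = """<?php
/* Database settings */
define( 'DB_NAME', 'example' );
// define('WP_DISABLE_FATAL_ERROR_HANDLER', true);  // left over from a past upgrade
define('WP_DISABLE_FATAL_ERROR_HANDLER', FALSE);
define( 'WP_DEBUG', false );
"""

# Matches define('WP_DISABLE_FATAL_ERROR_HANDLER', true); with either quote style,
# any spacing and a case-insensitive boolean literal.
_DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"]WP_DISABLE_FATAL_ERROR_HANDLER['"]\s*,\s*(true|false)\s*\)\s*;""",
    re.IGNORECASE,
)

def _strip_comments(line, in_block):
    """Drop /* */, // and # comments from one line; returns (code, still_in_block)."""
    out, i = "", 0
    while i < len(line):
        if in_block:
            end = line.find("*/", i)
            if end == -1:
                return out, True
            i, in_block = end + 2, False
        elif line.startswith("/*", i):
            i, in_block = i + 2, True
        elif line.startswith("//", i) or line[i] == "#":
            break
        else:
            out, i = out + line[i], i + 1
    return out, in_block

def fatal_error_handler_disabled(wp_config):
    """True if the constant is defined as true, False if defined as false,
    None if it is not defined at all (WordPress' own default then applies).
    The first live (uncommented) define wins, as in PHP, where a constant cannot be redefined."""
    in_block = False
    for raw in wp_config.splitlines():
        code, in_block = _strip_comments(raw, in_block)
        m = _DEFINE_RE.search(code)
        if m:
            return m.group(1).lower() == "true"
    return None
```

A result of False or None means WSOD Protection is not switched off by the configuration file, which is the state the recommendation above says to avoid outside an upgrade.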