For a Content Management System (CMS) that powers one third of the Internet, WordPress leaves a lot to be desired in terms of security features. Much of that is not necessarily the fault of the WordPress team: independent developers contribute "plugins" that are often full of vulnerabilities and junk code. Some of these plugins are also not frequently maintained, resulting in sites loaded with vulnerabilities.
WordPress is set to receive an assortment of new security features today that will finally add the protection level that many of its users have desired for years.
These features are set to land with the official release of WordPress 5.2, expected later today. Included are support for cryptographically-signed updates, support for a modern cryptography library, a Site Health section in the admin panel backend, and a feature that will act as White-Screen-of-Death (WSOD) protection, letting site admins access their backend in the case of catastrophic PHP errors. With WordPress installed on around 33.8 percent of all internet sites, these features are set to put some fears at ease regarding some attack vectors.
Probably the biggest and the most important of today's new security features is WordPress' offline digital signatures system. Starting with WordPress 5.2, the WordPress team will digitally sign its update packages with the Ed25519 public-key signature system so that a local installation will be able to verify the update package's authenticity before applying it to a local site.
Better late than never, WordPress...
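
The verify-before-apply step described above, shown in PHP with the libsodium functions bundled since PHP 7.2. This is an added example, not WordPress core code: the function name, the pinned-key list and the sample package are hypothetical, and a throwaway key pair stands in for the real signing key.

```php
<?php
// Added illustration; not WordPress core code. All names below are hypothetical.

/**
 * Return true only if $signatureB64 is a valid Ed25519 signature over the
 * package bytes under at least one pinned public key. Fails closed: any
 * malformed input or empty key list yields false, never an exception.
 */
function package_signature_is_valid(string $packageBytes, string $signatureB64, array $trustedKeysB64): bool
{
    $signature = base64_decode($signatureB64, true);
    // An Ed25519 signature is always exactly 64 bytes.
    if ($signature === false || strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    foreach ($trustedKeysB64 as $keyB64) {
        $publicKey = base64_decode($keyB64, true);
        // Skip malformed keys instead of letting libsodium throw.
        if ($publicKey === false || strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
            continue;
        }
        if (sodium_crypto_sign_verify_detached($signature, $packageBytes, $publicKey)) {
            return true;
        }
    }
    return false;
}

// Constructed demo: a throwaway key pair stands in for the vendor's signing key.
// In a real deployment only the public key ships with the installation.
$keyPair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keyPair);
$trusted   = [base64_encode(sodium_crypto_sign_publickey($keyPair))];

$package   = "constructed update package bytes";
$signature = base64_encode(sodium_crypto_sign_detached($package, $secretKey));

// Each call is a case the updater must distinguish before touching the site.
var_dump(package_signature_is_valid($package, $signature, $trusted));          // genuine package
var_dump(package_signature_is_valid($package . "\x00", $signature, $trusted)); // tampered package
var_dump(package_signature_is_valid($package, $signature, []));                // no pinned keys
var_dump(package_signature_is_valid($package, 'not-base64!', $trusted));       // malformed signature
```

Because the public keys are pinned locally, the check works offline and does not depend on trusting the server that delivered the package.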