WordPress WSOD protection feature could make sites vulnerable to attack

News by Teri Robinson

Security pros say a new WordPress feature that detects fatal PHP errors and determines which plugin or theme is the culprit could be used by hackers to disable security plugins and make WordPress sites vulnerable to attack.

WordPress may have intended the WSOD (white screen of death) protection feature included in WordPress CMS 5.1 to let the platform detect fatal PHP errors and determine which plugin or theme is the culprit, but security pros say hackers could use it to disable security plugins and make WordPress sites vulnerable to attack.

"Stopping extensions based on Fatal Error is more than fatal for WordPress as a whole, at any place, in any time," researcher Slavco Mihajloski wrote in a blog post, noting that attackers could provoke a fatal PHP error in a plugin and swoop in once the WSOD protection feature temporarily stops the plugin from executing.

"Malicious campaigns are relentless with their targets. Any pauses to the security plugins will render the sites vulnerable to any attack. There needs to be a better method for identifying and addressing PHP errors without disabling the security plugins," said The Media Trust Digital Security and Operations Director Pat Ciavolella. "Given the risk that the white screen of death feature raises, it becomes even more imperative that site owners who use this feature continuously monitor all the code it executes to ensure that none pose threats to the security and privacy of users."
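To make the mechanism and the trade-off concrete, here is an added illustration that is not WordPress core code and uses none of its APIs. It models the "pause the extension that raised a fatal error" pattern with a plain PHP shutdown handler, and adds the refinement the quote above asks for: a site owner's list of plugins that must never be silently paused, so a crash in one of them fails closed and raises an alert instead of leaving the site running without its protection. Every name in it (PLUGIN_DIR, PROTECTED_PLUGINS, wsod_shutdown_handler, the log file) is a hypothetical stand-in.

```php
<?php
// Added illustration, not WordPress core code: a minimal model of the
// "pause the plugin that fatally errored" pattern, plus a fail-closed
// rule for plugins the site owner considers security-critical.
// All identifiers here are hypothetical.

declare(strict_types=1);

// Hypothetical plugin base directory (assumption; WordPress keeps plugins
// under wp-content/plugins, but nothing below depends on that layout).
const PLUGIN_DIR = '/var/www/html/wp-content/plugins/';

// Plugins the owner never wants auto-paused. If one of these crashes,
// the request is aborted and an alert logged rather than the plugin
// being quietly taken out of the request pipeline.
const PROTECTED_PLUGINS = ['example-security-plugin'];

// Map the file that raised the fatal error back to a plugin slug, or
// return null if the error came from outside the plugin directory.
function plugin_slug_for_file(string $file): ?string
{
    if (strncmp($file, PLUGIN_DIR, strlen(PLUGIN_DIR)) !== 0) {
        return null;
    }
    $relative = substr($file, strlen(PLUGIN_DIR));
    $slug = strtok($relative, '/');
    return $slug === false || $slug === '' ? null : $slug;
}

// Decide how to treat a fatal error attributed to a plugin:
// 'pause' for ordinary plugins, 'fail-closed' for protected ones.
function decide_action(string $slug): string
{
    return in_array($slug, PROTECTED_PLUGINS, true) ? 'fail-closed' : 'pause';
}

// Shutdown handler: PHP runs this after a fatal error, and at that point
// error_get_last() still reports which file and line caused it.
function wsod_shutdown_handler(): void
{
    $error = error_get_last();
    if ($error === null) {
        return;
    }
    $fatalTypes = [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR, E_RECOVERABLE_ERROR];
    if (!in_array($error['type'], $fatalTypes, true)) {
        return;
    }
    $slug = plugin_slug_for_file($error['file']);
    if ($slug === null) {
        return; // not a plugin error; leave it to normal error handling
    }
    $action = decide_action($slug);
    error_log(sprintf(
        '[wsod] fatal in plugin %s (%s:%d): %s -> %s',
        $slug, $error['file'], $error['line'], $error['message'], $action
    ));

    if ($action === 'pause') {
        // Record the pause so an admin view can surface it (illustrative storage).
        file_put_contents(
            sys_get_temp_dir() . '/paused-plugins.log',
            $slug . PHP_EOL,
            FILE_APPEND | LOCK_EX
        );
    } else {
        // Fail closed: do not keep serving with the security plugin missing.
        http_response_code(503);
    }
}

register_shutdown_function('wsod_shutdown_handler');
```

The point of the split is the one the article makes: automatic pausing is a usability feature for ordinary plugins, but for a plugin whose job is to block attacks, silently removing it is worse than a temporary outage. A real deployment would also alert on every entry written to the pause log, since a sudden pause of a security plugin is exactly the signal a defender wants to see.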

This article was originally published on SC Media US.
