
Security Updates in WordPress 6.8

In this session, John Blackbourn, WordPress security team lead, discusses the security improvements in WordPress 6.8. He focuses on how password storage is becoming more robust with the adoption of BCrypt hashing. He also dives into the often-overlooked area of software supply chain security, detailing how the WordPress team is hardening development workflows (especially GitHub Actions) to prevent vulnerabilities from entering during automated processes like testing and deployment.

Hi everyone, my name is John Blackbourn. I am the WordPress core security team lead and a longtime contributor to the WordPress open-source project. I hope you’re enjoying the Cloudways WordPress security boot camp so far. I’m going to talk today about two topics: firstly, the security enhancements that will be released soon in the next version of WordPress, and secondly, some improvements that have been made to the software supply chain for the WordPress open-source project, and how both of those changes can help website owners maintain a more secure website. So let’s take a look.

The next major version of WordPress will be version 6.8, which is due to be released in April. One of the security-related changes in this version is to the way that user passwords are stored in the database, in order to increase their security. This is a technical change to the underlying algorithm that is used to convert a password from its plain value into something that’s safe to store in the database, and this is a notable change because the way that a password is stored in a database is very important. The password can’t be stored in plain text, because that would mean if somebody were to gain access to your database they would be able to see the value of all of the passwords. A password needs to be stored in a cryptographically secure method, which means if someone were to gain access to your database they would not be able to reverse engineer that value in order to discover the actual value of the password.

Now you might be thinking, well, how could that happen? How might somebody gain access to the database for my website, and if they do, surely I have a bigger problem to worry about than my password? Well, there are a few ways that this might happen. One common one is a misplaced database backup. How many times have you taken a backup of your database and stored it somewhere else, or downloaded it to your computer, or accidentally left a backup lying around on the file system on your website? All of these are opportunities where an outside factor could result in somebody getting access to a copy of your database, even if they don’t have live access to your current database, and this is why protecting the value of passwords stored in the database is important, as it prevents passwords from being discovered and then used to log into your website, or indeed to log in anywhere else that you’ve used the same password, which you shouldn’t be doing.

So in WordPress 6.8 the underlying mechanism that’s used to securely store a password is being updated to bcrypt, which is the industry standard for creating a cryptographically secure hash of a password. If somebody were to gain access to your database, or a copy of a backup of your database, they would not be able to reverse engineer a stored password value in order to discover the password itself. The password storage mechanism used in WordPress prior to version 6.8 is still secure, but bcrypt increases this security by a couple of orders of magnitude, and this sets us up well for the future as the capabilities of computers continue to increase and we need to continue protecting stored passwords.

So why is all of this important? Surely if nobody accesses your database then none of this matters? Well, you may have heard the term defense in depth. Unfortunately it’s not possible to just press a button and make every aspect of your website secure. Security is only achieved by combining measures and continually improving, and this is one of those improvements that, when combined with other security best practices, helps maintain the overall security of your website and its data.

Now the neat thing about this change is that it’s entirely invisible. If you’re the owner of a WordPress website and you update it to version 6.8, there is nothing at all that you need to do. Users don’t need to change their password to take advantage of the improved password storage mechanism; it will just happen behind the scenes the next time they log in. In fact you could forget about everything I’ve just said, and after updating to WordPress 6.8 the security of each of the passwords stored in your database would be increased as each user subsequently logs in again. Now, all that said, it’s important to note that this change doesn’t mean that a weak password becomes more secure. One of the easiest and most important aspects of keeping your website secure is to use strong passwords to begin with, but hopefully you don’t need me to tell you that. If you want to read more about the technical information behind this change then you can find all the information in the post about this change on the WordPress development site at make.wordpress.org. I will ask the folks at Cloudways to include the link so you can read more information about this change if you wish.

So the second thing I wanted to talk about is an area that in a lot of ways gets less attention than it should, which is the security and reliability of the supply chain that is involved in creating the software that’s used on your website, whether that’s the WordPress core software or the plugins and themes that you use. Modern software development processes include a lot of automated aspects, whether that’s automated testing, developer tooling for dependencies, or running scripts to build and package the software for release, and the security of this tooling and these processes is often just as important as the security of the software itself and the security of the websites that it’s used on, because ultimately they’re all involved in the creation of the software. If there was a security vulnerability in any of these processes or tools then it could allow malicious code to get surreptitiously included into WordPress or plugins or themes. This isn’t a new problem, but in recent years there have been a few high-profile instances in other ecosystems where the developer tools that are used in the creation of the software were compromised, and it resulted in malicious code being included in the published packages. There have been a handful of instances of this within the WordPress ecosystem in recent years. Luckily nothing too bad, but it did end up in malicious code being published in a plugin without the developer’s knowledge. Such compromises are usually only discovered by security researchers who identify the malicious code, and then the plugin developers have to release an update.

So why do I mention this? Well, some renewed efforts have been made in recent months to ensure that the software supply chain of WordPress itself remains as strong as it can be. One of those is an improvement to the GitHub Actions workflows that are used by the WordPress organization on GitHub. GitHub Actions use automated workflows that perform all sorts of testing, packaging and deployment of the various aspects of WordPress; this includes the core software and the block editor. The security team for WordPress have assessed and hardened a whole bunch of aspects of these workflows in recent months to ensure that they’re as secure as can be and to reduce the potential for vulnerabilities to be introduced to the software via its supply chain. I’m not going to go into the details now because it is very technical, but if this is something that sounds interesting to you then you might like to take a look at a resource that I maintain called Awesome GitHub Actions Security. Supply chain security in general is a fascinating topic, but within the WordPress ecosystem the security specifically of GitHub Actions that are used by the WordPress core team and the developers of plugins and themes is a particularly important aspect. So take a look, and as I said, if this is something that interests you then there’s a whole bunch of resources and reading on this topic, and hopefully something there that you will find interesting.

That’s all I have time for today. I hope you all enjoy the rest of the Cloudways WordPress security boot camp. If you have any questions feel free to get in touch; I’m on LinkedIn, if you search my name on there you’ll find me. And thanks very much for watching. Bye for now.
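The "upgrade on next login" behaviour described in the talk, as an added example that is not WordPress core's own code: the `$legacy$` format below is a constructed stand-in for a pre-6.8 stored hash (not WordPress's real phpass format), and the code assumes PHP 8 with its built-in `password_hash`/`password_verify`/`password_needs_rehash` functions.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a pre-6.8 style stored hash. This is NOT
// WordPress's real legacy (phpass) format; it exists only so the demo runs.
const LEGACY_PREFIX = '$legacy$';

function legacy_hash(string $password, string $salt): string
{
    return LEGACY_PREFIX . $salt . '$' . hash('sha256', $salt . $password);
}

function legacy_verify(string $password, string $stored): bool
{
    $parts = explode('$', substr($stored, strlen(LEGACY_PREFIX)), 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$salt, $digest] = $parts;
    // Constant-time comparison avoids leaking the digest via timing.
    return hash_equals($digest, hash('sha256', $salt . $password));
}

// Check a login. On success, return a fresh bcrypt hash to write back if the
// stored one is legacy or below the current cost; otherwise return null.
// Caveat: bcrypt only looks at the first 72 bytes of the password.
function check_and_maybe_upgrade(string $password, string $stored): array
{
    $opts = ['cost' => 12];  // bcrypt work factor; raise as hardware improves
    if (str_starts_with($stored, LEGACY_PREFIX)) {
        return legacy_verify($password, $stored)
            ? [true, password_hash($password, PASSWORD_BCRYPT, $opts)]
            : [false, null];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $needs = password_needs_rehash($stored, PASSWORD_BCRYPT, $opts);
    return [true, $needs ? password_hash($password, PASSWORD_BCRYPT, $opts) : null];
}

// Demo: a user row with a legacy hash is upgraded on the first correct login,
// left alone on the second, and a wrong password never triggers a rewrite.
$pw = 'correct horse battery staple';
$stored = legacy_hash($pw, 'constructedsalt');
[$ok1, $upgraded] = check_and_maybe_upgrade($pw, $stored);
[$ok2, $again]    = check_and_maybe_upgrade($pw, (string) $upgraded);
[$ok3, $never]    = check_and_maybe_upgrade('wrong password', (string) $upgraded);
printf("first login ok=%d, new hash prefix=%s\n", $ok1, substr((string) $upgraded, 0, 7));
printf("second login ok=%d, rehash needed=%d\n", $ok2, $again !== null);
printf("wrong password ok=%d, rehash needed=%d\n", $ok3, $never !== null);
```

Only the write-back of the returned hash is missing here; in a real login flow that happens in the same request, so the user notices nothing, which is the "entirely invisible" property the talk describes.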