WordPress rolled out its last release of 2020 on 8th December – WordPress 5.6 (“Simone”). The latest WordPress version includes not only a few major updates and new features but also many improvements. While some are much needed, a few have caused security and compatibility issues with existing WordPress websites. This blog post reviews how the new improvements may cause security vulnerabilities or break your website.
WordPress 5.6, the last release of 2020, rolled out on 8th December with dozens of improvements and new features. WordPress 5.6 has received positive feedback from the developer community so far, probably because it has not broken anything. But that’s a half-truth!
The latest WordPress version includes not only a few major updates and new features but also a huge number of minor improvements and fixes for bugs reported in earlier versions. A few of the changes and enhancements have repercussions for the security and compatibility of existing WordPress websites. Let’s dig into how WordPress 5.6 can break your website like its predecessor.
The upgraded version of jQuery Migrate Plugin – A good initiative with a “Negative” impact
Earlier, when WordPress 5.5 was released, millions of websites stopped functioning normally since jQuery was removed. Although WordPress had announced its move to modernize WordPress a long time back, many website owners were left with a website that stopped displaying at all, or were locked out of their website.
That was the first dose of modernizing WordPress by forcing the WordPress ecosystem to change their code and onboard with the newest jQuery version. With WordPress 5.6, the WordPress team has taken the modernization to the next level by updating jQuery Migrate Plugin to the next version – 3.3.1!
What is the big deal with the latest version of jQuery Migrate Plugin?
Well, the possible effect of upgrading the jQuery Migrate Plugin is that the websites relying on the “Enable jQuery Migrate Helper” will have to bear the pain of inaccessible websites once again. If you look at the announcement made by WordPress, it is something like:
“In order to upgrade the jQuery version, the 3-step plan was outlined by the WordPress team. The first step was carried out in WordPress 5.5, to stop enabling jQuery Migrate version 1.x.
The second step was included in WordPress 5.6 release, where the jQuery Migrate plugin was updated to the latest 3.3.1 version.
It is important to note that the Migrate script for version 3 is incompatible with the previous migrate script features. Moreover, the deprecated features are no longer supported in the latest version.”
This indicates that WordPress 5.6 will again break the sites that rely on the Enable jQuery Migrate Helper plugin to run smoothly. WordPress developers mentioned that the Enable jQuery Migrate Helper plugin will not help once WordPress 5.6 is released, since they are going to upgrade the jQuery library. This means the older version of the jQuery Migrate Helper plugin will be of no use to developers and website owners.
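A pre-upgrade check for the incompatibility described above, as an added example that is not part of the original post or of WordPress itself: it scans theme or plugin JavaScript for calls that only the Migrate 1.x script restored. The API list comes from the jQuery 1.9 upgrade guide rather than this page, and the sample script is constructed.

```python
import re

# APIs removed before jQuery 1.9 that only the Migrate 1.x script restored.
# (List taken from the jQuery 1.9 upgrade guide, not from this page.)
REMOVED_APIS = {
    ".live()": re.compile(r"\.live\s*\("),
    ".die()": re.compile(r"\.die\s*\("),
    "jQuery.browser": re.compile(r"(?:\$|jQuery)\.browser\b"),
    "jQuery.sub()": re.compile(r"(?:\$|jQuery)\.sub\s*\("),
}

# Constructed sample of legacy theme code.
SAMPLE_JS = """\
jQuery(function ($) {
  $('.menu a').live('click', openMenu);
  if ($.browser.msie) { $('body').addClass('ie'); }
  $('.menu a').on('click', openMenu);
  // $('.old').die('click');
});
"""


def find_removed_apis(source):
    """Return (line_number, api_name) pairs for each legacy call found."""
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith("//"):
            continue  # skip whole-line comments
        for name, pattern in REMOVED_APIS.items():
            if pattern.search(line):
                hits.append((number, name))
    return hits


if __name__ == "__main__":
    for number, name in find_removed_apis(SAMPLE_JS):
        print("line %d: %s no longer works after the upgrade" % (number, name))
```

Run it over each `.js` file in the active theme and plugins on a staging copy before updating the live site.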
Application Passwords – Great addition, but RISKY
WordPress 5.6 has brought a new feature that restricts external applications to accessing specific portions of your website. From now on, external applications are required to request permission to connect with any WordPress website. The site administrator can generate a specific password key, which the application can then use to interact with the site via the REST API.
Of course, it is a thoughtful feature. However, giving the site administrator the right to generate and grant access to a specific application is a little risky. A smart attacker can trick the website owner with the help of malicious links.
Another possible security weakness lies in the application password request URLs. All the application password request URLs are designed to send the newly generated password to the requester’s website using a “redirect URL”. This opens a new route for attackers to gain access to and control of a website. Wordfence has demonstrated how an attacker could use a social engineering attack via application passwords.
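One way an administrator or a mail/link filter could inspect an application password request before anyone approves it, as an added example that is not code from WordPress or Wordfence. The endpoint path and the `app_name`, `success_url` and `reject_url` parameter names follow WordPress's documented authorization flow and are not quoted on this page; the hosts and sample links are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter names follow WordPress's documented authorization
# flow; they are assumptions here, not values quoted on this page.
AUTHORIZE_PATH = "/wp-admin/authorize-application.php"

# Constructed sample links.
SAMPLE_OK = ("https://blog.example/wp-admin/authorize-application.php"
             "?app_name=Backup+Tool"
             "&success_url=https%3A%2F%2Fbackup.example%2Fcallback")
SAMPLE_BAD = ("https://blog.example/wp-admin/authorize-application.php"
              "?app_name=Sample+App"
              "&success_url=http%3A%2F%2Fcollector.invalid%2Fc")


def review_request(link, site_host, trusted_hosts):
    """Return a list of warnings for an application password request link."""
    parts = urlsplit(link)
    if not parts.path.endswith(AUTHORIZE_PATH):
        return ["not an application password request"]
    warnings = []
    if (parts.hostname or "").lower() != site_host.lower():
        warnings.append("link targets a different site: %s" % parts.hostname)
    params = parse_qs(parts.query)
    if not params.get("app_name", [""])[0]:
        warnings.append("no app_name given")
    # success_url is the redirect URL that receives the new password;
    # reject_url is visited when the request is denied.
    for key in ("success_url", "reject_url"):
        value = params.get(key, [""])[0]
        if not value:
            continue
        target = urlsplit(value)
        host = (target.hostname or "").lower()
        if target.scheme != "https":
            warnings.append("%s is not https: %s" % (key, value))
        if host not in trusted_hosts:
            warnings.append("%s points to untrusted host: %s" % (key, host))
    return warnings


if __name__ == "__main__":
    for link in (SAMPLE_OK, SAMPLE_BAD):
        print(review_request(link, "blog.example", {"backup.example"}))
```

An empty list means the link names your own site and a redirect host you already trust; any warning is a reason to reject the request and create the password manually from the user profile instead.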
Do you think WordPress 5.6 will affect your site in the form of a jQuery migrate plugin or application password?
Well, that depends on the WordPress theme and plugins used by your website. If you are facing challenges logging in to the admin panel or seeing any error messages, then yes: you are one of those who are experiencing erratic website behaviour after updating to WordPress 5.6.
On the other hand, if you are excited to use the new feature of application passwords for your website, it is highly recommended that you provide the user with minimal permissions only. The functionality is fantastic, but it is always advisable to safeguard your website when trying anything new!
What other loopholes do you think could hamper WordPress sites after upgrading to WordPress 5.6? Let us know your views in the comment section below!