This article originally appeared in SC Magazine on January 25, 2019.
WordPress may have intended WSOD (white screen of death) protection, a new feature to be included in WordPress CMS 5.1, to allow the platform to detect fatal PHP errors and determine which plugin or theme is the culprit, but security pros say hackers could use it to disable security plugins and make WordPress sites vulnerable to attack.
“Stopping extensions based on Fatal Error is more than fatal for WordPress as a whole, at any place, in any time,” researcher Slavco Mihajloski wrote in a blog post, noting that attackers could provoke a fatal PHP error in a plugin and swoop in once the WSOD protection feature temporarily stops the plugin from executing.
“Malicious campaigns are relentless with their targets. Any pauses to the security plugins will render the sites vulnerable to any attack. There needs to be a better method for identifying and addressing PHP errors without disabling the security plugins,” said The Media Trust Digital Security and Operations Director Pat Ciavolella. “Given the risk that the white screen of death feature raises, it becomes even more imperative that site owners who use this feature continuously monitor all the code it executes to ensure that none pose threats to the security and privacy of users.”