Bedrock 1.12.5 has been released with a minor change to development environments as of WordPress 5.2.
This update prevents WordPress’s new built-in fatal error handler from running in development environments. Bedrock 1.12.4 was also released last week with a few other changes:
- Update to WordPress 5.2 (#432)
- Configure WP-CLI wp server webroot (#427)
- Fix issue with bedrock_autoloader option (#386)
WordPress 5.2 introduced a Site Health Status page under the Tools menu, which isn’t accessible on non-development Bedrock environments due to a new bug: “Site Health: not showing if DISALLOW_FILE_MODS is set to true”. It looks like WordPress core will have this fixed in 5.2.1.
Signature verification in WordPress 5.2
Paragon Initiative Enterprises wrote about the new signature verification in WordPress 5.2:
Before WordPress 5.2, if you wanted to infect every WordPress site on the Internet (approximately 33.8% of websites as of this writing), you just had to hack their update server. Upon doing so, you can trick the automatic update feature into downloading and installing arbitrary code, which allows you to do all sorts of nefarious things (e.g. build the world’s largest DDoS botnet).
After WordPress 5.2, you would need to pull off the same attack and somehow pilfer the signing key from the WordPress core development team.
The work that went into WordPress 5.2 started many years ago and only covers core updates. Themes and plugins are still not cryptographically signed.
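The following is an added illustration, not WordPress core's or Bedrock's code: it shows why controlling the update server is not enough once the client verifies a detached signature against a public key it already holds. It assumes Ed25519 signatures via PHP's sodium extension; the function name verify_update_package, the key pairs and the package bytes are all constructed for the example.

```php
<?php
// Added example, not WordPress core code. Keys and package bytes are constructed.

/**
 * Return true only if $signatureB64 is a valid Ed25519 signature over
 * $package for one of the pinned public keys. Fails closed on bad input.
 */
function verify_update_package(string $package, ?string $signatureB64, array $trustedKeysB64): bool
{
    if ($signatureB64 === null || $signatureB64 === '') {
        return false; // unsigned package: reject instead of falling back
    }
    $signature = base64_decode($signatureB64, true);
    if ($signature === false || strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false; // malformed signature
    }
    foreach ($trustedKeysB64 as $keyB64) { // a list allows key rotation
        $key = base64_decode($keyB64, true);
        if ($key === false || strlen($key) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES) {
            continue; // skip a malformed pinned key
        }
        if (sodium_crypto_sign_verify_detached($signature, $package, $key)) {
            return true;
        }
    }
    return false;
}

// Constructed key pairs: the release signer, and a party that controls only
// the update server and so has to sign with a key of its own.
$signer   = sodium_crypto_sign_keypair();
$attacker = sodium_crypto_sign_keypair();

// The public key ships with the installed software, not with the download.
$pinned = [base64_encode(sodium_crypto_sign_publickey($signer))];

$package   = "constructed update archive bytes";
$goodSig   = base64_encode(sodium_crypto_sign_detached($package, sodium_crypto_sign_secretkey($signer)));
$tampered  = $package . " plus modified bytes";
$forgedSig = base64_encode(sodium_crypto_sign_detached($tampered, sodium_crypto_sign_secretkey($attacker)));

var_dump(verify_update_package($package, $goodSig, $pinned));    // genuine release
var_dump(verify_update_package($tampered, $goodSig, $pinned));   // modified archive, original signature
var_dump(verify_update_package($tampered, $forgedSig, $pinned)); // re-signed with an unpinned key
var_dump(verify_update_package($package, null, $pinned));        // signature stripped
```

The same check does nothing for themes and plugins, which are not signed.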
Development updates in WordPress 5.2
Some of the development updates in WordPress 5.2 include:
- The minimum supported PHP version is now 5.6.20
- Addition of wp_body_open hook (you must update your theme to add the hook within the body tag)
Thank you
Thanks for the code and review contributions in the latest Bedrock releases from: