If you have been following my community involvement lately, you’ve probably noticed I’ve been very preoccupied with security.
This newfound push for rigorous security overhauls all started when I accidentally learned how to hack websites using XHR. Previously, remembering to use POST instead of GET for handling user data was enough to protect against CSRF. NOT ANY MORE!
The past few weeks have taken me down many security roads, including SRI (Subresource Integrity), XSS (cross-site scripting), CSRF (cross-site request forgery), CSP (Content Security Policy) and now, the latest, HSTS (HTTP Strict Transport Security). While many of these subjects were well known to me, it had been a while since I’d done a deep dive.
If you don’t recognize all these acronyms, don’t feel bad. Only about 1/3 of my team recognized them all. If you are in charge of site security and/or hosting, it’s not a bad idea to become familiar with all of them.
I know what you are thinking: “Why is Mat blogging about all this technical jargon when I have him to handle my security anyway?” Well, I’m bringing this up because today a change was rolled out that may affect a small number of plugin users.
Today this site went fully HSTS: it now sends the Strict-Transport-Security header and no longer serves http:// requests of any kind. Every request must be made over https://, and a browser that has seen the header will upgrade its own requests to https:// for as long as the policy’s max-age lasts, without ever trying http:// first. Previously the plugin update endpoint still accepted http://, to give servers running old versions of PHP and/or server software time to catch up. One caveat worth knowing: the HSTS header is only honoured by browsers. Server-to-server clients such as WordPress’s own HTTP API do not consult it, so what affects plugin updates is simply that the http:// endpoint is gone.
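To make concrete what the HSTS header actually does on the client side, here is an added example (not code from this site or its plugins) that models how a browser parses the Strict-Transport-Security header, remembers the policy, and upgrades later http:// requests. The host names and header values in it are constructed for illustration.

```python
"""Model of how a browser applies HTTP Strict Transport Security (RFC 6797).

Added example for illustration; it is not code from this site or its plugins.
The host names and header values used here are constructed, not real.
"""
import re
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age", "include_subdomains", "preload"} or None when the
    value is invalid: max-age is mandatory and no directive may repeat.
    Unknown directives are ignored, as the RFC requires.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


class HstsCache:
    """A browser's 'known HSTS hosts' store: host -> (expiry, includeSubDomains)."""

    def __init__(self, preload=()):
        # Preloaded hosts never expire; that is what the preload list buys you,
        # since an ordinary policy is only learned after a first https:// visit.
        self._hosts = {host.lower(): (float("inf"), True) for host in preload}

    def observe(self, url, header, now=None):
        """Learn a policy from a response; ignored unless it arrived over https,
        otherwise an attacker on the path could plant or clear policies."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname is None:
            return False
        policy = parse_hsts(header)
        if policy is None:
            return False
        host = parts.hostname.lower()
        if policy["max_age"] == 0:
            self._hosts.pop(host, None)  # max-age=0 revokes the policy
        else:
            self._hosts[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host, now=None):
        """True if host, or a superdomain with includeSubDomains, has a live policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at > now and (i == 0 or include_subdomains):
                return True
        return False

    def rewrite(self, url, now=None):
        """What the browser does before sending: http:// becomes https:// for
        known hosts (port 80 becomes 443, other explicit ports are kept).
        Non-browser clients such as curl or WordPress's HTTP API do no such thing."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or "", now):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += ":%d" % parts.port
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    t0 = 1_700_000_000.0
    # A policy seen over plain http is ignored.
    print(cache.observe("http://plugins.example/", "max-age=31536000", now=t0))
    cache.observe("https://plugins.example/", "max-age=31536000; includeSubDomains", now=t0)
    print(cache.rewrite("http://plugins.example/update.json", now=t0 + 60))
    print(cache.rewrite("http://api.plugins.example/", now=t0 + 60))
    # "Forever" is really max-age: once it lapses the browser tries http again.
    print(cache.rewrite("http://plugins.example/", now=t0 + 31536000))
```

Two things the model makes visible: a policy only exists after a browser has completed one https:// visit (hence the preload list for first contact), and the protection lasts only as long as max-age, so a short value silently reopens the http:// window.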
If your server runs versions old enough that it cannot make https:// requests, you will no longer be able to update your plugins through WP Admin; you will have to download updates manually through My Account.
Really, this shouldn’t affect many users, since the minimum supported PHP version for our plugins is 5.6 and any reasonably current PHP build makes https:// requests without trouble. What actually matters is less the PHP version number than that PHP was built with the OpenSSL extension (or cURL with SSL support) and that the server’s OpenSSL is recent enough to negotiate the TLS version the site requires. Note also that PHP 5.6 turned certificate verification on by default for https:// streams, so a server with a badly outdated CA bundle can fail even when the PHP version is fine.
If you are not using PHP 5.6+ yet, it’s time to get that updated! The entire WP community (including WP Core) is moving on, and the cost of the issues that come with maintaining your old PHP version will be much greater than the cost of updating PHP now.