You might have noticed that the service release of WordPress 2.0.3 is now available for download. I do recommend to users that they perform this upgrade if they are using the 2.0 branch, because it addresses at least one security issue.
One security-related issue that you might be interested in is the new nonce system. It started with this thread on the WordPress hackers mailing list and became one of the most involved and complex discussions we’ve ever had. I personally had all too much to say about it. So what is a nonce and how does it affect you?
First off, “nonce” is pronounced like the prefix “non”, but with an “s” sound at the end. It is not “noun” with an “s” sound. The term “nonce” is used in a variety of ways, but for our purposes it is a unique code that is only used (more or less) once to identify a particular transaction. How is this useful?
Every time you submit a form in the WordPress admin console in versions prior to 2.0.3, the system looks for the originating page of the form submission in your request. It verifies that the page that you were on prior to submitting the form was actually within the WordPress admin. Why is this important?
Imagine that you had logged into your WordPress admin but were browsing your own site. The cookie stored in your browser would allow you to access your admin pages without logging in again. While you are browsing your site, you encounter a new comment on a post. The comment has a link in it, and without looking too closely at it, you click it. That link could be to a page in your admin console that is responsible for deleting a post!
Now before you panic, note that for normal visitors who do not have permission to delete posts on your site this link would have no effect. They would simply see the WordPress login page and be able to proceed no further. But since you were already authenticated for deleting pages, that link could prove disastrous!
Thankfully, WordPress verifies the page that you were on prior to submitting that link. Since it is not part of the admin console, the link fails to execute and you are saved from a hazardous mistake.
The trouble is that if you are using a browser that does not report the referring page, then everything you try to do in the admin fails like this. It makes it very difficult to manage your site from behind some privacy proxies (common at the workplace or public terminals) and even from some more functional cell phones.
To get around this issue, WordPress 2.0.3 introduces nonces. Basically, every operation in the admin is now assigned a unique code - the nonce. That code is passed along with the form information when you delete posts, moderated comments, etc. WordPress verifies that the nonce is valid for the transaction that you’re trying to make, just like it used to do with the referrer. The difference now is that this method works for every page and offers a tad more security by tieing the nonce code to the action, your site, and a range of time.
With nonces, it would be virtually impossible for someone to leave a comment that worked in the horror story I described above. When you clicked the link, you would receive a confirmation page asking you if you were sure that you wanted to proceed. If you really did, you could follow through. But this extra page prevents anything bad from happening. Because your admin produces valid nonces, you will never see these confirmation pages under normal use.
Ok, so this feature isn’t all that impressive from the point of view of the average user. But it gives you a better idea of the security concerns that you should have about your web site’s software, and what WordPress is doing to address these issues.
I’m particularly happy with the inclusion of nonces since I lobbied so hard for its addition and it has turned out so nicely.
