Nexcess Blog

WordPress Security: What Is A Patch?

September 20, 2016

WordPress is a complex piece of software comprising many thousands of lines of code — a mixture of PHP, HTML, CSS, and JavaScript. It’s under constant development, which means that all those files are subject to change. Often, those changes address security issues; that is, they are edits to the code that introduced a vulnerability.
These changes are often referred to as security patches or simply patches. Have you ever wondered exactly what a patch is and how it got its name? You might think it’s an analogy to patching your clothes when they get a hole in them, but that’s not quite right.

Imagine you have a chunk of code — let’s take a snippet of text from a randomly chosen WordPress PHP file as an example.

[Image: WordPress Security Patch]

You want to change the function name and various other parts of the file and then have it included in the source code that lives in the main WordPress source repository. You could just make your changes and send the whole file to the repository, but that’s not typically how it’s done. We’re really only interested in what’s changed between the file currently in the repository and the new file.

[Image: Security Patch]

Often, the process of applying changes is handled by a version control system like Git, which takes care of the sticky details for us, but in the old days, we’d probably have used a program called “diff”. Diff will take a pair of files and spit out another file that contains the differences between the two files. Diff outputs the following for our two files.

[Image: WordPress Patch]

The output of diff (or whichever tool is used) is sometimes called a diff, but it’s often just called a patch. As you can see, only the changes are included; all the lines that didn’t change aren’t relevant.

If our developer wanted to send the changes he made to his friend, he would only send the patch. The second developer would take a look at the patch, and if she decided that she wanted the changes in her own source code, she’d use a tool called — can you guess? — “patch” to apply the differences to her own file.
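The two steps described above, producing a diff and applying it with patch, as an added example that is not part of the original post: Python's standard difflib generates the same unified-diff format that `diff -u` does, and a small apply routine mirrors what the `patch` tool does. The PHP file and the function names in it are constructed for the illustration, not real WordPress code. The example also shows the case a practitioner cares about: a patch refuses to apply when the target file has drifted from what the patch expects.

```python
import difflib
# Constructed sample (not real WordPress code): an "old" and "new" version of a file
# where one function is renamed and its return value is escaped.
OLD = """<?php
function sanitize_input($value) {
    return $value;
}
function helper() {
    return 1;
}
"""
NEW = OLD.replace("sanitize_input(", "sanitize_user_input(") \
         .replace("return $value;", "return esc_html($value);")

def make_patch(old, new, name="example.php"):
    """Produce a unified diff, as `diff -u` would: changed lines plus 3 lines of context."""
    return "".join(difflib.unified_diff(
        old.splitlines(keepends=True), new.splitlines(keepends=True),
        fromfile="a/" + name, tofile="b/" + name))

def apply_patch(old, patch):
    """Apply a unified diff to `old`, as `patch` does; ValueError if the file has drifted."""
    src = old.splitlines(keepends=True)
    out, pos = [], 0
    for line in patch.splitlines(keepends=True):
        if line.startswith(("---", "+++", "\\")):
            continue                      # file headers / "no newline" marker
        if line.startswith("@@"):         # hunk header: "@@ -start,len +start,len @@"
            start = max(int(line.split()[1].split(",")[0].lstrip("-")) - 1, 0)
            out.extend(src[pos:start])    # copy untouched lines before the hunk
            pos = start
        elif line[0] in " -":             # context or removed line: must match the file
            if pos >= len(src) or src[pos] != line[1:]:
                raise ValueError(f"hunk failed at line {pos + 1}: expected {line[1:]!r}")
            if line[0] == " ":
                out.append(src[pos])
            pos += 1
        elif line[0] == "+":              # added line
            out.append(line[1:])
    out.extend(src[pos:])                 # copy whatever follows the last hunk
    return "".join(out)

def patch_applies(old, patch):
    """True if the patch applies cleanly, False if the target file has drifted."""
    try:
        apply_patch(old, patch)
    except ValueError:
        return False
    return True
```

Printing `make_patch(OLD, NEW)` shows only the two changed lines with their surrounding context; `patch_applies(OLD.replace("return 1;", "return 2;"), ...)` returns False because a context line no longer matches.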

All of which is interesting, but it doesn’t explain why patches are called patches. To understand that, we have to look back to the early days of computing. Back then, instructions to computers were stored on cards with holes in them that the computer was able to read. You’d “program” a computer by feeding it a stack of punch cards. If you wanted to change the instructions on the card, instead of making a new punch card, you could just stick a small piece of cardboard with different holes in it onto the larger punch card — you would literally patch the punch card.

WordPress updates typically don’t contain patches in the sense we’ve discussed — they contain replacement files. But those replacement files were made by patching the files in the WordPress version control repository. If you don’t update a WordPress site regularly, its source code never receives the changes that were in those patches. If those patches fixed a security vulnerability, your site remains vulnerable to exploitation because its source code hasn’t been fixed.
