CWP 2.4 updates the recipe to SilverStripe CMS 4.4.3, and includes a number of improvements and bugfixes to supported modules. We’re hard at work tightening screws and exterminating bugs to improve the consistency and usability of the CMS, and the beginnings of this project are visible in the 2.4 release.
As usual, this release follows semantic versioning(external link), so it’s ready to be used in any current SilverStripe project right now.
What should users get really excited about in CWP 2.4?
An upgrade to the latest version brings a number of minor improvements and bugfixes from the Experience Debt initiative that benefit Content Managers, and optionally introduces the Multi-Factor Authentication (MFA) module suite. Highlights for Developers include Opt-in HSTS headers and a shift to PBKDF2-based password hashing.
We unpack each of these new features below.
For Content Managers
Focusing on Experience Debt
For this CWP release and the next in December, the development teams overseeing the maintenance of the CWP and SilverStripe module will be focusing on one thing, experience debt(external link).
We’ve defined 'experience debt' as “issues that if left unresolved, will both hamper the customer experience and slow down our ability to work on improving things”.
There is a focus on:
- Insufficient self-service features, or features users expected after an upgrade from CWP 1 to CWP 2
- Regressions or upgrade difficulties
- Broad software bugs, or oddities that may have tripped Content Managers up in the past
You’ll notice minor improvements with CWP 2.4, but keep an eye out for future CWP updates where we’ll dive into the details of where these improvements are going.
Multi-Factor Authentication (MFA) module suite
The CWP team has spent the past few months engineering a major security enhancement now available to all CWP sites: Multi-Factor Authentication support. Once the modules are installed and configured for your site, you’ll be able to protect your CMS accounts with an additional factor—using either an authenticator app on your phone, or a dedicated security key.
When MFA is present on your site, you’ll also see a fresh, standalone login experience that supports Dark Mode in modern browsers.
For more information, take a look at the full MFA release announcement, and if you’re keen to adopt these modules, get in touch with your Digital Agency or Developer.
Opt-in HTTP Strict Transport Security (HSTS) headers
HSTS is a great way to improve the security of connections to your website. It works by instructing browsers to only make HTTPS-based requests to your website, rather than allowing insecure HTTP-based requests which could be spoofed or intercepted by an attacker.
Fresh CWP projects now ship with HSTS headers applied by default in the Apache .htaccess config, and existing projects can easily adopt this. See the 2.4.0 patch notes for instructions.
Shift to PBKDF2-based password hashing
CWP 2.4.0 changes the default password hashing method used for authentication to a PBKDF2 implementation, with the SHA512 algorithm. This improves the compliance of CWP sites with NZISM standards(external link).
Migrating to the new method is seamless and automatic, and no development work is required.
Keen to get your upgrade underway?
Talk to your Digital Agency or Developer about upgrading to CWP 2.4.
Developers, head to our documentation to view the changelogs or check out the Upgrade Guide.