WordPress sites are being hacked to install malicious plugins that display fake software updates and errors to push information-stealing malware.
Starting October 1st, WordPress.org accounts that can push updates and changes to plugins and themes will be required to activate two-factor authentication (2FA) on their accounts.