The Information Highway

The Information Highway

Font size: +
2 minutes reading time (306 words)

WordPress.org to require 2FA for plugin developers by October

Starting October 1st, WordPress.org accounts that can push updates and changes to plugins and themes will be required to activate two-factor authentication (2FA) on their accounts.

The decision is part of the platform's plugin review team effort to reduce the risk of unauthorized access, which could lead to supply-chain attacks.

"Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide," reads the announcement. 

"Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community."

WordPress is an open-source content management system (CMS), blog tool, and publishing platform that helps users create and manage websites.

Users have access to a wide variety of free and paid themes and plugins that allow customizing the look and extending the functionality of their websites.

A malicious actor hijacking a publisher's account could alter code in a theme or plugin to include vulnerabilities or backdoors that would allow privileged access to websites using them.

2FA and SVN passwords

To prevent such risks, the 2FA security feature needs to be active on October 1st for accounts that have commit access on the WordPress.org platform. Account administrators can enable the setting from the security menu of their account. Step-by-step instructions on how to activate 2FA are available here.

Additionally, WordPress.org has added SVN-specific passwords that separates the access to making code changes from the main account credentials.

Plugin authors using deployment scripts such as GitHub Actions will need to update their scripts to use the new SVN-specific passwords. Check this page for more information on Subversion (SVN) access.

The team notes that technical limitations prevent 2FA from being applied to existing code repositories and opted to combine "account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features." 

Adobe fixes Acrobat Reader zero-day with public Po...
Veeam Backup security flaws

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Monday, 23 December 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023