This update comes as the WordPress ecosystem faces increasing cybersecurity threats
WordPress.org is set to introduce mandatory two-factor authentication (2FA) for accounts with access to update plugins and themes, a move aimed at strengthening security across millions of WordPress websites. This requirement, which will take effect from October 1, 2024, is designed to protect accounts that hold commit access, preventing unauthorized users from pushing updates that could compromise the security of the platform.
The maintainers of the open-source content management system emphasized the importance of securing these accounts to prevent unauthorized access and ensure the continued trust and safety of the WordPress.org community. In addition to mandatory 2FA, WordPress.org is introducing SVN passwords, a new security feature for users with commit access to plugins and themes. These dedicated passwords are designed to separate code commit access from standard WordPress.org account credentials, offering an additional layer of protection. Because the SVN password is separate, a user can revoke commit access without altering their main account credentials, which makes securing a compromised or retired account simpler.
WordPress.org acknowledged that technical limitations have prevented the implementation of 2FA directly for existing code repositories. To address this, the platform is combining account-level two-factor authentication with high-entropy SVN passwords and other deploy-time security measures like Release Confirmations. These steps are aimed at reducing the risk of supply chain attacks, where malicious actors could inject harmful code into plugins and themes through compromised accounts.
This update comes as the WordPress ecosystem faces increasing cybersecurity threats. Recently, Sucuri, a website security firm, warned of ongoing “ClearFake” campaigns targeting WordPress sites. These campaigns distribute malware, such as the RedLine information stealer, by tricking users into running PowerShell commands disguised as fixes for rendering issues. Additionally, vulnerabilities in PrestaShop e-commerce sites have been exploited by attackers to deploy credit card skimmers, stealing payment information from customers during checkout.
Security researcher Ben Martin highlighted the risks posed by outdated software, noting that “outdated software is a primary target for attackers who exploit vulnerabilities in old plugins and themes.” He also stressed the importance of strong admin passwords, as weak credentials remain a common entry point for cybercriminals.
To mitigate these risks, security experts recommend keeping plugins and themes up to date, using web application firewalls (WAFs), regularly reviewing administrator access, and monitoring websites for unauthorized file changes. With the new security measures in place, WordPress.org is taking significant steps to safeguard its users and reduce the likelihood of compromised accounts leading to large-scale attacks.
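The file-change monitoring recommended above, shown as an added example that is not code from the article or from WordPress.org: it records a SHA-256 baseline of a plugin directory and reports files added, modified or removed since then. The plugin path and its files are constructed in a temporary directory.

```python
"""Baseline-and-compare file integrity check for a WordPress plugin directory.
Added example, not code from the article or WordPress.org; paths and files are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash in chunks so large plugin assets never load fully into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify drift from the baseline; every entry is a change to review."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed plugin tree: record a baseline, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "wp-content" / "plugins" / "example-plugin"
        plugin.mkdir(parents=True)
        (plugin / "example-plugin.php").write_text("<?php // Plugin Name: Example\n")
        (plugin / "readme.txt").write_text("=== Example ===\n")
        baseline = build_manifest(plugin)  # taken right after a trusted install
        # Simulated unauthorized change: one file edited, one added, one removed
        (plugin / "example-plugin.php").write_text("<?php // Plugin Name: Example\n// changed\n")
        (plugin / "unexpected.php").write_text("<?php\n")
        (plugin / "readme.txt").unlink()
        return diff_manifests(baseline, build_manifest(plugin))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is stored outside the web root (or off-host) so that whoever can alter plugin files cannot also rewrite the record they are compared against.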
