WordPress Mandates Two-Factor Authentication for Plugin and Theme Developers


WordPress.org has announced a new security measure: accounts with commit access to plugins and themes will be required to enable two-factor authentication (2FA).

The enforcement is set to take effect from October 1, 2024.

“Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide,” stated the maintainers of the open-source CMS.

Enhancing Security Measures:
In addition to mandatory 2FA, WordPress.org is introducing SVN passwords—a dedicated password for committing changes. This extra security layer separates users’ code commit access from their main WordPress.org account credentials.

“This password functions like an application or additional user account password,” the team explained. “It protects your main password from exposure and allows you to easily revoke SVN access without changing your WordPress.org credentials.”

Because of technical limitations, 2FA cannot be enforced on the existing Subversion code repositories themselves (the svn client authenticates with a username and password only, with no prompt for a second factor). Instead, WordPress.org is combining:
- Account-level two-factor authentication
- High-entropy SVN passwords
- Deploy-time security features like Release Confirmations

Preventing Supply Chain Attacks:
These measures aim to prevent a compromised maintainer account from being used to push malicious code into plugins and themes, which, given their install base, would amount to a large-scale supply chain attack.

Meanwhile, security firm Sucuri has warned about ongoing ClearFake campaigns targeting WordPress sites. These campaigns attempt to trick site visitors into running PowerShell code under the pretext of fixing a fake rendering issue, which ultimately installs the RedLine information stealer.

Additionally, threat actors have been found leveraging infected PrestaShop e-commerce sites to deploy credit card skimmers, stealing financial information from checkout pages.

Security Recommendations:
Security researcher Ben Martin advises website owners to:
- Keep plugins and themes up-to-date
- Deploy a web application firewall (WAF)
- Regularly review administrator accounts
- Monitor for unauthorized changes to website files
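The last recommendation is the one site owners most often skip. The script below is an added example, not code from the article, from Ben Martin or from WordPress.org: it takes a SHA-256 baseline of every file under a web root, then reports files that were added, modified or removed since the baseline was taken. The directory tree, file names and the simulated tampering are all constructed for the demonstration; in practice the baseline would be stored outside the web root and the check run from cron or a CI job after each release.

```python
"""Baseline-and-diff file integrity check for a WordPress web root.

Added example (not code from WordPress.org or the article). The sample
tree, plugin name and the simulated 'unauthorized changes' below are
constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file's path (relative to root, POSIX form) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # skip links: a link could point outside the web root
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def diff_baseline(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a saved baseline; returns sorted path lists."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current.keys() & baseline.keys()
                      if current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a small constructed wp-content tree, baseline it, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin = root / "wp-content" / "plugins" / "example-plugin"  # constructed plugin
        plugin.mkdir(parents=True)
        (plugin / "example-plugin.php").write_text("<?php // constructed sample plugin\n")
        (plugin / "readme.txt").write_text("== Example ==\n")
        baseline = build_baseline(root)
        # Round-trip through JSON, as a scheduled job storing the baseline off-host would.
        saved = json.loads(json.dumps(baseline))
        # Simulated unauthorized changes: one file altered, one dropped in, one deleted.
        (plugin / "example-plugin.php").write_text("<?php // constructed unauthorized edit\n")
        (root / "wp-content" / "dropped.php").write_text("<?php // constructed dropped file\n")
        (plugin / "readme.txt").unlink()
        return diff_baseline(root, saved)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A plugin or core update legitimately changes many files at once, so the practical workflow is to re-baseline immediately after each intentional update and treat any diff between updates as a finding; a file appearing under wp-content/uploads with a .php extension, as in the constructed case above, is the classic sign of a dropped web shell.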

By implementing these security measures, WordPress aims to strengthen the integrity and trust of its community.