WordPress Mandates Two-Factor Authentication for Plugin and Theme Developers

WordPress.org has announced a new account security measure that will require accounts with the ability to update plugins and themes to enable two-factor authentication (2FA).

The enforcement is planned to come into effect beginning October 1, 2024.

"Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide," the maintainers of the open-source, self-hosted version of the content management system (CMS) noted.

"Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community."

Besides having obligatory 2FA, WordPress.org stated it's adopting what's called SVN passwords, which refers to a separate password for committing changes.

This, it added, is an attempt to offer a new layer of security by segregating users' code commit access from their WordPress.org account credentials.

"This password functions like an application or additional user account password," the company claimed. "It protects your main password from exposure and allows you to easily revoke SVN access without having to change your WordPress.org credentials."

WordPress.org also noted that technical limitations have prevented 2FA from being applied to existing code repositories, as a result of which it has opted for a "combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features (such as Release Confirmations)."

The measures are intended to address scenarios in which a hostile actor takes control of a publisher's account and inserts malicious code into legitimate plugins and themes, leading to large-scale supply chain attacks.

The news comes as Sucuri warns of ongoing ClearFake attacks targeting WordPress sites that attempt to deploy an information stealer called RedLine by tricking site visitors into manually running PowerShell code under the pretext of fixing a problem with displaying the web page.

Threat actors have also been observed using compromised PrestaShop e-commerce sites to install a credit card skimmer that harvests payment data entered on checkout pages.

"Outdated software is a primary target for attackers who exploit vulnerabilities in old plugins and themes," security expert Ben Martin stated. "Weak admin passwords are a gateway for attackers."

Users are urged to keep their plugins and themes up to date, deploy a web application firewall (WAF), regularly review administrator accounts, and watch for unauthorized modifications to website files.
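As an added illustration of the last recommendation (example code, not from the article or from WordPress.org), the snippet below takes a SHA-256 baseline of a WordPress install's plugin and theme directories and reports files that were added, removed or modified since the baseline; the directory names and sample files are constructed assumptions.

```python
# Added example: a minimal file-integrity baseline for a WordPress install,
# the kind of check behind "watch for unauthorized modifications to website
# files". Watched directories and the sample tree are constructed assumptions.
import hashlib
import os
import tempfile

WATCHED = ("wp-content/plugins", "wp-content/themes")  # assumed directories

def sha256_of(path):
    """Stream a file through SHA-256 so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map every file under the watched directories to its SHA-256 digest."""
    baseline = {}
    for sub in WATCHED:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline

def diff_baseline(old, new):
    """Report files that appeared, vanished or changed between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }

def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(data)
        write("wp-content/plugins/hello/hello.php", "<?php // plugin\n")
        write("wp-content/themes/base/functions.php", "<?php // theme\n")
        before = build_baseline(root)
        write("wp-content/plugins/hello/hello.php", "<?php // changed\n")  # modified
        write("wp-content/plugins/hello/extra.php", "<?php // new file\n")  # added
        os.remove(os.path.join(root, "wp-content/themes/base/functions.php"))  # removed
        return diff_baseline(before, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored outside the web root and regenerated only after a known-good deployment, so that the comparison runs against a trusted reference rather than the current, possibly tampered, tree.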
