WordPress Mandates Two-Factor Authentication for Plugin and Theme Developers

Sep 12, 2024 | Ravie Lakshmanan | Internet Security / Content Management

WordPress.org has announced a new account security measure that will require accounts with the capability to update plugins and themes to enable two-factor authentication (2FA).

The enforcement is expected to come into effect starting October 1, 2024.

“Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide,” the maintainers of the open-source, self-hosted version of the content management system (CMS) said.

“Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community.”


Besides requiring mandatory 2FA, WordPress.org said it is introducing what it calls SVN passwords, a dedicated password used only for committing changes.

This, it said, is an effort to add a new layer of security by separating users' code commit access from their WordPress.org account credentials.

“This password functions like an application or additional user account password,” the team said. “It protects your main password from exposure and allows you to easily revoke SVN access without having to change your WordPress.org credentials.”

WordPress.org also noted that technical limitations have prevented 2FA from being applied to the existing code repositories, which is why it has opted for a “combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features (such as Release Confirmations).”

The measures are seen as a way to counter scenarios where a malicious actor could seize control of a publisher's account and introduce malicious code into legitimate plugins and themes, resulting in large-scale supply chain attacks.

The disclosure comes as Sucuri warned of ongoing ClearFake campaigns targeting WordPress sites that aim to distribute an information stealer called RedLine by tricking site visitors into manually running PowerShell code, supposedly to fix a problem with rendering the web page.


Threat actors have also been observed leveraging infected PrestaShop e-commerce sites to deploy a credit card skimmer that siphons financial information entered on checkout pages.

“Outdated software is a primary target for attackers who exploit vulnerabilities in old plugins and themes,” security researcher Ben Martin said. “Weak admin passwords are a gateway for attackers.”

Users are advised to keep their plugins and themes up to date, deploy a web application firewall (WAF), periodically review administrator accounts, and monitor for unauthorized changes to website files.
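The last recommendation, monitoring for unauthorized changes to website files, is the one site owners most often skip because it needs tooling rather than a setting. The script below is an added example (not code from WordPress.org, Sucuri, or this article) of a minimal file-integrity check: it records a baseline manifest of SHA-256 hashes for the PHP, JavaScript and .htaccess files under a WordPress install, and on a later run reports files that were added, removed or modified since the baseline. The directory layout and file contents in the demo are constructed for illustration; the function and path names are this example's own.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File types worth tracking in a WordPress tree: code that the web server executes
# or that browsers load, plus .htaccess, which attackers commonly rewrite.
TRACKED_SUFFIXES = {".php", ".js"}


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map each tracked file (relative POSIX path) under root to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix in TRACKED_SUFFIXES or path.name == ".htaccess":
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def save_manifest(manifest: dict, out_path) -> None:
    """Persist the baseline; keep this file off the web root, ideally off-host."""
    Path(out_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_path) -> dict:
    return json.loads(Path(in_path).read_text())


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified files between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed toy install, take a baseline, tamper, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin_dir = root / "wp-content" / "plugins" / "example-plugin"
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "plugin.php").write_text("<?php // constructed sample plugin\n")
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "functions.php").write_text("<?php // original\n")
        (root / "readme.html").write_text("<html></html>\n")  # not tracked

        baseline_path = root / "baseline.json"
        save_manifest(build_manifest(root), baseline_path)

        # Simulate the kind of change a compromised site shows: a core file
        # edited, a new PHP file dropped into a plugin, and a file deleted.
        (root / "wp-includes" / "functions.php").write_text("<?php // changed\n")
        (plugin_dir / "extra.php").write_text("<?php\n")
        (plugin_dir / "plugin.php").unlink()

        return compare_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is taken right after a clean install or a verified update, written somewhere the web server's user cannot modify, and the comparison is run from cron or a deploy hook; any change that does not line up with a known plugin, theme or core update is the signal to investigate. Legitimate updates will naturally appear as "modified", so the baseline must be regenerated after each one.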
