Beginning October 1st, WordPress.org accounts that can push updates and changes to plugins and themes will be required to enable two-factor authentication (2FA) on their accounts.
The decision is part of the platform's plugin review team's effort to reduce the risk of unauthorized access, which could lead to supply-chain attacks.
“Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide,” reads the announcement.
“Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community.”
WordPress is an open-source content management system (CMS), blogging tool, and publishing platform that helps users create and manage websites.
Users have access to a wide variety of free and paid themes and plugins that allow customizing the look and extending the functionality of their websites.
A malicious actor hijacking a publisher's account could alter the code of a theme or plugin to include vulnerabilities or backdoors that would allow privileged access to the websites using them.
2FA and SVN passwords
To prevent such risks, the 2FA security feature must be active on October 1st for accounts that have commit access on the WordPress.org platform. Account administrators can enable the setting from the security menu of their account. Step-by-step instructions on how to activate 2FA are available here.
Additionally, WordPress.org has added SVN-specific passwords that separate the access used for making code changes from the main account credentials.
Plugin authors using deployment scripts such as GitHub Actions will need to update their scripts to use the new SVN-specific passwords. Check this page for more information on Subversion (SVN) access.
The team notes that technical limitations prevent 2FA from being applied to existing code repositories, and it opted to combine “account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features.”
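What "update their scripts to use the new SVN-specific passwords" looks like in practice, as an added example that is not part of the article and not WordPress.org's or any plugin's own deployment code: a GitHub Actions workflow that commits a plugin release to its Subversion repository using a dedicated SVN password stored as a repository secret, so the WordPress.org account password (and the 2FA-protected login it belongs to) never reaches the CI runner. The plugin slug `my-plugin`, the secret names `WPORG_USERNAME` and `WPORG_SVN_PASSWORD`, and the use of `plugins.svn.wordpress.org` as the repository host are assumptions for illustration.

```yaml
name: Deploy plugin to WordPress.org SVN

on:
  release:
    types: [published]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Subversion client
        run: sudo apt-get update && sudo apt-get install -y subversion

      # Assumed names: PLUGIN_SLUG is the plugin's directory on the SVN host;
      # WPORG_USERNAME / WPORG_SVN_PASSWORD are repository secrets.
      # WPORG_SVN_PASSWORD must hold the SVN-specific password generated in the
      # WordPress.org account, never the account's main login password.
      - name: Commit release to SVN trunk
        env:
          PLUGIN_SLUG: my-plugin                      # placeholder slug
          SVN_USERNAME: ${{ secrets.WPORG_USERNAME }}
          SVN_PASSWORD: ${{ secrets.WPORG_SVN_PASSWORD }}
        run: |
          set -eu
          SVN_DIR="$RUNNER_TEMP/svn"
          # Sparse checkout: only trunk is needed for this deploy
          svn checkout --quiet --depth immediates \
            "https://plugins.svn.wordpress.org/${PLUGIN_SLUG}/" "$SVN_DIR"
          svn update --quiet --set-depth infinity "$SVN_DIR/trunk"
          # Mirror the release tree into trunk, leaving SVN metadata intact
          rsync -a --delete --exclude='.svn' --exclude='.git' --exclude='.github' \
            ./ "$SVN_DIR/trunk/"
          cd "$SVN_DIR"
          svn add --force trunk > /dev/null
          # Files removed by rsync show as '!' in svn status; schedule them for deletion
          svn status | awk '/^!/ {print $2}' | xargs -r svn delete --force
          # --non-interactive ensures the job fails instead of hanging on a prompt
          svn commit --quiet --non-interactive \
            --username "$SVN_USERNAME" --password "$SVN_PASSWORD" \
            -m "Deploy ${GITHUB_REF_NAME}"
```

The design point is the credential boundary: if this workflow's secret leaks (a compromised action, a log that echoes the environment, a misconfigured fork), the attacker obtains a commit credential that can be rotated from the account's security settings, while the account itself remains behind the main password and 2FA. Limiting the workflow to `release: published` events also keeps an ordinary push from triggering a commit to the public repository.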