Saturday, September 14, 2024

WordPress.org to require 2FA for plugin developers by October


Starting October 1st, WordPress.org accounts that can push updates and changes to plugins and themes will be required to activate two-factor authentication (2FA).

The decision is part of an effort by the platform’s plugin review team to reduce the risk of unauthorized access, which could lead to supply-chain attacks.

“Accounts with commit entry can push updates and modifications to plugins and themes utilized by hundreds of thousands of WordPress websites worldwide,” reads the announcement.

“Securing these accounts is crucial to stopping unauthorized entry and sustaining the safety and belief of the WordPress.org neighborhood.”

WordPress is an open-source content management system (CMS), blogging tool, and publishing platform that helps users create and manage websites.

Users have access to a wide variety of free and paid themes and plugins that allow customizing the look and extending the functionality of their websites.

A malicious actor who hijacks an author’s account could alter code in a theme or plugin to include vulnerabilities or backdoors that could allow privileged access to websites using them.

2FA and SVN passwords

To prevent such risks, the 2FA security feature must be active on October 1st for accounts that have commit access on the WordPress.org platform. Account administrators can enable the setting from the security menu of their account. Step-by-step instructions on how to activate 2FA are available here.

Additionally, WordPress.org has added SVN-specific passwords that separate access for making code changes from the main account credentials.

Plugin authors using deployment scripts such as GitHub Actions will need to update their scripts to use the new SVN-specific passwords. Check this page for more information on Subversion (SVN) access.

The team notes that technical limitations prevent 2FA from being applied to existing code repositories, so it opted to combine “account-level two-factor authentication, high-entropy SVN passwords, and different deploy-time security measures.”
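For the deployment scripts mentioned above, the following is an added example (not code from WordPress.org or from the original article) of a commit step that takes the SVN-specific password from the CI environment, refuses to run if that password has been hardcoded into the files being deployed, and passes it to `svn` on stdin rather than on the command line. The variable names `SVN_USERNAME` and `SVN_PASSWORD` and the function names are assumptions; `--password-from-stdin` requires Subversion 1.10 or later.

```shell
#!/bin/sh
# Added example: deploy-time credential handling for an SVN commit step.
# SVN_USERNAME / SVN_PASSWORD are assumed names for CI secrets; the
# password is the SVN-specific one, not the main account password.

# Fail unless both credentials were supplied through the environment.
require_svn_credentials() {
    [ -n "${SVN_USERNAME:-}" ] || { echo "SVN_USERNAME is not set" >&2; return 1; }
    [ -n "${SVN_PASSWORD:-}" ] || { echo "SVN_PASSWORD is not set" >&2; return 1; }
}

# Return 0 if the secret appears literally in any file under directory $1.
secret_in_tree() {
    [ -n "${SVN_PASSWORD:-}" ] || return 1
    grep -rqF -- "$SVN_PASSWORD" "$1"
}

# Commit working copy $1 with message $2.
# Exit codes: 1 = credentials missing, 2 = secret found in deployed files.
svn_deploy() {
    require_svn_credentials || return 1
    if secret_in_tree "$1"; then
        echo "refusing to deploy: SVN password found in files under $1" >&2
        return 2
    fi
    # The password goes in on stdin so it never shows up in the process
    # list, and --no-auth-cache keeps it from being stored on the runner.
    printf '%s' "$SVN_PASSWORD" | svn commit "$1" -m "$2" \
        --username "$SVN_USERNAME" --password-from-stdin \
        --non-interactive --no-auth-cache
}

# Usage from a CI job, with both variables injected as secrets:
#   svn_deploy ./svn-working-copy "Release update"
```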
