Article Details
Scrape Timestamp (UTC): 2024-09-11 17:35:04.412
Original Article Text
Click to Toggle View
WordPress.org to require 2FA for plugin developers by October. Starting October 1st, WordPress.org accounts that can push updates and changes to plugins and themes will be required to activate two-factor authentication (2FA) on their accounts. The decision is part of the platform's plugin review team effort to reduce the risk of unauthorized access, which could lead to supply-chain attacks. “Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide,” reads the announcement. “Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community.” WordPress is an open-source content management system (CMS), blog tool, and publishing platform that helps users create and manage websites. Users have access to a wide variety of free and paid themes and plugins that allow customizing the look and extending the functionality of their websites. A malicious actor hijacking a publisher's account could alter code in a theme or plugin to include vulnerabilities or backdoors that would allow privileged access to websites using them. 2FA and SVN passwords To prevent such risks, the 2FA security feature needs to be active on October 1st for accounts that have commit access on the WordPress.org platform. Account administrators can enable the setting from the security menu of their account. Step-by-step instructions on how to activate 2FA are available here. Additionally, WordPress.org has added SVN-specific passwords that separates the access to making code changes from the main account credentials. Plugin authors using deployment scripts such as GitHub Actions will need to update their scripts to use the new SVN-specific passwords. Check this page for more information on Subversion (SVN) access. The team notes that technical limitations prevent 2FA from being applied to existing code repositories and opted to combine "account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features."
Daily Brief Summary
WordPress.org will require two-factor authentication (2FA) for developer accounts with commit access starting October 1st.
The policy aims to secure accounts that can update themes and plugins, protecting millions of sites globally.
This measure is to prevent unauthorized access and potential supply-chain attacks through compromised plugin or theme updates.
Additional security includes SVN-specific passwords to distinctively separate coding access from main account credentials.
Plugin authors utilizing deployment scripts, such as GitHub Actions, must update their scripts to accommodate new SVN passwords.
The adjustments link to a broader strategy including high-entropy SVN passwords and deployment-time security features, enhancing overall platform integrity.
WordPress is a widely-used open-source platform that supports a large number of websites through its themes and plugins system.