WordPress requires two-factor authentication for plugin and theme developers.

WordPress Mandates Two-Factor Authentication for Plugin and Theme Developers

TLDR: WordPress Mandates Two-Factor Authentication for Plugin and Theme Developers

WordPress.org has announced that accounts with capabilities to update plugins and themes will be required to activate two-factor authentication (2FA) starting October 1, 2024. This measure aims to enhance security and prevent unauthorized access to push updates to plugins and themes used on WordPress sites worldwide.

Key points from the article:

Accounts with commit access must activate 2FA for security.
WordPress.org introduces SVN passwords for committing changes separately from account credentials.

Full Article:

WordPress.org has announced a new account security measure that will require accounts with capabilities to update plugins and themes to activate two-factor authentication (2FA) mandatorily. The enforcement is expected to come into effect starting October 1, 2024. This measure is crucial as accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide. Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community.

Along with mandatory 2FA, WordPress.org is introducing what’s called SVN passwords, a dedicated password for committing changes. This introduces a new layer of security by separating users’ code commit access from their WordPress.org account credentials. This password functions like an application or additional user account password, protecting the main password from exposure and allowing easy revocation of SVN access without changing WordPress.org credentials.

Due to technical limitations, 2FA cannot be applied to existing code repositories. As a result, WordPress.org is implementing a combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features to ensure the security of plugins and themes.

The measures are in response to the threat of malicious actors seizing control of publisher accounts and introducing malicious code into legitimate plugins and themes, leading to large-scale supply chain attacks. It is essential to keep plugins and themes up-to-date, deploy a web application firewall, review administrator accounts periodically, and monitor unauthorized changes to website files to protect against such attacks.

Overall, the mandate for two-factor authentication for plugin and theme developers on WordPress aims to enhance security, prevent unauthorized access, and maintain the integrity of the WordPress.org community.

Post Views: 22

Latest from Blog

Beware: UNC2970 Hackers Weapons in Job Seekers’ PDFs

TLDR: UNC2970 hackers are targeting job seekers with weaponized PDF files. They use sophisticated phishing tactics to deliver malware to victims. In a recent report, cybersecurity analysts at Google Mandiant have identified

Cyber insurance changes shape of security for good and bad

TLDR: Key Points: Cyber-insurance landscape is shifting to encourage greater cyber resiliency Rising costs of cyberattacks are prompting insurers to re-examine underwriting How Cyber-Insurance Shifts Affect the Security Landscape The article discusses