In a move aimed at fortifying account security, WordPress.org has decreed that developers with the authority to update plugins and themes must now activate two-factor authentication (2FA) as a compulsory measure.
This mandate is set to be enforced from October 1, 2024.
“Developers with commit access possess the ability to push updates and modifications to plugins and themes used by millions of WordPress sites globally,” the custodians of the open-source, self-hosted CMS revealed.
“Ensuring the safety of these accounts is paramount to curbing unauthorized access, thereby safeguarding the integrity and trust of the WordPress.org ecosystem.”
In addition to mandating 2FA, WordPress.org has unveiled a new security feature known as SVN passwords. This refers to a specialized password dedicated to submitting code changes.
The initiative is designed to introduce an additional security layer by isolating code commit privileges from the main WordPress.org account credentials.
“This password operates similarly to an application-specific or secondary user account password,” the team explained. “It shields the primary password from potential exposure and allows for swift revocation of SVN access without necessitating a reset of the main WordPress.org credentials.”
The organization also pointed out that technical limitations prevent 2FA from being applied directly to the existing code repositories themselves. Consequently, a multi-layered approach combining account-level two-factor authentication, high-entropy SVN passwords, and other deployment security mechanisms, such as Release Confirmations, has been adopted.
These security enhancements are seen as critical measures to mitigate scenarios where a malevolent entity might commandeer a developer’s account and insert malicious code into otherwise legitimate plugins and themes, triggering widespread supply chain attacks.
The announcement coincides with warnings from Sucuri regarding ongoing ClearFake campaigns targeting WordPress websites. These campaigns attempt to distribute a data-stealing malware known as RedLine by deceiving users into executing PowerShell scripts under the guise of resolving webpage rendering issues.
Cybercriminals have also exploited compromised PrestaShop e-commerce platforms to install credit card skimmers, harvesting sensitive financial details from checkout pages.
“Outdated software provides fertile ground for attackers seeking to exploit vulnerabilities in obsolete plugins and themes,” remarked security researcher Ben Martin. “Weak administrative passwords remain a glaring entry point for malicious actors.”
Users are urged to keep their plugins and themes updated, implement a robust web application firewall (WAF), routinely audit administrator accounts, and vigilantly monitor for unauthorized alterations to website files.