Starting on October 1st, WordPress.org will require two-factor authentication (2FA) for accounts that can push updates and changes to plugins and themes.

This move is aimed at reducing the risk of unauthorized access, which could potentially lead to dangerous supply-chain attacks.

WordPress decided as part of its ongoing efforts to enhance security for the millions of websites that rely on its platform. According to the platform’s plugin review team, accounts with commit access play a critical role, as they have the power to push updates and changes that affect themes and plugins used by numerous WordPress sites. Therefore, securing these accounts is essential for preventing unauthorized access and ensuring the safety and trust of the WordPress.org community.

WordPress is a widely used open-source content management system (CMS) that allows users to build and manage websites with customizable themes and plugins. However, if a hacker were to take over a plugin or theme author’s account, they could modify the code to introduce vulnerabilities or backdoors, giving them privileged access to websites using those plugins or themes.

Buy Me A Coffee

To address these risks, the platform will enforce 2FA for all accounts with commit access starting October 1st. Users can enable 2FA by accessing the security settings in their WordPress.org accounts. Step-by-step instructions for activating 2FA are available on the site.

Additionally, WordPress.org has introduced SVN-specific passwords, which separate the credentials used for committing code changes from the main account credentials. This added layer of security requires plugin authors who use deployment scripts, like GitHub Actions, to update their scripts to include the new SVN-specific passwords. More details about Subversion (SVN) access and these changes can be found on WordPress.org.

READ
Google Removes Kaspersky Apps from Play Store Amid U.S. Sanctions

Despite these improvements, the platform notes that technical limitations prevent 2FA from being applied to existing code repositories. As a result, WordPress has opted to strengthen security by combining account-level 2FA with high-entropy SVN passwords and other security measures during deployment.