WordPress.org has announced that it will require two-factor authentication (2FA) for accounts that have commit access to plugins and themes, in order to reduce the risk of account takeover.
The new policy is expected to take effect on October 1, 2024.
Accounts with commit access can push updates and changes to plugins and themes that are used by tens of millions of WordPress websites worldwide, the maintainers of the open-source, self-hosted version of the content management system said.
“Ensuring the security of these accounts is vital for preventing unauthorised access and maintaining the trust and confidence within the WordPress.org community.”
Alongside mandatory 2FA, WordPress.org is introducing SVN passwords: a dedicated password that is used only for committing changes to the Subversion repositories.
The aim is to add another layer of protection by separating a user's code-commit activity from their WordPress.org login credentials.
The new password works much like an application password or a secondary user-account password, the group said. “It safeguards sensitive passwords from public exposure, allowing for seamless revocation of SVN entries without compromising your WordPress.org login credentials.”
WordPress.org noted that technical limitations prevent 2FA from being enforced on the existing code repositories directly, so it is adopting a hybrid approach that combines account-level two-factor authentication, high-entropy SVN passwords, and additional deploy-time safeguards such as Release Confirmations.
Together, these measures are meant to mitigate scenarios in which an attacker takes over a developer's account and injects malicious code into official plugins and themes, potentially triggering large-scale supply-chain attacks.
The announcement comes as Sucuri, as part of its ongoing malware clean-up work, has identified and remediated numerous WordPress sites attempting to distribute the RedLine information-stealing malware by tricking visitors into running PowerShell code, under the pretext of fixing a web-page rendering error.
Attackers have also been abusing compromised PrestaShop e-commerce sites to inject card-skimming malware that steals payment-card details entered during checkout.
“Attackers are increasingly targeting outdated software programs that remain vulnerable due to neglected plugins and themes,” says security researcher Ben Martin. Weak admin passwords are another straightforward entry point for attackers.
Site owners are advised to keep plugins and themes up to date, deploy a web application firewall (WAF) to block malicious traffic, regularly audit administrator accounts for suspicious activity, and monitor for unauthorized changes to site content.
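As an added illustration of the last two recommendations (this is example code written for this article, not anything published by WordPress.org, Sucuri or the WordPress project), the following Python script runs two routine checks on constructed sample data so it works offline: it audits the administrator list, in the JSON shape produced by `wp user list --role=administrator --format=json`, against an assumed allowlist and flags recently created admins, and it compares SHA-256 baselines of the site tree to report added, removed and modified files. The allowlist, the ignored path prefixes, and the sample users and files are assumptions made for the example.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumed policy values for this example (not WordPress defaults).
EXPECTED_ADMINS = {"alice", "ops-bot"}          # the admin logins you know about
RECENT_WINDOW = timedelta(days=7)               # flag admins created this recently
IGNORE_PREFIXES = ("wp-content/uploads/", "wp-content/cache/")
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".phar"}

# Constructed sample output in the shape of
# `wp user list --role=administrator --format=json`.
SAMPLE_ADMIN_JSON = json.dumps([
    {"ID": 1, "user_login": "alice", "user_registered": "2022-03-01 09:12:44"},
    {"ID": 2, "user_login": "ops-bot", "user_registered": "2023-06-15 11:00:00"},
    {"ID": 57, "user_login": "wp_support_9", "user_registered": "2024-09-28 03:41:10"},
])


def audit_admins(admin_json, now, expected=EXPECTED_ADMINS, window=RECENT_WINDOW):
    """Return [(login, [reasons])] for administrator accounts that are not on
    the allowlist or were registered within the recent window."""
    findings = []
    for user in json.loads(admin_json):
        registered = datetime.strptime(
            user["user_registered"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        reasons = []
        if user["user_login"] not in expected:
            reasons.append("not in allowlist")
        if now - registered <= window:
            reasons.append("registered within %d days" % window.days)
        if reasons:
            findings.append((user["user_login"], reasons))
    return findings


def demo_audit():
    """Run the admin audit at a fixed 'now' so the result is reproducible."""
    return audit_admins(SAMPLE_ADMIN_JSON, now=datetime(2024, 10, 1, tzinfo=timezone.utc))


def tracked(rel):
    """Skip churn in uploads/ and cache/, but never skip PHP there: attackers
    routinely drop webshells into writable upload directories."""
    if rel.startswith(IGNORE_PREFIXES):
        return Path(rel).suffix.lower() in EXECUTABLE_SUFFIXES
    return True


def hash_tree(root):
    """Map relative POSIX path -> SHA-256 of content for every tracked file."""
    root = Path(root)
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if tracked(rel):
                hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def detect_changes(baseline, current):
    """Diff two hash_tree() snapshots into added / removed / modified paths."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def build_sample_site(root):
    """Write a small constructed WordPress-like tree (not a real install)."""
    files = {
        "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
        "wp-content/themes/twentytwentyfour/functions.php": "<?php // theme functions\n",
        "wp-content/plugins/akismet/akismet.php": "<?php // plugin entry point\n",
        "wp-content/uploads/2024/09/photo.jpg": "fake image bytes\n",
    }
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)


def demo():
    """Baseline the sample site, simulate tampering, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        baseline = hash_tree(tmp)
        site = Path(tmp)
        # Simulated tampering: code appended to the theme, a PHP file dropped
        # into uploads/, a plugin file deleted, and a legitimate media change.
        with open(site / "wp-content/themes/twentytwentyfour/functions.php", "a") as f:
            f.write("// appended by simulated attacker\n")
        (site / "wp-content/uploads/2024/09/shell.php").write_text("<?php // dropped file\n")
        (site / "wp-content/plugins/akismet/akismet.php").unlink()
        (site / "wp-content/uploads/2024/09/photo.jpg").write_text("re-uploaded image\n")
        return detect_changes(baseline, hash_tree(tmp))


if __name__ == "__main__":
    print(demo_audit())
    print(json.dumps(demo(), indent=2))
```

Take the baseline immediately after a clean install or update and store it off the web host, since an attacker with write access to the site can also rewrite a baseline kept there. The media change in `uploads/` is deliberately ignored, but the PHP file dropped there is still reported: that is the single most common place a webshell lands on a compromised WordPress site, so executable files are never excluded from the comparison.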