WordPress.org has announced new account security measures that will require mandatory activation of two-factor authentication (2FA) for accounts with the ability to update plugins and themes.
The requirement is scheduled to take effect on October 1, 2024.
“Accounts with commit access can push updates and changes to plugins and themes that are used by millions of WordPress sites around the world,” said an administrator of the open-source, self-hosted version of the content management system (CMS).
“Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community.”
In addition to requiring 2FA, WordPress.org said it will introduce something called SVN passwords, which refers to dedicated passwords for committing changes.
WordPress.org says this adds a further layer of security by separating users’ code commit access from their WordPress.org account credentials.
“This password acts like an application or additional user account password,” the team states, “preventing your main password from being leaked and allowing you to easily revoke SVN access without changing your WordPress.org credentials.”
WordPress.org also said that technical limitations prevented it from applying 2FA to existing code repositories, and as a result opted for “a combination of account-level two-factor authentication, high-entropy SVN passwords, and other deployment-time security features (e.g. release verification).”
The measure is seen as a way to counter a scenario in which bad actors could hijack a publisher’s account and introduce malicious code into legitimate plugins or themes, potentially causing a large-scale supply chain attack.
The disclosure comes after Sucuri warned about an ongoing ClearFake campaign targeting WordPress sites that tricks site visitors into manually running PowerShell code under the pretext of fixing webpage rendering issues, in order to distribute an information-stealing tool called RedLine.
Threat actors have also been seen using infected PrestaShop e-commerce sites to deploy credit card skimmers to steal financial information entered on the checkout page.
“Outdated software is a prime target for attackers exploiting vulnerabilities in old plugins and themes,” said security researcher Ben Martin. “Weak admin passwords are a gateway for attackers.”
Users are advised to keep plugins and themes up to date, deploy a Web Application Firewall (WAF), regularly review admin accounts, and monitor website files for any unauthorized changes.
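One way to act on the last of those recommendations, monitoring website files for unauthorized changes, as an added example that is not part of the original article: record a baseline of SHA-256 digests for the WordPress plugins directory, store it, and later compare it against the live tree to surface added, removed and modified files. The directory layout, plugin name and file contents below are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or modified since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(f for f in common if baseline[f] != current[f]),
    }


def demo() -> dict:
    """Constructed run: baseline a plugin tree, alter it, and diff the two."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        plugin = plugins / "example-plugin"          # hypothetical plugin name
        plugin.mkdir(parents=True)
        (plugin / "example-plugin.php").write_text("<?php // v1.0\n")
        (plugin / "readme.txt").write_text("Example plugin\n")
        # In practice keep the baseline off the web host so it cannot be edited
        # together with the files it protects.
        store = Path(tmp) / "baseline.json"
        store.write_text(json.dumps(build_baseline(plugins)))
        # Simulate changes that were not part of any legitimate update.
        (plugin / "example-plugin.php").write_text("<?php // v1.0\n// unexpected edit\n")
        (plugin / "inc.php").write_text("<?php\n")
        (plugin / "readme.txt").unlink()
        return diff_baseline(json.loads(store.read_text()), build_baseline(plugins))
```

Run the baseline step right after a verified plugin or theme update and schedule the diff step from cron; any entry in the report that does not match a known deployment warrants investigation.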