WordPress.org to Enforce Mandatory 2FA for Plugin and Theme Updates

Starting October 1, 2024, WordPress.org will require accounts with the ability to update plugins and themes to activate two-factor authentication (2FA) as a mandatory security measure. This move aims to strengthen the security of accounts with commit access, which can push updates to plugins and themes used by millions of websites globally.

"Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide," the maintainers of the open-source, self-hosted version of WordPress announced. "Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community."

In addition to requiring 2FA, WordPress.org is introducing SVN passwords: dedicated passwords used only for committing code. They add a further layer of protection by separating commit access to the code repository from the credentials of the main WordPress.org account.

"This password functions like an application or additional user account password," WordPress.org stated. "It protects your main password from exposure and allows you to easily revoke SVN access without changing your WordPress.org credentials."

The team also highlighted technical limitations that prevent 2FA from being directly applied to existing code repositories. To mitigate this, they have opted for a combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features such as Release Confirmations.


Combating Supply Chain Attacks

These security upgrades are designed to counter the risk of a malicious actor gaining control of a publisher's account, potentially inserting harmful code into legitimate plugins and themes, which could lead to large-scale supply chain attacks.

This announcement comes at a time when threats to WordPress sites are growing. Security company Sucuri recently warned of ClearFake campaigns that target WordPress websites to distribute the RedLine information stealer. These campaigns trick visitors into running PowerShell code under the pretext of fixing a page-rendering problem, creating a serious security risk.

Additionally, threat actors have been observed infecting PrestaShop e-commerce sites to deploy credit card skimmers, which siphon financial data from checkout pages.


Best Practices for WordPress Users

Ben Martin, a security researcher, emphasized the importance of keeping software updated. "Outdated software is a primary target for attackers who exploit vulnerabilities in old plugins and themes," Martin said. "Weak admin passwords are a gateway for attackers."

To secure WordPress sites, users should follow these recommended practices:

  • Keep plugins and themes updated to their latest versions.
  • Deploy a web application firewall (WAF) to guard against attacks.
  • Regularly review and manage administrator accounts.
  • Monitor for unauthorized changes to website files.
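The last item in the list, monitoring for unauthorized changes to website files, is the one that catches a tampered plugin or theme after an update has already been pulled in. The script below is an added example, not code from WordPress.org or from the article: it builds a SHA-256 baseline of a document root, stores it as JSON outside that root, and on the next run reports files that were added, removed or modified. The uploads and cache directories are excluded from the baseline because their contents change legitimately, and instead any PHP-like file found under uploads is reported on its own, since WordPress never needs executable code there. The directory layout, file names and the `demo()` function that simulates a change are constructed for the example; the skip list and the extension set are assumptions an operator would tune.

```python
"""File-integrity baseline for a WordPress document root (added example, not WordPress.org code)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed tuning values: directories that churn legitimately are left out of the hash
# baseline, and executable files under uploads are reported separately instead.
SKIP_DIRS = ("wp-content/uploads", "wp-content/cache")
UPLOADS_DIR = "wp-content/uploads"
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _skipped(rel: str) -> bool:
    return any(rel == d or rel.startswith(d + "/") for d in SKIP_DIRS)


def build_baseline(root: Path) -> dict:
    """Map every tracked file (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # symlinks are not hashed; a link pointing outside the root is its own finding
        rel = path.relative_to(root).as_posix()
        if not _skipped(rel):
            baseline[rel] = hash_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished or changed between two baselines."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(rel for rel in common if baseline[rel] != current[rel]),
    }


def executable_uploads(root: Path) -> list:
    """PHP-like files under the uploads tree; each one merits manual review."""
    root = Path(root)
    uploads = root / UPLOADS_DIR
    if not uploads.is_dir():
        return []
    return sorted(
        p.relative_to(root).as_posix()
        for p in uploads.rglob("*")
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    )


def save_baseline(baseline: dict, state_file: Path) -> None:
    """Persist the baseline; keep this file outside the web root and the scanned tree."""
    Path(state_file).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(state_file: Path) -> dict:
    return json.loads(Path(state_file).read_text())


def demo() -> dict:
    """Constructed WordPress-like tree: baseline it, simulate changes, and diff."""
    with tempfile.TemporaryDirectory() as docroot, tempfile.TemporaryDirectory() as state:
        root = Path(docroot)
        state_file = Path(state) / "wp-baseline.json"  # stored outside the document root
        plugin = root / "wp-content/plugins/example-plugin"
        plugin.mkdir(parents=True)
        (plugin / "example-plugin.php").write_text("<?php\n// plugin bootstrap (constructed sample)\n")
        (plugin / "readme.txt").write_text("=== Example Plugin ===\n")
        (root / "wp-config.php").write_text("<?php\n// constructed sample config\n")
        (root / UPLOADS_DIR / "2024/09").mkdir(parents=True)
        (root / UPLOADS_DIR / "2024/09/photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        save_baseline(build_baseline(root), state_file)

        # Simulated changes of the kind a hijacked publisher account or a server
        # intrusion could leave behind: an edited plugin file, a new file, a
        # deleted file, and a PHP file dropped where only media belongs.
        with (plugin / "example-plugin.php").open("a") as fh:
            fh.write("// unexpected edit (constructed)\n")
        (plugin / "helper.php").write_text("<?php\n// constructed: file not shipped by the plugin\n")
        (plugin / "readme.txt").unlink()
        (root / UPLOADS_DIR / "2024/09/not-an-image.php").write_text("<?php\n// constructed\n")

        report = compare(load_baseline(state_file), build_baseline(root))
        report["executable_uploads"] = executable_uploads(root)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice an operator would run `build_baseline` once right after a verified clean install or update, save the JSON somewhere the web server user cannot write, and schedule the comparison from cron; every entry in the report is then either a change the operator made on purpose or something to investigate, and the `executable_uploads` list should normally be empty.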

These steps, combined with WordPress.org’s new security measures, are essential for maintaining a secure and resilient website in today’s threat landscape.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067