WordPress.org Introduces New Security Measures for Plugin and Theme Authors
As of October 1st, 2024, WordPress.org is taking significant steps to enhance the security of accounts with commit access to plugins and themes. In a recent announcement by Dion Hulse, a developer sponsored by Automattic, these new security measures aim to provide added protection for WordPress authors, ensuring the safety of their accounts and contributions to the platform.
Strengthening Account Security with Mandatory Two-Factor Authentication (2FA)
Starting in October, all plugin and theme authors will be required to use two-factor authentication (2FA) to secure their accounts. This update is already rolling out, with WordPress.org prompting authors to configure 2FA by visiting their profile settings.
Dion Hulse stressed the critical importance of securely storing backup codes, highlighting that losing both 2FA methods and backup codes could lead to significant difficulties in recovering account access. To avoid such issues, WordPress.org encourages authors to take immediate action in setting up and safeguarding their backup credentials.
2FA and SVN Passwords for Enhanced Commit Access Protection
In addition to the mandatory 2FA, WordPress.org is introducing Subversion (SVN) passwords for those who commit changes to plugins and themes. This change will add an extra layer of protection by separating commit access from main account credentials. Authors can generate SVN passwords via their WordPress.org profiles.
This move particularly impacts developers using deployment scripts like GitHub Actions, who will need to update their stored passwords with the newly generated SVN credentials. By making these changes, WordPress.org aims to better protect developers’ accounts from unauthorized access or potential breaches.
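The following GitHub Actions workflow is an added illustration of the credential change described above; it is not code from WordPress.org or from the announcement. It assumes a plugin hosted at https://plugins.svn.wordpress.org/ (the slug `example-plugin` is a placeholder), and that the repository secrets `WPORG_SVN_USERNAME` and `WPORG_SVN_PASSWORD` hold the WordPress.org username and the SVN password generated from the author's profile rather than the main account password.

```yaml
# Deploy a tagged release to the WordPress.org plugin SVN repository.
# Added example, not WordPress.org's own workflow; names marked as placeholders are assumptions.
name: Deploy to WordPress.org SVN

on:
  release:
    types: [published]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Subversion client
        run: sudo apt-get update && sudo apt-get install -y subversion

      - name: Commit the release to WordPress.org
        env:
          # Before the change, WPORG_SVN_PASSWORD would have held the account's login
          # password. Now it must hold the dedicated SVN password from the profile page,
          # so a leaked CI secret no longer exposes the 2FA-protected account login.
          SVN_USERNAME: ${{ secrets.WPORG_SVN_USERNAME }}
          SVN_PASSWORD: ${{ secrets.WPORG_SVN_PASSWORD }}
          PLUGIN_SLUG: example-plugin          # placeholder slug
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          set -euo pipefail

          # Fail early if the secret was not rotated to the new SVN password.
          if [ -z "${SVN_PASSWORD}" ]; then
            echo "WPORG_SVN_PASSWORD is not set; generate an SVN password in your WordPress.org profile." >&2
            exit 1
          fi

          # --non-interactive: never fall back to a terminal prompt in CI.
          # --no-auth-cache:  do not write the password into ~/.subversion on the runner.
          SVN_AUTH="--non-interactive --no-auth-cache --username ${SVN_USERNAME} --password ${SVN_PASSWORD}"

          svn checkout --depth immediates ${SVN_AUTH} \
            "https://plugins.svn.wordpress.org/${PLUGIN_SLUG}" svn-wc
          svn update --set-depth infinity ${SVN_AUTH} svn-wc/trunk

          # Copy the built plugin into trunk (excluding the working copy and VCS metadata).
          rsync -a --delete --exclude '.git' --exclude '.github' --exclude 'svn-wc' ./ svn-wc/trunk/

          cd svn-wc
          svn add --force trunk
          svn status | awk '/^!/ {print $2}' | xargs -r svn delete
          svn copy trunk "tags/${RELEASE_TAG}"
          svn commit -m "Release ${RELEASE_TAG}" ${SVN_AUTH}
```

The two `svn` options matter as much as the secret itself: `--non-interactive` stops a missing or wrong password from hanging the job, and `--no-auth-cache` keeps the SVN password out of the runner's on-disk credential cache. Rotating the secret is then a one-place change when a new SVN password is generated.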
Dion Hulse also explained why 2FA is not applied to SVN itself, a question raised about the Plugin Review Team's approach: technical limitations prevent adding 2FA to the existing code repositories. To compensate, WordPress.org is securing its codebase with account-level 2FA, high-entropy SVN passwords, and other deploy-time features such as release confirmations.
For further details, WordPress.org has provided guides on configuring Two-Factor Authentication and Subversion Access, as well as a post by Chris Christoff on keeping plugin committer accounts secure.
Positive Response from the WordPress Community
The WordPress community has largely welcomed these new security measures, with some developers even noting that these updates were overdue. Toma Todua, a WordPress developer, humorously remarked, “At least we were earlier than someone stepping on Mars.”
This isn’t the first time WordPress.org has prioritized security in recent months. In June 2024, the WordPress Plugin Team took decisive action by temporarily halting plugin releases and requiring all plugin authors to reset their passwords after five WordPress.org user accounts were compromised.
Final Thoughts: Prioritizing Security for a Safer WordPress Ecosystem
The introduction of mandatory 2FA and SVN passwords marks a significant step in bolstering security on WordPress.org. With these changes, the platform aims to reduce vulnerabilities and ensure that plugin and theme authors can continue contributing to WordPress safely. Authors are encouraged to act swiftly in configuring these security settings to protect their accounts and maintain the integrity of their projects.
For more information on these changes and how to secure your accounts, visit the official guides provided by WordPress.org or reach out to the support team.