Starting October 1, 2024, WordPress.org will introduce a new security requirement for users who can update plugins and themes. These users will now be required to enable two-factor authentication (2FA) to enhance account protection.

You might be interested in: Microsoft macOS Apps Vulnerable to Hackers

Why This Security Update Matters

The WordPress.org team emphasized the importance of securing accounts that have “commit access.” These accounts are responsible for pushing updates to millions of WordPress sites worldwide, and protecting them is crucial to preventing unauthorized changes.

“Securing these accounts is critical to ensuring that malicious actors don’t gain access and compromise the security and trust of the WordPress community,” the team said.

What’s Changing?

Along with requiring 2FA, WordPress.org is introducing SVN passwords. These new passwords are specifically designed to be used when making changes to plugins and themes. They work separately from your main WordPress.org account details to provide an extra layer of security.

This password acts like an application password, which shields your primary credentials from being exposed. If needed, SVN access can be easily revoked without having to update your WordPress.org login details.

Technical Challenges with 2FA on Repositories

Currently, WordPress.org cannot enable 2FA on existing code repositories due to technical limitations. To work around this, they have implemented a combination of account-level two-factor authentication, high-entropy SVN passwords, and additional deploy-time security measures like Release Confirmations.

These efforts are designed to protect against scenarios where hackers could potentially take over a user’s account and inject malicious code into trusted plugins or themes, which could lead to large-scale security breaches.

Recent Cybersecurity Threats

This move follows warnings from Sucuri, a security company, about ClearFake campaigns targeting WordPress sites. These attacks attempt to install the RedLine information stealer by tricking users into manually running PowerShell code.

Additionally, PrestaShop e-commerce sites have been exploited to insert credit card skimmers, stealing customer data at checkout.

Security Tips for WordPress Users

To protect your site, it’s recommended that you:

1. Update plugins and themes regularly.
2. Use a web application firewall (WAF).
3. Check your admin accounts frequently.
4. Monitor your website files for any unauthorized changes.

Security expert Ben Martin also advises that outdated software, weak admin passwords, and old plugins or themes are common targets for attackers. Keeping your site’s software updated and secure is the best way to prevent these kinds of threats.