Starting October 1, 2024, WordPress.org will introduce a new security requirement for users who can update plugins and themes. These users will now be required to enable two-factor authentication (2FA) to enhance account protection.
Why This Security Update Matters
The WordPress.org team emphasized the importance of securing accounts that have “commit access.” These accounts are responsible for pushing updates to millions of WordPress sites worldwide, and protecting them is crucial to preventing unauthorized changes.
“Securing these accounts is critical to ensuring that malicious actors don’t gain access and compromise the security and trust of the WordPress community,” the team said.
What’s Changing?
Along with requiring 2FA, WordPress.org is introducing SVN passwords. These new passwords are specifically designed to be used when making changes to plugins and themes. They work separately from your main WordPress.org account details to provide an extra layer of security.
This password acts like an application password, which shields your primary credentials from being exposed. If needed, SVN access can be easily revoked without having to update your WordPress.org login details.
Technical Challenges with 2FA on Repositories
Currently, WordPress.org cannot enable 2FA on existing code repositories due to technical limitations. To work around this, they have implemented a combination of account-level two-factor authentication, high-entropy SVN passwords, and additional deploy-time security measures like Release Confirmations.
These efforts are designed to protect against scenarios where hackers could potentially take over a user’s account and inject malicious code into trusted plugins or themes, which could lead to large-scale security breaches.
Recent Cybersecurity Threats
This move follows warnings from Sucuri, a security company, about ClearFake campaigns targeting WordPress sites. These attacks attempt to install the RedLine information stealer by tricking users into manually running PowerShell code.
Additionally, PrestaShop e-commerce sites have been exploited to insert credit card skimmers, stealing customer data at checkout.
Security Tips for WordPress Users
To protect your site, it’s recommended that you:
- Update plugins and themes regularly.
- Use a web application firewall (WAF).
- Check your admin accounts frequently.
- Monitor your website files for any unauthorized changes.
Security expert Ben Martin also advises that outdated software, weak admin passwords, and old plugins or themes are common targets for attackers. Keeping your site’s software updated and secure is the best way to prevent these kinds of threats.
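The last tip, monitoring site files for unauthorized changes, can be automated with a simple baseline check. The following is an added example, not code from the article or from WordPress.org: it records SHA-256 digests of every file under a site directory and reports files added, modified or removed since that trusted snapshot. The wp-content layout and file contents used in the demo are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: str) -> dict[str, str]:
    """Map every file under root (as a relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between a trusted baseline snapshot and the current tree."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: a tiny fake wp-content tree is snapshotted, then altered."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        (site / "plugins" / "example").mkdir(parents=True)
        (site / "plugins" / "example" / "example.php").write_text("<?php // plugin code\n")
        (site / "themes" / "base").mkdir(parents=True)
        (site / "themes" / "base" / "functions.php").write_text("<?php // theme code\n")
        baseline = hash_tree(root)  # taken right after a known-good deploy
        # Simulated post-snapshot changes (constructed): one edit, one new file, one deletion.
        (site / "plugins" / "example" / "example.php").write_text("<?php // plugin code\n// changed\n")
        (site / "plugins" / "example" / "wp-tmp.php").write_text("<?php // unexpected file\n")
        (site / "themes" / "base" / "functions.php").unlink()
        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

In practice the baseline is stored outside the web root and refreshed only after an intended plugin or theme update, so any other difference is worth investigating.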
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.