Starting October 1st, WordPress.org accounts that can push updates and changes to plugins and themes will be required to activate two-factor authentication (2FA) on their accounts.
The decision is part of the platform’s plugin review team effort to reduce the risk of unauthorized access, which could lead to supply-chain attacks.
“Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide,” reads the announcement.
“Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community.”
WordPress is an open-source content management system (CMS), blog tool, and publishing platform that helps users create and manage websites.
Users have access to a wide variety of free and paid themes and plugins that allow customizing the look and extending the functionality of their websites.
A malicious actor hijacking a publisher’s account could alter code in a theme or plugin to include vulnerabilities or backdoors that would allow privileged access to websites using them.
2FA and SVN passwords
To prevent such risks, the 2FA security feature needs to be active on October 1st for accounts that have commit access on the WordPress.org platform. Account administrators can enable the setting from the security menu of their account. Step-by-step instructions on how to activate 2FA are available here.
Additionally, WordPress.org has added SVN-specific passwords that separates the access to making code changes from the main account credentials.
Plugin authors using deployment scripts such as GitHub Actions will need to update their scripts to use the new SVN-specific passwords. Check this page for more information on Subversion (SVN) access.
The team notes that technical limitations prevent 2FA from being applied to existing code repositories and opted to combine “account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features.”