WordPress Bolsters Security: 2FA Now Mandatory for Updates

From October 1, 2024, WordPress will implement a new mandatory requirement for accounts with access to plugin and theme updates: the activation of two-factor authentication (2FA). This measure aims to enhance security and prevent unauthorized access.

According to WordPress representatives, these accounts have the ability to modify plugins and themes used by millions of websites worldwide, making their protection a priority to ensure the security and trust of the community.

In addition to mandatory 2FA, WordPress.org has introduced a new feature—SVN passwords. These are separate passwords for making changes to code, allowing users to separate repository access from their main login credentials. Essentially, this adds an extra layer of security, reducing the risk of a primary password leak and enabling easy revocation of SVN access without altering the main account details.

Technical limitations prevent the implementation of 2FA for existing code repositories, so it was decided to employ a combination of two-factor authentication at the account level, highly secure SVN passwords, and other security measures, including release verification.

These steps are designed to prevent attacks where malicious actors could gain access to a developer’s account and inject malicious code into plugins and themes, potentially leading to large-scale supply chain attacks.

The main concern with the introduction of mandatory two-factor authentication is the potential inconvenience for developers. Some users may encounter difficulties in setting up 2FA, which could slow down their work or temporarily block access to their accounts. Moreover, the introduction of the new SVN password system requires adaptation, which may prompt additional questions from developers accustomed to standard authentication methods.

However, in the long run, these measures are expected to significantly improve the overall security of the WordPress ecosystem. Any negative effects are likely to be limited to temporary inconveniences, while the benefits of enhanced account protection and the prevention of supply chain attacks on plugins and themes are clear.

The announcement comes in the wake of recent warnings from Sucuri about the ongoing ClearFake malicious campaign targeting WordPress sites. Cybercriminals are spreading RedLine malware, tricking users into manually running PowerShell to “fix” display issues on pages. Additionally, attackers are exploiting compromised PrestaShop sites to steal credit card data on payment pages.

As noted by Sucuri researcher Ben Martin, outdated software and weak administrator passwords are often the targets of attacks. To mitigate risks, it is recommended to regularly update plugins and themes, use web application firewalls (WAF), review administrator accounts, and monitor file changes on websites.