WordPress Requires Two-Step Verification for Authors and Designers of Plugins and Templates
An announcement from WordPress.org states that accounts with privileges to update plugins and templates must enable two-step verification (2SV).
The requirement takes effect on October 1, 2024.
The team behind the self-hosted version of the popular content management system (CMS) highlighted the significance of securing accounts that have the authority to introduce changes to plugins and templates utilized by numerous WordPress websites worldwide.
“Securing such accounts is crucial in preventing unauthorized entry and safeguarding the security and confidence of the WordPress.org community,” the maintainers said.
Alongside mandatory 2SV, WordPress.org is also introducing SVN passwords to strengthen its security measures. Under this scheme, a separate password is used solely for committing code changes.
This adds a further security layer by separating code-commit privileges from the user’s WordPress.org login credentials.
The team explained: “This password functions similarly to an app or secondary user account password. It acts as a shield for your primary password from exposure and simplifies the revocation of SVN access without requiring changes to your WordPress.org credentials.”
WordPress.org also noted that, due to technical constraints, applying 2SV directly to the existing code repositories was not viable. It has therefore opted for a combination of account-level two-step verification, strong SVN passwords, and additional deploy-time safeguards (such as Release Confirmations).
These measures are intended to counter cases in which a malicious actor takes over an author’s account and uses that access to introduce malicious code into legitimate plugins and templates, resulting in supply chain attacks against every site that installs the update.
The news follows a warning from Sucuri about ongoing ClearFake campaigns targeting WordPress websites. These campaigns distribute the RedLine information stealer by tricking site visitors into manually running PowerShell code, ostensibly to fix a web page rendering issue.

There have also been reports of threat actors abusing compromised PrestaShop e-commerce websites to deploy a credit card skimmer that siphons payment details entered on checkout pages.
Security researcher Ben Martin shared insights by saying, “Outdated software remains a prime target for attackers who leverage vulnerabilities in old plugins and themes. Weak administrative passwords serve as an entrance for attackers.”
Site owners are advised to update their plugins and templates regularly, deploy a web application firewall (WAF), periodically audit administrator accounts, and monitor for unauthorized changes to website files.
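The last recommendation, watching for unauthorized changes to website files, is the one that catches a trojanized plugin or theme update after the fact, whatever the cause. The following file-integrity check is an added example written for this article; it is not WordPress.org tooling and is not from the article itself. It builds a SHA-256 manifest of a directory tree, then compares a later snapshot against that baseline and reports added, removed, and modified files. The directory layout and file contents in `demo()` are constructed for the demonstration.

```python
"""File-integrity baseline and drift check for a web root.

Added example, not from the article or WordPress.org. Paths and file
contents used in demo() are constructed purely for illustration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, reading it in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (path relative to root) to its digest."""
    root_path = Path(root)
    manifest = {}
    for dirpath, _, filenames in os.walk(root_path):
        for name in filenames:
            file_path = Path(dirpath) / name
            manifest[file_path.relative_to(root_path).as_posix()] = hash_file(file_path)
    return manifest


def save_manifest(manifest: dict, dest: str) -> None:
    """Persist the baseline; in practice store it outside the web root."""
    with open(dest, "w", encoding="utf-8") as handle:
        json.dump(manifest, handle, indent=2, sort_keys=True)


def load_manifest(src: str) -> dict:
    with open(src, "r", encoding="utf-8") as handle:
        return json.load(handle)


def compare(baseline: dict, current: dict) -> dict:
    """Report drift between a stored baseline and a fresh snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Simulate a wp-content tree, baseline it, tamper with it, report drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wp-content"
        plugin_dir = root / "plugins" / "example-plugin"
        theme_dir = root / "themes" / "example-theme"
        plugin_dir.mkdir(parents=True)
        theme_dir.mkdir(parents=True)
        plugin = plugin_dir / "example-plugin.php"
        theme = theme_dir / "functions.php"
        plugin.write_text("<?php // constructed sample plugin file\n")
        theme.write_text("<?php // constructed sample theme file\n")

        manifest_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), manifest_path)

        # Simulated unauthorized changes: one file edited, one added, one deleted.
        plugin.write_text("<?php // constructed sample plugin file\n// unexpected edit\n")
        (plugin_dir / "extra.php").write_text("<?php // unexpected new file\n")
        theme.unlink()

        return compare(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline step right after a clean install or a verified update, keep the manifest somewhere an attacker with web-root write access cannot reach, and schedule the comparison; any entry under `modified` or `added` that does not correspond to an update you performed is worth investigating.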