WordPress.org has announced a new account security measure that will require accounts with capabilities to update plugins and themes to activate two-factor authentication (2FA) mandatorily.
The enforcement is expected to come into effect starting October 1, 2024.
“Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide,” the maintainers of the open-source, self-hosted version of the content management system (CMS) said.
“Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community.”
Besides requiring mandatory 2FA, WordPress.org said it’s introducing what’s called SVN passwords, which refers to a dedicated password for committing changes.
This, it said, is an effort to introduce a new layer of security by separating users’ code commit access from their WordPress.org account credentials.
“This password functions like an application or additional user account password,” the team said. “It protects your main password from exposure and allows you to easily revoke SVN access without having to change your WordPress.org credentials.”
WordPress.org also noted that technical limitations have prevented 2FA from being applied to existing code repositories, as a result of which it has opted for a “combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features (such as Release Confirmations).”
The measures are seen as a way to counter scenarios where a malicious actor could seize control of a publisher’s account, thereby introducing malicious code into legitimate plugins and themes, resulting in large-scale supply chain attacks.
The disclosure comes as Sucuri warned of ongoing ClearFake campaigns targeting WordPress sites that aim to distribute an information stealer called RedLine by tricking site visitors into manually running PowerShell code in order to fix an issue with rendering the web page.
Threat actors have also been observed leveraging infected PrestaShop e-commerce sites to deploy a credit card skimmer to siphon financial information entered on checkout pages.
“Outdated software is a primary target for attackers who exploit vulnerabilities in old plugins and themes,” security researcher Ben Martin said. “Weak admin passwords are a gateway for attackers.”
Users are recommended to keep their plugins and themes up-to-date, deploy a web application firewall (WAF), periodically review administrator accounts, and monitor for unauthorized changes to website files.
