WordPress Mandates Two-Issue Authentication for Plugin and Theme Builders
WordPress.org has introduced a brand new account safety measure that may require accounts with capabilities to replace plugins and themes to activate two-factor authentication (2FA) mandatorily.
The enforcement is predicted to come back into impact beginning October 1, 2024.
“Accounts with commit entry can push updates and adjustments to plugins and themes utilized by thousands and thousands of WordPress websites worldwide,” the maintainers of the open-source, self-hosted model of the content material administration system (CMS) said.
“Securing these accounts is crucial to stopping unauthorized entry and sustaining the safety and belief of the WordPress.org group.”
Apart from requiring necessary 2FA, WordPress.org mentioned it is introducing what’s known as SVN passwords, which refers to a devoted password for committing adjustments.
This, it mentioned, is an effort to introduce a brand new layer of safety by separating customers’ code commit entry from their WordPress.org account credentials.
“This password features like an software or extra consumer account password,” the workforce mentioned. “It protects your principal password from publicity and permits you to simply revoke SVN entry with out having to vary your WordPress.org credentials.”
WordPress.org additionally famous that technical limitations have prevented 2FA from being utilized to present code repositories, because of which it has opted for a “mixture of account-level two-factor authentication, high-entropy SVN passwords, and different deploy-time safety features (akin to Launch Confirmations).”
The measures are seen as a technique to counter situations the place a malicious actor may seize management of a writer’s account, thereby introducing malicious code into official plugins and themes, leading to large-scale provide chain assaults.
The disclosure comes as Sucuri warned of ongoing ClearFake campaigns concentrating on WordPress websites that purpose to distribute an info stealer known as RedLine by tricking website guests into manually operating PowerShell code in an effort to repair a difficulty with rendering the online web page.
Risk actors have additionally been noticed leveraging contaminated PrestaShop e-commerce websites to deploy a bank card skimmer to siphon monetary info entered on checkout pages.
“Outdated software program is a main goal for attackers who exploit vulnerabilities in outdated plugins and themes,” safety researcher Ben Martin said. “Weak admin passwords are a gateway for attackers.”
Customers are really helpful to maintain their plugins and themes up-to-date, deploy an internet software firewall (WAF), periodically evaluate administrator accounts, and monitor for unauthorized adjustments to web site information.