WordPress: 2FA becomes mandatory for plug-in and theme developers

To make it more difficult for attackers to access WordPress code repositories, the login process has been tightened.


Plug-in and theme developers for WordPress websites have, among other permissions, the ability to distribute updates to millions of websites. If an attacker gains access to such an account, the consequences can be far-reaching: in the worst case, an update infected with malicious code can contaminate countless websites.

To prevent such attacks, those responsible for WordPress are now toughening up the login procedure. From October 1, 2024, plug-in and theme developers must activate two-factor authentication (2FA) in their account. Activation is mandatory.

If 2FA is active, developers will need, in addition to their password, a one-time code generated for example by an authenticator app in order to log in. An attacker who only knows the password can therefore not log in. The WordPress team explains in an article how developers can activate 2FA.

They also announce that developers will receive a separate Subversion (SVN) password for commit access, in addition to the password of their main WordPress account. This separation of passwords is intended to provide additional security: after a security incident, for example, plug-in and theme developers can revoke their SVN password without having to change their main account. SVN passwords can be generated in the WordPress profile.

For technical reasons, however, 2FA is not compatible with SVN passwords, so in this setup 2FA can only provide additional protection for the main account. In a post, those responsible for WordPress explain further practices for protecting developer accounts from attacks.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.