WordPress has announced major measures to protect its theme and plugin ecosystem from password-based account compromise. These steps follow a spate of attacks in June that compromised several plugins at their source.
Improving Plugin Developer Security
This security update addresses a weakness that allowed attackers to reuse passwords leaked in other breaches to log in to developer accounts with "commit access," permitting them to alter the plugin code at its source. This measure closes a security gap that allowed multiple plugins to be compromised starting in late June of this year.
Double Layer of Developer Security
WordPress is introducing two levels of security: one for individual developer accounts and another for code commit access. This separates the author security credentials from the code committing environment.
1. Two-Factor Authentication
The first security enhancement is mandatory two-factor authentication (2FA) for all plugin and theme authors, effective from October 1, 2024. WordPress already encourages users to adopt 2FA, and users can configure it on their WordPress.org profiles.
2. SVN Passwords
The other announcement is the introduction of SVN (Subversion) passwords: a separate credential used only to authenticate developers to the version control system. Because commit access is tied to this dedicated password rather than the main account password, a leaked account password alone no longer grants the ability to change plugin or theme code.
The WordPress announcement states:
“We’ve introduced an SVN password feature to separate your commit access from your main WordPress.org account credentials. This password functions like an application or additional user account password. It protects your main password from exposure and allows you to easily revoke SVN access without having to change your WordPress.org credentials. Generate your SVN password in your WordPress.org profile.”
WordPress noted that technical constraints prevented it from applying 2FA to the existing code repositories themselves, which is why commit access is protected by a separate SVN password instead.
Takeaway: Vastly Improved WordPress Security
These updates should significantly strengthen the security of the WordPress ecosystem by making it much harder for a stolen password alone to compromise a plugin or theme at its source.
Read the announcement: Upcoming Security Changes for Plugin and Theme Authors on WordPress.org
Featured Image by Shutterstock/Cast Of Thousands