
WordPress Takes a Stand Against Plugin Attacks

WordPress announced over the weekend that they were pausing plugin updates and initiating a force reset on plugin author passwords to prevent additional website compromises due to the ongoing Supply Chain Attack on WordPress plugins.

Supply Chain Attack

Attackers have been going after plugins directly at the source, using password credentials exposed in earlier data breaches (unrelated to WordPress itself). They are looking for plugin authors who reuse the same password across multiple websites, so that a password leaked from one site also unlocks the author's plugin account.

WordPress Takes Action To Block Attacks

Some plugins have been compromised, prompting the WordPress community to rally and clamp down on further plugin compromises by instituting forced password resets and encouraging plugin authors to use two-factor authentication.

WordPress also temporarily blocked all new plugin updates at the source unless they received team approval, ensuring that no plugin was updated with a malicious backdoor. By Monday, WordPress had updated their statement to confirm that plugin releases were no longer paused.

The WordPress announcement on the forced password reset:

“We have begun to force reset passwords for all plugin authors, as well as other users whose information was found by security researchers in data breaches. This will affect some users’ ability to interact with WordPress.org or perform commits until their password is reset.

You will receive an email from the Plugin Directory when it is time for you to reset your password. There is no need to take action before you’re notified.”

A discussion in the comments section between a WordPress community member and the author of the announcement revealed that WordPress did not directly contact plugin authors identified as using “recycled” passwords. There was evidence that the list of users found in the data breaches included accounts whose credentials were in fact safe (false positives). Additionally, WordPress discovered that some accounts assumed to be safe were indeed compromised (false negatives). This led to the current action of forcing password resets.
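The false-positive and false-negative problem described above follows from how a breach list is matched against a site's own accounts. The example below is added here and is not WordPress.org code; all accounts, breach records and leaked passwords are constructed for the demo. It stores site passwords the way a site should (salted PBKDF2), then shows that "email appears in a breach dump" is neither sufficient nor necessary for "this account's current password is compromised", and why a blanket reset of the affected role, plus individual notification of confirmed cases, is the defensible outcome.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # kept modest so the demo runs quickly; production would use more


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_site_accounts(plaintexts):
    """Build site-side records: email -> (salt, pbkdf2 hash). Plaintext is discarded."""
    out = {}
    for email, pw in plaintexts.items():
        salt = os.urandom(16)
        out[email] = (salt, _pbkdf2(pw, salt))
    return out


def verify(accounts, email, candidate):
    """Constant-time check of a candidate password against the stored hash."""
    salt, stored = accounts[email]
    return hmac.compare_digest(_pbkdf2(candidate, salt), stored)


# --- Constructed sample data (not real users, sites or breaches) ---
# Plaintexts exist only so the demo can build the hashes and explain each case.
_SITE_PLAINTEXT = {
    "alice@example.org": "Tr0ub4dor&3",      # reused from a breach -> true positive
    "bob@example.org":   "correct-horse-9",  # listed in a breach, different password -> false positive
    "carol@example.org": "Summer2023!",      # not listed, but password is widely leaked -> false negative
    "dave@example.org":  "x9#vQ2pL!mzR7",    # unique password, not listed
}
SITE_ACCOUNTS = make_site_accounts(_SITE_PLAINTEXT)

# Third-party breach dump (constructed): email -> password leaked on some other site.
BREACH_RECORDS = {
    "alice@example.org": "Tr0ub4dor&3",
    "bob@example.org":   "bobs-old-forum-pw",
    "erin@example.org":  "not-a-site-user",
}
# Leaked-password corpus (constructed): passwords seen in any breach, no email attached.
LEAKED_PASSWORDS = {"Tr0ub4dor&3", "Summer2023!", "password123"}


def triage_by_breach_list(accounts, breach_records):
    """Classify each site account using only the email-to-breach match."""
    result = {}
    for email in accounts:
        if email not in breach_records:
            result[email] = "unlisted"
        elif verify(accounts, email, breach_records[email]):
            result[email] = "confirmed_reuse"     # leaked password is the live one
        else:
            result[email] = "listed_not_reused"   # listed, but the site password differs
    return result


def find_unlisted_reuse(accounts, triage, leaked_passwords):
    """Among 'unlisted' accounts, find those whose live password is a known-leaked one.

    These are the false negatives of breach-list triage: nothing tied the email to
    a dump, yet the password is one attackers already hold.
    """
    return {
        email
        for email, status in triage.items()
        if status == "unlisted"
        and any(verify(accounts, email, pw) for pw in leaked_passwords)
    }


def reset_plan(triage, unlisted_reuse):
    """Return (individually_notified, forced_reset).

    Only accounts with a verified match get an individual 'you were compromised'
    notice; because triage has both error types, every account in the role is
    force-reset regardless of its triage label.
    """
    notified = {e for e, s in triage.items() if s == "confirmed_reuse"} | unlisted_reuse
    forced = set(triage)
    return notified, forced


if __name__ == "__main__":
    triage = triage_by_breach_list(SITE_ACCOUNTS, BREACH_RECORDS)
    missed = find_unlisted_reuse(SITE_ACCOUNTS, triage, LEAKED_PASSWORDS)
    notified, forced = reset_plan(triage, missed)
    for email, status in sorted(triage.items()):
        print(f"{email:20} {status}")
    print("false negatives caught by corpus check:", sorted(missed))
    print("individually notified:", sorted(notified))
    print("forced reset:", sorted(forced))
```

The corpus check in `find_unlisted_reuse` is deliberately expensive (one PBKDF2 verification per leaked password per account), which is the point: with proper salted hashing a site cannot cheaply enumerate which of its users hold a leaked password, so the uncertainty the announcement describes is structural, not a failure of diligence.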

Francisco Torres of WordPress answered:

“You’re right that specifically reaching out to those individuals mentioning that their data has been found in data breaches will make them even more sensitive, but unfortunately, as I’ve already mentioned, that might be inaccurate for some users and there will be others that are missing. What we’ve done since the beginning of this issue is to individually notify those users that we’re certain have been compromised.”

Read the official WordPress announcement:

Password Reset Required for Plugin Authors

Featured Image by Shutterstock/Aleutie
