WordPress Declares War on Hackers: 2FA and SVN Passwords Will Become Mandatory

Skeptics are already warning about the possible consequences of the innovation.

Starting October 1, 2024, WordPress introduces a new mandatory requirement for accounts with access to plugin and theme updates — enabling two-factor authentication (2FA). The move is aimed at strengthening security and preventing unauthorized access.

According to WordPress representatives, such accounts have the ability to make changes to plugins and themes that are used by millions of sites around the world, so protecting them is a priority to maintain the safety and trust of the community.

In addition to mandatory 2FA, WordPress.org introduced a new feature — SVN passwords. These are separate passwords for code changes, which allow you to separate access to repositories from the main user credentials. In fact, this is an additional layer of security that reduces the risk of leaking the master password and makes it easy to revoke access to SVN without changing credentials.

Technical limitations do not allow the implementation of 2FA for existing code repositories, so it was decided to use a combination of account-level two-factor authentication, SVN passwords with high strength, and other security measures, including release confirmation.
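To make the credential separation described above concrete, here is an added example (not WordPress.org's code; the class and function names are hypothetical) that models a developer account with a password plus a time-based one-time code for interactive login and a separately issued, separately revocable SVN password for repository access. The one-time code is a standard RFC 6238 TOTP over HMAC-SHA1, so it can be checked against the RFC's published test vector; the key property demonstrated is that the main password is never accepted on the SVN path and that revoking the SVN password leaves the web login untouched.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time

ITERATIONS = 100_000  # PBKDF2 work factor; assumption for this example


def _hash_password(password: str, salt: bytes = None):
    """Return (salt, pbkdf2-sha256 hash) for a password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def _verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = _hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


class DeveloperAccount:
    """Hypothetical account holding two independent credentials."""

    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        self._pw_salt, self._pw_hash = _hash_password(password)
        self._totp_secret = totp_secret
        self._svn = None  # (salt, hash) once issued; None when revoked

    def issue_svn_password(self) -> str:
        """Generate a high-entropy SVN password; only its hash is stored."""
        svn_password = secrets.token_urlsafe(24)
        self._svn = _hash_password(svn_password)
        return svn_password

    def revoke_svn_password(self) -> None:
        """Cut repository access without touching the main credentials."""
        self._svn = None

    def web_login(self, password: str, code: str, now: float = None) -> bool:
        """Interactive login: main password AND a valid one-time code."""
        if not _verify_password(password, self._pw_salt, self._pw_hash):
            return False
        return hmac.compare_digest(totp(self._totp_secret, now), code)

    def svn_auth(self, password: str) -> bool:
        """Repository access: only the SVN password is ever accepted here."""
        if self._svn is None:
            return False
        return _verify_password(password, *self._svn)


def demo() -> dict:
    """Walk through issue, use and revoke; returns the observed outcomes."""
    # Constructed secret: the RFC 6238 test key, so the code at t=59 is 287082.
    acct = DeveloperAccount("dev", "correct horse", b"12345678901234567890")
    svn_pw = acct.issue_svn_password()
    results = {
        "web_ok": acct.web_login("correct horse", "287082", now=59),
        "web_bad_code": acct.web_login("correct horse", "000000", now=59),
        "svn_ok": acct.svn_auth(svn_pw),
        "svn_rejects_main_password": acct.svn_auth("correct horse"),
    }
    acct.revoke_svn_password()
    results["svn_after_revoke"] = acct.svn_auth(svn_pw)
    results["web_after_revoke"] = acct.web_login("correct horse", "287082", now=59)
    return results
```

The point of keeping the two credentials in separate fields with separate hashes is visible in `demo()`: leaking or rotating the SVN password never changes the interactive login, and the non-interactive SVN path never learns the main password, which is why a per-purpose secret is cheap to revoke.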

These measures are aimed at preventing attacks in which attackers can gain access to a developer account and inject malicious code into plugins and themes, which can lead to large-scale supply chain attacks.

The main risk that may arise with the introduction of mandatory two-factor authentication is the possible inconvenience for developers. Some users may find it difficult to set up 2FA, which can slow them down or cause them to temporarily lose access to their accounts. In addition, the implementation of the new SVN password system requires adaptation, which may raise additional questions for developers who are accustomed to standard authentication methods.

However, in the long run, these measures should significantly improve the overall security of the WordPress ecosystem. In fact, the negative consequences can only be associated with temporary inconveniences, while the benefits of increased account protection and prevention of attacks on the supply chains of plugins and themes are obvious.

The announcement comes amid recent warnings from Sucuri about an ongoing ClearFake malware campaign targeting WordPress sites. The attackers are spreading the RedLine malware, forcing users to manually launch PowerShell to "fix issues" with page rendering. In addition, cybercriminals use infected PrestaShop sites to steal credit card details on payment pages.

As noted by Sucuri researcher Ben Martin, outdated software and weak administrator passwords are frequent targets for attacks. To reduce risks, it is recommended to regularly update plugins and themes, use a web application firewall (WAF), audit administrator accounts, and track changes to site files.
