WordPress.org to require two-factor authentication for plugin developers 

Summary: WordPress.org is enhancing its security measures by mandating two-factor authentication (2FA) for developers with direct access to codebases, effective October 1. This initiative aims to prevent malicious code dissemination from compromised developer accounts, protecting the vast number of sites using the platform.

Threat Actor: Cybercriminals
Victim: WordPress users

Key Points:

  • Two-factor authentication will be required for developers with direct access to WordPress codebases starting October 1.
  • Specific passwords for Apache Subversion will be introduced to enhance security by separating commit access from main account credentials.
  • The move is part of a broader push for improved cybersecurity practices, highlighted by the Biden administration’s campaign for 2FA adoption.
  • Supply chain attacks via compromised WordPress themes and plugins are a prevalent tactic among cybercriminals.

Developers rejoice: WordPress.org will be beefing up default security practices by requiring accounts to enable two-factor authentication if they have direct access to the codebases that power plugins and themes.

The move, which will take effect Oct. 1, is aimed at preventing hijacked developer accounts from spreading malicious code to the likely hundreds of millions of sites using the free blogging software, the organization announced.

WordPress.org — which is the open source, self-hosted version of the blogging platform — is also introducing specific passwords for Apache Subversion, a popular, open-source version control system. The Subversion-specific passwords separate commit access from main account credentials, giving developers an additional layer of protection. 

WordPress.org noted the current code base doesn’t allow for two-factor authentication on existing code repositories.

Making two-factor authentication a default option has been a major talking point for the Biden administration. The Cybersecurity and Infrastructure Security Agency went so far as to embark on a public campaign dubbed “More Than a Password” to tout 2FA as a basic cyber hygiene step that could dramatically reduce security incidents. 

Supply chain hacks through abandoned WordPress themes or hacked plugin accounts are a common tactic among cybercriminals.

Users can configure 2FA on existing accounts here.

Source: https://cyberscoop.com/wordpress-two-factor-authentication-supply-chain