WordPress announced a major clampdown to protect its theme and plugin ecosystem from password reuse and weak credential handling. These improvements follow a flurry of attacks in late June that compromised multiple plugins at their source repositories.
Improves Plugin Developer Security
This WordPress security update addresses the weakness behind those attacks rather than a bug in WordPress itself: developer accounts whose password had also been used on another site, and then leaked in that site's breach, could be taken over simply by replaying the leaked password (credential stuffing). Where such an account also had “commit access”, the attacker could change the plugin code right at the source. The change closes the gap that allowed attackers to compromise multiple plugins beginning in late June of this year.
Double Layer Of Developer Security
WordPress is introducing two layers of security: one on the developer's WordPress.org account itself, and a second on commit access to the plugin and theme repositories. The credentials used to log in to WordPress.org are thereby separated from the credentials used to commit code, so a leak of one no longer hands over the other.
1. Two-Factor Authentication
The first improvement is mandatory two-factor authentication (2FA) for all plugin and theme authors, enforced beginning October 1, 2024. WordPress.org is already prompting users to enable 2FA, and authors can configure it ahead of the deadline from their WordPress.org profile settings.
2. SVN Passwords
WordPress also announced dedicated SVN (Subversion) passwords for the plugin and theme repositories, which are managed with Subversion. The Subversion client authenticates with a static username and password and cannot complete an interactive second factor, so a commit cannot be protected by 2FA directly. Instead, each author gets a separate, generated SVN password that is used only for committing, so commit access no longer depends on the WordPress.org login password and can be revoked on its own.
The WordPress announcement explains:
“We’ve introduced an SVN password feature to separate your commit access from your main WordPress.org account credentials. This password functions like an application or additional user account password. It protects your main password from exposure and allows you to easily revoke SVN access without having to change your WordPress.org credentials. Generate your SVN password in your WordPress.org profile.”
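The SVN password only protects the main account if it is itself handled like a secret. The Subversion command-line client caches credentials under ~/.subversion/auth/svn.simple/, and on a machine without a keyring it stores the password in plaintext, which is exactly the kind of file a credential-stealing attacker collects. The script below is an added example, not WordPress.org or Subversion code: it parses the cache in Subversion's real record format ("K <len>" / "V <len>" pairs), lists entries whose password is stored as plaintext (passtype "simple") for a given realm, and can purge them. The sample cache directory, realm strings, usernames and password are constructed here for the demo.

```shell
#!/bin/sh
# Audit a Subversion client's credential cache for plaintext-stored passwords.
# Added example; not code from WordPress.org or the Subversion project.
# Real on-disk layout: ~/.subversion/auth/svn.simple/<hash>, each file a
# hash dump of "K <len>\n<key>\nV <len>\n<value>\n" records ending in END.
# The sample entries below (realms, usernames, password) are constructed.

# Print "key<TAB>value" pairs from one svn.simple record file.
svn_auth_kv() {
  awk '
    /^K [0-9]+$/ { getline key; next }
    /^V [0-9]+$/ { getline val; printf "%s\t%s\n", key, val; next }
  ' "$1"
}

# Look up a single key in a record file (first match only).
svn_auth_get() {
  svn_auth_kv "$1" | awk -F'\t' -v k="$2" '$1 == k { print $2; exit }'
}

# List cache files whose realm contains $2 and whose password is cached in
# plaintext (passtype "simple"). Keyring-backed entries (gnome-keyring,
# kwallet, keychain, wincrypt) hold no password in the file and are skipped.
# Output: one "file<TAB>username<TAB>realm" line per hit.
list_plaintext_creds() {
  for f in "$1"/svn.simple/*; do
    [ -f "$f" ] || continue
    realm=$(svn_auth_get "$f" svn:realmstring)
    case "$realm" in *"$2"*) ;; *) continue ;; esac
    if [ "$(svn_auth_get "$f" passtype)" = "simple" ]; then
      printf '%s\t%s\t%s\n' "$f" "$(svn_auth_get "$f" username)" "$realm"
    fi
  done
}

# Number of plaintext hits, for use in scripts and CI checks.
count_plaintext_creds() {
  list_plaintext_creds "$1" "$2" | wc -l | tr -d ' '
}

# Delete the plaintext entries. The client simply re-prompts on the next
# commit; with "store-plaintext-passwords = no" under [global] in
# ~/.subversion/servers they will not be written back in plaintext.
purge_plaintext_creds() {
  list_plaintext_creds "$1" "$2" | cut -f1 | while IFS= read -r f; do
    rm -f "$f"
  done
}

# --- constructed sample cache (stands in for ~/.subversion/auth) ---
SAMPLE_AUTH=$(mktemp -d)
mkdir -p "$SAMPLE_AUTH/svn.simple"

# Plaintext-cached SVN password for a WordPress.org-style realm (constructed).
cat > "$SAMPLE_AUTH/svn.simple/a1b2" <<'EOF'
K 8
passtype
V 6
simple
K 8
password
V 16
wp-svn-pass-demo
K 15
svn:realmstring
V 44
<https://plugins.svn.wordpress.org:443> demo
K 8
username
V 9
wpauthor1
END
EOF

# Keyring-backed entry for an unrelated realm: no password in the file.
cat > "$SAMPLE_AUTH/svn.simple/c3d4" <<'EOF'
K 8
passtype
V 13
gnome-keyring
K 15
svn:realmstring
V 34
<https://svn.example.org:443> demo
K 8
username
V 5
alice
END
EOF

# Report what an attacker with access to this cache would get.
list_plaintext_creds "$SAMPLE_AUTH" wordpress.org
```

Run it against the real cache with `list_plaintext_creds "$HOME/.subversion/auth" wordpress.org`. For day-to-day use, commit with `svn --no-auth-cache` or set `store-plaintext-passwords = no` in ~/.subversion/servers so the generated SVN password is only ever held by a keyring; if a plaintext copy is found, purge it and revoke the SVN password from the WordPress.org profile, which does not require changing the main account password.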