WordPress To Mandate 2FA for Theme And Plugin Developers

12 September 2024

Beginning on October 1st, 2024, WordPress will mandate two-factor authentication (2FA) for plugin and theme creators as a new security measure.

Themes and plugins used by millions of WordPress websites worldwide can be updated and changed by the accounts that hold commit access.

To prevent unauthorized access and preserve the security and trust of the WordPress community, these accounts must be kept secure.

Two-factor authentication serves as an additional layer of defense to prevent unauthorized third parties from accessing your accounts.


Configuring Two-Factor Authentication

Set Up A Security Key

Security keys add an extra layer of protection when logging in to your WordPress.org account, using cryptography on a hardware key or biometrics to prove your identity.

Set Up A Time-Based One-Time Password (TOTP)

Time-Based One-Time Passwords (TOTPs) are temporary codes created by an authentication app on your mobile device. These codes are used to confirm your identity when logging in. They change every 30 seconds.

Generate Backup Codes

Backup codes are one-time use codes that you can use if you lose access to your configured authenticator app or security key.

“If you have access to any of our internal tools, are a committer, plugin author, theme author, manage WordCamp websites, or have any other trusted role you should have two-factor authentication enabled”, reads the notification.

Some access/capabilities assigned to your account may be limited if you do not have two-factor authentication enabled.

It is also mentioned that, due to technical constraints, 2FA cannot be applied to existing code repositories.

Consequently, WordPress.org combines high-entropy SVN passwords, deploy-time security features (such as Release Confirmations), and account-level two-factor authentication.

Introducing SVN Passwords

In addition to required 2FA, WordPress.org announced the introduction of SVN passwords, which replace your user account password with an SVN-specific password when committing changes.

This password works similarly to a user account password or application password. It shields your primary password from attackers and makes it simple to revoke SVN access without requiring you to change your WordPress.org credentials.

WordPress.org therefore recommends that everyone set up two-factor authentication. Along with its other advantages, this extra layer of security will help prevent security breaches.


The post WordPress To Mandate 2FA for Theme And Plugin Developers appeared first on Cyber Security News.