
WordPress.org to require two-factor authentication for plugin developers 

The requirement begins Oct. 1 and would apply to plugin and theme authors.

Developers rejoice: WordPress.org will be beefing up default security practices by requiring accounts to enable two-factor authentication if they have direct access to the codebases that power plugins and themes.

The move, which will take effect Oct. 1, is aimed at preventing hijacked developer accounts from spreading malicious code to the likely hundreds of millions of sites using the free blogging software, the organization announced.

WordPress.org — which is the open source, self-hosted version of the blogging platform — is also introducing specific passwords for Apache Subversion, a popular, open-source version control system. The Subversion-specific passwords separate commit access from main account credentials, giving developers an additional layer of protection. 

WordPress.org noted the current code base doesn’t allow for two-factor authentication on existing code repositories.

Making two-factor authentication a default option has been a major talking point for the Biden administration. The Cybersecurity and Infrastructure Security Agency went so far as to embark on a public campaign dubbed “More Than a Password” to tout 2FA as a basic cyber hygiene step that could dramatically reduce security incidents. 

Supply chain hacks through abandoned WordPress themes or hacked plugin accounts are a common tactic among cybercriminals.

Users can configure 2FA on existing accounts here.
