WordPress has announced major security changes for its vast ecosystem of plugins and themes, which will be effective starting October 1, 2024.
These changes are in response to a series of attacks that targeted vulnerabilities in plugin developer accounts, potentially affecting millions of sites.
The new security measures are intended to strengthen protection at the source, ensuring that themes and plugins remain secure and reliable.
Every day, hackers took advantage of a flaw in WordPress's security system by using compromised passwords from previous breaches.
These attackers gained access to developer accounts with commit access, which enabled them to inject malicious code into plugins.
Once inside, they could compromise multiple WordPress sites by changing the code at the source level.
This demonstrates an obvious weakness in WordPress's security infrastructure, as developer accounts and plugin code access were not adequately protected.
To address this, WordPress is implementing a dual-layered security system that separates developer credentials from code access, preventing this type of attack from occurring again.
WordPress introduces two key security features to protect its plugins and themes:
Mandatory Two-factor authentication (2FA)
Beginning October 1, 2024, all plugin and theme developers must use two-factor authentication.
WordPress has already begun prompting users to enable 2FA as an extra layer of security for their accounts.
This plays a major part in preventing unauthorized access to developer accounts.
SVN Passwords
WordPress is also implementing Subversion (Subversion) passwords. These passwords provide a separate layer of security for developers with code commit access.
This means that even if an attacker gains access to a developer's main account, they will not have direct access to the plugin or theme code.
According to WordPress, SVN passwords work similarly to application-specific passwords, allowing developers to revoke access without changing their main WordPress.org credentials.
Developers can generate their SVN password from their WordPress.org profile.
Many people are relieved that these long-awaited changes are finally occurring. “Ouch, finally” one user commented, expressing frustration that this level of security was not implemented sooner.
However, some users remain doubtful, particularly given the system's limitations.
Due to technical limitations, 2FA cannot be applied directly to existing code repositories, so WordPress relies on SVN passwords instead.
These new security changes will also help to prevent ongoing malware campaigns such as the Balada Injector, which has been infecting WordPress sites since 2017.
According to security firm Sucuri, this campaign infected over one million websites by exploiting themes and plugin vulnerabilities.