In a move to enhance security measures for millions of websites and developers worldwide, WordPress has announced that starting October 2024, plugin and theme authors will be required to enable two-factor authentication (2FA) and use SVN-specific passwords for commit access.
With WordPress currently powering over 478 million websites globally, the platform recognizes the importance of safeguarding its user base and developer community against potential cyber threats. Plugins and themes within the WordPress ecosystem serve as essential components for website functionality and enhancements, but they have also become targets for malicious activities over the years. From zero-day vulnerabilities to malware infiltrations, numerous websites have fallen victim to security breaches linked to plugins.
To address these ongoing security challenges, WordPress is introducing new login security protocols that will impact site owners, authors, and administrators with commit access privileges. The key requirement will be the activation of two-factor authentication (2FA) on their accounts, adding an extra layer of protection by requiring users to provide a second form of verification, such as a smartphone app code, in addition to their password.
In addition to 2FA, WordPress.org will also introduce SVN (Subversion) passwords as a new security feature. This measure aims to separate an author’s commit access from their primary WordPress.org account credentials, enhancing security by enabling authors to revoke commit access independently without compromising their main account.
The decision to enforce these new security measures stems from the platform’s commitment to fortifying its defenses against potential breaches. By segregating code access from general account credentials, WordPress intends to mitigate the impact of a single compromised login and limit the extent of damage in case of unauthorized access.
While WordPress considered integrating 2FA with the code repository system, technical constraints within the existing code management infrastructure led the platform to opt for SVN passwords as a standalone security feature. This strategic approach underscores WordPress’s dedication to prioritizing security enhancements while ensuring the smooth functioning of its ecosystem.
The enforcement of these new security requirements marks a significant step forward in protecting hundreds of millions of websites from various threats, including scams, security breaches, defacement, and other security vulnerabilities. WordPress users can now rest assured that their online platforms are better shielded against potential risks, thanks to these proactive security measures.

