WordPress has announced a new security measure for accounts, which will require mandatory activation of two-factor authentication (2FA) for accounts with the ability to update plugins and themes.
WordPress most likely took this step in response to recent security incidents that proved harmful to users, many of which exploited plugin vulnerabilities: the LiteSpeed Cache case is particularly emblematic.
The application of this measure is expected to start from October 1, 2024.
WordPress and its new 2FA countermeasure to protect accounts
“Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites around the world,” declared the maintainers of the open-source, self-hosted version of the content management system (CMS), who added: “Protecting these accounts is essential to prevent unauthorized access and maintain the security and trust of the WordPress.org community.”
An additional countermeasure to prevent account theft
In addition to making two-factor authentication mandatory, WordPress.org has announced the introduction of so-called SVN passwords, which are dedicated passwords for submitting changes.
This, they explained, is an attempt to introduce a new level of security by separating access to code commits from users’ WordPress.org account credentials.
“This password works like a password for an application or an additional user account,” the team explained. “It protects your master password from exposure and allows you to easily revoke SVN access without having to change your WordPress.org account credentials.”
WordPress.org also noted that technical limitations prevented 2FA from being applied to existing code repositories, which is why it is relying on a “combination of account-level two-factor authentication, high-entropy SVN passwords, and other security features at release (such as Release Confirmations).”
In summary, two distinct passwords will be introduced: one for traditional access and one specifically for submitting changes.
The Reasons Behind This Countermeasure by the Website and Blog Creation Platform
These measures are intended to prevent scenarios in which a cybercriminal (or a group of cybercriminals) takes control of a publisher’s account and injects malicious code into legitimate plugins and themes, causing large-scale supply chain attacks.
The announcement comes as Sucuri has warned of ongoing ClearFake campaigns, which target WordPress sites with the aim of distributing an infostealer called RedLine, tricking site visitors into manually running PowerShell code to fix a supposed web page display problem.
Some cybercriminals have also been observed exploiting infected PrestaShop-based e-commerce sites to distribute a credit card skimming system and steal financial information entered on checkout pages.
“Outdated software is a prime target for attackers who exploit vulnerabilities in old plugins and themes,” said security researcher Ben Martin. “Weak administrative passwords are a gateway for attackers.”
Users are advised to keep their plugins and themes up to date, implement a web application firewall (WAF), periodically review administrative accounts, and monitor for any unauthorized changes to site files. In many cases (especially professional ones), using two-factor authentication (2FA) should already be standard practice for almost everyone by now.
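As an added example (not from the article or from WordPress.org), here is a minimal version of the last recommendation above, monitoring for unauthorized changes to site files: a SHA-256 baseline of a WordPress tree is built and then diffed against a later scan. The directory layout and file contents are constructed for the demo and do not describe any real site.

```python
"""File-integrity baseline for a WordPress install: hash every file once,
then report what was added, removed or modified since the last scan."""
import hashlib
import os
import tempfile


def build_baseline(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                baseline[rel] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def diff_baseline(old, new):
    """Compare two baselines; every entry returned is a change to review."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: a plugin file is altered and an unexpected PHP
    file appears under uploads between two scans of a fake WordPress tree."""
    with tempfile.TemporaryDirectory() as root:
        tree = {  # constructed sample files, not a real install
            "wp-config.php": b"<?php define('DB_NAME', 'wp');\n",
            "wp-content/plugins/example-cache/example-cache.php": b"<?php // plugin\n",
            "wp-content/themes/twentytwentyfour/style.css": b"/* theme */\n",
        }
        for rel, data in tree.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        before = build_baseline(root)
        # Simulate an unreviewed edit to the plugin and a new file in uploads.
        plugin = os.path.join(root, "wp-content/plugins/example-cache/example-cache.php")
        with open(plugin, "ab") as fh:
            fh.write(b"// unexpected change\n")
        os.makedirs(os.path.join(root, "wp-content/uploads"), exist_ok=True)
        with open(os.path.join(root, "wp-content/uploads/x.php"), "wb") as fh:
            fh.write(b"<?php // should not be here\n")
        return diff_baseline(before, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored outside the web root and refreshed only after a deliberate update, so that anything reported is, by construction, a change nobody approved.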
WordPress and the Power of Open Source
One of the reasons the WordPress platform is able to solve problems of this type is precisely its open source nature: as soon as a problem occurs, it allows experts to address it practically in real time.
This is very important for the digital future of the platform. It highlights, first of all, how often the use of very strong credentials is an underestimated factor, but also that open source could become a much larger part of digital daily life in the near future than it already is.