Cyber Defense Advisors

WordPress plugin and theme developers told they must use 2FA

Developers of plugins and themes for WordPress.org have been told they are required to enable two-factor authentication (2FA) from October 1st.

The move is intended to enhance security, helping prevent hackers from gaining access to accounts through which malicious code could be injected into code used by millions of websites running the self-hosted version of WordPress.

The threat posed by supply-chain attacks against third-party WordPress.org plugins and themes is considerable, as an estimated 40% of the world’s websites are using the open-source edition of the WordPress platform as their content management system.

One of the things that has made WordPress such a popular platform for websites is its configurability and customisability – through add-ons (known as plugins) and themes.

However, WordPress’s popularity amongst web developers has also made the platform a target for attackers. If a developer’s account is successfully compromised, a malicious update can be pushed out to countless websites – which could lead to malicious hackers planting backdoors to gain remote access to systems, taking over admin accounts, stealing information, spreading spam, or injecting malware or cryptominers into webpages.

The problem is compounded by the fact that the vast majority of website administrators are highly unlikely to screen WordPress’s third-party plugin and theme updates for malicious code, considering them to be from a trusted source. Indeed, many sites will have chosen to automatically roll out updates without any manual interaction at all.

“Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide,” WordPress.org said in a blog post announcing the introduction of mandatory 2FA for plugin and theme developers. “Securing these accounts is essential to preventing unauthorised access and maintaining the security and trust of the WordPress.org community.”

Recognising the threat, WordPress.org has been busily prompting plugin and theme authors to enable 2FA on their accounts. Options exist to either adopt 2FA via an authenticator app or via a hardware key.

Once enabled, 2FA means a hacker will need more than just a username and password to log into an account. They would need an additional “factor” (such as a key or a one-time code generated by an app on their smartphone) to gain access.

Multi-factor authentication does not make it impossible to break into accounts. But what it does do is make it much, much harder to compromise accounts, meaning a hacker will need to invest far more effort if they are going to have a chance of being successful.
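To make the "additional factor" concrete, here is an added example (not code from the article, nor from WordPress.org) showing how the one-time codes produced by an authenticator app are generated and checked on the server side. It implements HOTP (RFC 4226) and time-based TOTP (RFC 6238) with Python's standard library only, and then shows a login check in which a correct password alone is not enough. The `RFC_SECRET_B32` value is the published RFC test secret, `DEMO_USERS` is a constructed record, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

# Base32 encoding of the RFC 4226/6238 test secret "12345678901234567890".
# Used here only so the known test vectors can be reproduced; a real account
# would get a randomly generated secret shared once with the authenticator app.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a short decimal code."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step.
    This is what the app on the phone computes every 30 seconds."""
    return hotp(secret_b32, int(for_time // step), digits)


def verify_totp(secret_b32: str, submitted: str, now: float,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check. Accepts the code for the current step and for
    `window` steps either side to tolerate clock drift between phone and
    server. Comparison is constant-time so timing does not leak the code."""
    base = int(now // step)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, base + drift, len(submitted)), submitted):
            return True
    return False


# Constructed user record: salted password hash plus the enrolled TOTP secret.
_SALT = b"constructed-demo-salt"
DEMO_USERS = {
    "plugin-author": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": RFC_SECRET_B32,
    }
}


def authenticate(username: str, password: str, code: str, now: float) -> bool:
    """Both factors must pass: a stolen or guessed password on its own
    (empty or wrong code) is rejected."""
    user = DEMO_USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    import time
    print("current code for the demo secret:", totp(RFC_SECRET_B32, time.time()))
    print("password only:", authenticate("plugin-author", "correct horse", "", time.time()))
    print("password + code:", authenticate(
        "plugin-author", "correct horse", totp(RFC_SECRET_B32, time.time()), time.time()))
```

Two practical points the code makes visible: the server stores the shared secret, so it must be protected like a password hash, and the acceptance window is deliberately small (one step either side), which limits how long any single intercepted code stays usable.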

Passwords alone don’t do enough to protect anyone’s online accounts. Add another layer of protection to all of your online accounts that allow it, by enabling two-factor authentication.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.