New Security Measures Unveiled by WordPress.org for Plugin and Theme Authors
WordPress.org, the leading platform for website creation and management, is taking a significant step towards enhancing the security of its accounts. Starting from October 1st, 2024, new security measures will be implemented for plugin and theme authors, ensuring a safer environment for developers and users alike. This move was announced by Dion Hulse, a developer sponsored by Automattic.
One of the key changes being introduced is the mandatory use of two-factor authentication (2FA) for all plugin and theme authors. Two-factor authentication adds an extra layer of security by requiring users to provide two forms of identification before accessing their accounts. Authors can configure 2FA from their WordPress.org profiles, and the platform has already started prompting authors to enable it. Hulse stressed the importance of storing backup codes securely: an author who loses both their 2FA method and their backup codes loses the ability to regain access to the account.
In addition to 2FA, WordPress.org is also implementing SVN passwords for commit access to plugins and themes. This new feature separates commit access from the main WordPress.org account credentials, providing an additional layer of protection. Authors can generate SVN passwords through their profiles, so their main account passwords are never used for commits. It is worth noting that authors who use deployment scripts, such as GitHub Actions, will need to replace the stored account password with the new SVN password.
Some may wonder why the Plugin Review Team is not utilizing 2FA with SVN. Hulse explains, “Due to technical limitations, 2FA cannot be applied to our existing code repositories, that’s why we’ve chosen to secure WordPress.org code through a combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features (such as Release Confirmations).” This multi-tiered approach ensures that the code repositories remain secure and protected.
The response from the WordPress community has been overwhelmingly positive. Many developers believe that these security updates were long overdue. Toma Todua, a developer, even jokingly remarked, “At least we were earlier than someone stepping on Mars.” These changes come in the wake of the WordPress Plugin Team’s recent efforts to enhance platform security. In June, plugin releases were temporarily halted, and all plugin authors were required to reset their passwords after five WordPress.org user accounts were compromised.
For more in-depth information, authors can refer to the guides on Configuring Two-Factor Authentication and Subversion Access. Additionally, Chris Christoff has written a comprehensive post titled “Keeping Your Plugin Committer Accounts Secure” that covers various security measures and best practices.
With these new security measures in place, WordPress.org is reinforcing its commitment to providing a secure environment for its users. By making two-factor authentication mandatory and implementing SVN passwords, the platform is taking proactive steps to safeguard the accounts of plugin and theme authors. As the WordPress community embraces these changes, the future looks brighter for the security of the platform and its millions of users.