Starting October 2024, WordPress requires plugin and theme authors to enable two-factor authentication (2FA) and use SVN-specific passwords for commit access, boosting security for millions of websites and developers worldwide.
WordPress, the content management system (CMS) platform powering more than 478 million websites worldwide, is taking steps to improve the security of its user base and developer community. To prevent unauthorized access and modifications to plugins and themes, the platform will be implementing new login security protocols starting in October 2024.
WordPress plugins play a vital role in keeping websites up to date with new features. However, over the years, they have also become a major cybersecurity threat. From zero-day vulnerabilities to malware in plugins, millions of websites have been compromised in recent years. It was about time the company introduced new security authentication options.
2FA Coming to WordPress
The change focuses on WordPress site owners, authors and administrators who have commit access, allowing them to make alterations to widely used website components. These individuals will now be required to activate two-factor authentication (2FA) on their accounts. 2FA adds an extra layer of protection, requiring users to provide a second form of verification, such as a code from a smartphone app, in addition to their password.
SVN password
But WordPress.org isn't stopping there. It is also introducing a new security feature: SVN (Subversion) passwords. An SVN password is a separate credential used only for commits, which keeps the author's commit access apart from their primary WordPress.org account credentials. This adds a layer of security and lets authors revoke commit access without affecting their main account.
The reasoning behind this decision is to provide a strong defence against potential breaches. By separating code access from general account credentials, WordPress effectively limits the damage possible from a single compromised login.
According to the company’s announcement on Wednesday, the platform considered integrating 2FA with the code repository system but opted against it due to technical limitations in its current code management infrastructure.
These new requirements are good news for WordPress users and play a big role in securing hundreds of millions of websites from scams, security breaches, defacement, and other security issues.