WordPress.org Introduces New Security Measures for Plugin and Theme Authors – WP Tavern
Beginning October 1st, 2024, WordPress.org will roll out new security measures aimed at enhancing the protection of accounts with commit access to plugins and themes. This was announced by Automattic-sponsored developer Dion Hulse.
Mandatory Two-Factor Authentication
Starting next month, WordPress.org will make two-factor authentication (2FA) mandatory for all plugin and theme authors. Authors can configure 2FA by visiting their WordPress.org profiles, and the platform has already begun prompting them to do so.
Dion Hulse emphasized the importance of securely storing backup codes, as losing access to both 2FA methods and backup codes could complicate account recovery.
SVN Passwords for Commit Access
WordPress.org will also introduce SVN passwords for committing changes to plugins and themes. This feature separates commit access from the main WordPress.org account credentials, offering an additional layer of security. Authors can generate SVN passwords through their profiles, ensuring that their main account passwords are protected. Those using deployment scripts, like GitHub Actions, will need to update their stored passwords with these new SVN credentials.
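One way a deployment script can be adapted to the new credentials, as an added example that is not from WP Tavern or WordPress.org: the SVN username and SVN-specific password are read from environment variables (hypothetical names SVN_USERNAME and SVN_PASSWORD, which a CI system such as GitHub Actions would populate from its secrets store), the script refuses to run if either is missing rather than falling back to the account password, and svn is told not to cache the password on the runner. The `--password-from-stdin` option assumes Subversion 1.10 or later; the working-copy path and commit message are supplied by the caller.

```shell
#!/bin/sh
# Added example (not WordPress.org's or WP Tavern's code): commit a plugin or
# theme working copy using the new SVN-specific credentials.
# Assumes SVN_USERNAME and SVN_PASSWORD (hypothetical names) are exported by
# the CI job from its secrets store.

# Returns 0 only when both deploy credentials are set and non-empty.
# The deploy must never quietly fall back to the main WordPress.org password.
check_svn_credentials() {
    [ -n "${SVN_USERNAME:-}" ] && [ -n "${SVN_PASSWORD:-}" ]
}

# Commit the working copy at $1 with message $2.
# --non-interactive: fail instead of prompting if the SVN password was rotated.
# --no-auth-cache:   keep the password out of ~/.subversion on the runner.
# --password-from-stdin (Subversion >= 1.10): keeps the password off the
#   command line, so it does not show up in the process list or shell history.
svn_deploy_commit() {
    workdir="$1"
    message="$2"
    if ! check_svn_credentials; then
        echo "SVN_USERNAME and SVN_PASSWORD must be set (use the SVN password, not the account password)" >&2
        return 1
    fi
    ( cd "$workdir" && printf '%s' "$SVN_PASSWORD" | svn commit \
        --non-interactive --no-auth-cache \
        --username "$SVN_USERNAME" --password-from-stdin \
        -m "$message" )
}

# Usage from a CI step, with the checkout already done:
#   svn_deploy_commit ./svn-checkout "Release 1.2.3"
```

In a GitHub Actions workflow the two variables would be set from `secrets.*` in the step's `env:` block; after the change described above, the value stored in that secret should be the generated SVN password rather than the WordPress.org account password.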
For those wondering why the Plugin Review Team is not using 2FA with SVN, Dion explained, “Due to technical limitations, 2FA cannot be applied to our existing code repositories, which is why we’ve chosen to secure WordPress.org code through a combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features (such as Release Confirmations).”
For more information, authors can refer to the guides on Configuring Two-Factor Authentication and Subversion Access, and Chris Christoff’s post on Keeping Your Plugin Committer Accounts Secure.
Community Response
The community has reacted positively to these changes, with some expressing that these updates were long overdue. “At least we were faster than someone stepping on Mars,” joked developer Toma Todua.
Recently, the WordPress Plugin Team has ramped up efforts to enhance platform security. In June, they temporarily halted plugin releases and forced all plugin authors to reset their passwords after five WordPress.org user accounts were compromised.