Starting October 1st, 2024, WordPress.org will roll out new security measures aimed at enhancing the safety of accounts with commit access to plugins and themes. This was announced by the Automattic-sponsored developer Dion Hulse.
Mandatory Two-Factor Authentication
Beginning next month, WordPress.org will make two-factor authentication (2FA) mandatory for all plugin and theme authors. Authors can configure 2FA by visiting their WordPress.org profiles, and the platform has already started prompting them to do so.
Dion Hulse emphasized the importance of securely storing backup codes, as losing access to both 2FA methods and backup codes could complicate account recovery.
SVN Passwords for Commit Access
WordPress.org will also introduce SVN passwords for committing changes to plugins and themes. This feature separates commit access from the main WordPress.org account credentials, offering an extra layer of security. Authors can generate SVN passwords through their profiles, ensuring that their main account passwords are protected. Those using deployment scripts, like GitHub Actions, will need to update their stored passwords with these new SVN credentials.
For those wondering why the Plugin Review Team is not using 2FA with SVN, Dion explained, “Due to technical limitations, 2FA cannot be applied to our existing code repositories, that’s why we’ve chosen to secure WordPress.org code through a combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features (such as Release Confirmations).”
For more information, authors can refer to the guides on Configuring Two-Factor Authentication and Subversion Access and Chris Christoff’s post on Keeping Your Plugin Committer Accounts Secure
Community Reaction
The community has reacted positively to these changes, with some expressing that these updates were long overdue. “At least we were earlier than someone stepping on Mars, ” joked developer Toma Todua.
Recently, the WordPress Plugin Team has ramped up efforts to enhance platform security. In June, they temporarily halted plugin releases and forced all plugin authors to reset their passwords after five WordPress.org user accounts were compromised.
