
WordPress to Enforce 2FA and Separate Credentials for Website Admin and Plugin Management

Silviu STAHIE

September 11, 2024


WordPress has announced that two-factor authentication (2FA) for plugin and theme authors will be enforced starting Oct. 1.

WordPress holds a large share of the market, powering countless websites, which makes it a prime target for hackers. A primary weapon of the attackers is social engineering: persuading people to give up their credentials willingly. They also rely on the tried-and-true method of using credentials already leaked in other data breaches, because they know people tend to reuse passwords.

2FA for the win

That’s why additional layers of security such as two-factor authentication (2FA) are a great addition for any online service. What’s interesting is that WordPress went a step further and separated the credentials needed for logging into the service from the credentials needed to push updates to plugins and themes.

“As part of this ongoing effort, we are introducing a new security requirement: mandatory two-factor authentication (2FA) for plugin and theme authors, starting on October 1st, 2024,” said the company. “In addition to mandatory 2FA, we’re introducing SVN passwords, replacing your user account password with an SVN-specific password for committing changes.”

“We’ve introduced an SVN password feature to separate your commit access from your main WordPress.org account credentials. This password functions like an application or additional user account password. It protects your main password from exposure and allows you to easily revoke SVN access without having to change your WordPress.org credentials,” the company added.

WordPress plugins are often under attack

Plugins, in particular, are often targeted by hackers, who find vulnerabilities and exploit them to gain access. Man-in-the-middle attacks are also a real possibility, so any security measure that makes the attackers’ job more difficult is welcome.

WordPress admins don’t have to wait until Oct. 1; they can start now to configure 2FA and to generate their high-entropy SVN passwords.

Author


Silviu STAHIE

Silviu is a seasoned writer who followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.
