September 11, 2024 at 01:37PM
Starting October 1st, WordPress.org requires two-factor authentication for accounts that can push updates to plugins and themes. This decision aims to reduce the risk of unauthorized access and supply-chain attacks. The 2FA security feature needs to be activated, and SVN-specific passwords have been added for making code changes. Technical limitations prevent 2FA from applying to existing code repositories.
Key Points from the Meeting Notes:
1. Starting October 1st, WordPress.org accounts with commit access for plugins and themes will be required to activate two-factor authentication (2FA) to reduce the risk of unauthorized access and supply-chain attacks.
2. The decision aims to secure accounts to prevent unauthorized access and maintain the security and trust of the WordPress.org community.
3. Malicious actors compromising publisher accounts could alter code in themes or plugins, creating vulnerabilities or backdoors that grant privileged access to websites.
4. Account administrators can enable 2FA from the security menu of their accounts with step-by-step instructions available here.
5. WordPress.org has introduced SVN-specific passwords to separate code access from main account credentials, and plugin authors using deployment scripts need to update to use these new SVN-specific passwords.
6. 2FA will not be applied to existing code repositories due to technical limitations, and the approach combines “account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features” to enhance security.
Let me know if you need clarification on any of these points or if there are additional details you’d like me to include.