WordPress is making plugin developers use 2FA

News
By published

2FA will soon be standard for WordPress devs

Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
(Image credit: Shutterstock/monticello)

Two-factor authentication (2FA) will soon be standard for all WordPress admin accounts, the company has confirmed.

All accounts with the ability to push updates and make changes to site content on the website building platform, such as themes and plugins, will be subject to the new security measure.

Latest Videos From

Time for 2FA

The 2FA measure will come into force on October 1st and is aimed at preventing hackers with stolen credentials from logging into accounts, pushing dodgy or modified themes and plugins live, and then using these as a backdoor to spread malware or attack other networks further in the supply chain.

2FA provides an extra layer of account security by requiring an additional method of verification through a separate app, text message or physical security key, helping to shore up weak passwords and protecting against phishing, social engineering and brute force attacks. WordPress provided instructions for activating 2FA here.

WordPress is believed to be the platform behind around half of all websites online today, which means that when new security flaws in plugins are found, hundreds of thousands to millions of websites are put at risk.

WordPress is also introducing an SVN password feature as an additional measure to secure accounts since 2FA cannot be applied to existing WordPress code repositories, which is why the platform is introducing "a combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features."

More from TechRadar Pro

Benedict Collins
Benedict Collins
Senior Writer, Security

Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.

Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.