WordPress is making plugin developers use 2FA
2FA will soon be standard for WordPress devs
Two-factor authentication (2FA) will soon be standard for all WordPress admin accounts, the company has confirmed.
All accounts with the ability to push updates and make changes to site content on the website building platform, such as themes and plugins, will be subject to the new security measure.
"Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community," a company announcement said.
Time for 2FA
The 2FA measure will come into force on October 1st and is aimed at preventing hackers with stolen credentials from logging into accounts, pushing dodgy or modified themes and plugins live, and then using these as a backdoor to spread malware or attack other networks further in the supply chain.
2FA provides an extra layer of account security by requiring an additional method of verification through a separate app, text message or physical security key, helping to shore up weak passwords and protecting against phishing, social engineering and brute force attacks. WordPress provided instructions for activating 2FA here.
WordPress is believed to be the platform behind around half of all websites online today, which means that when new security flaws in plugins are found, hundreds of thousands to millions of websites are put at risk.
WordPress is also introducing an SVN password feature as an additional measure to secure accounts since 2FA cannot be applied to existing WordPress code repositories, which is why the platform is introducing "a combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features."
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
More from TechRadar Pro
- Take a look at some of the best password managers
- Thousands of WordPress sites potentially at risk from plugin security flaw
- These are the best VPNs with antivirus
Benedict has been writing about security issues for close to 5 years, at first covering geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division). Benedict then continued his studies at a postgraduate level and achieved a distinction in MA Security, Intelligence and Diplomacy. Benedict transitioned his security interests towards cybersecurity upon joining TechRadar Pro as a Staff Writer, focusing on state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.