WordPress To Mandate 2FA for Theme And Plugin Developers


Beginning on October 1st, 2024, WordPress will mandate two-factor authentication (2FA) for plugin and theme creators as a new security measure.

Themes and plugins that are used by millions of WordPress websites worldwide can be updated and changed by accounts that have commit access. 


To prevent unauthorized access and preserve the security of, and trust in, the WordPress community, these accounts must be kept secure.

Two-factor authentication serves as an additional layer of defense to prevent unauthorized third parties from accessing your accounts.


Configuring Two-Factor Authentication

Set Up A Security Key

When logging into your WordPress.org account, security keys offer an extra degree of protection by using cryptography, hardware keys, or biometrics.

  • Go to your profile at https://profiles.wordpress.org/me/profile/edit/.
  • Click on the Account & Security tab.
  • Click Two-factor security key.
  • Click Register new key.
  • Input a key name in the Name field and click Register.
  • Follow the steps specific to your browser to add your security key.

Set Up A Time-Based One-Time Password (TOTP)

Time-Based One-Time Passwords (TOTPs) are temporary codes created by an authentication app on your mobile device. These codes are used to confirm your identity when logging in. They change every 30 seconds.

  • Visit your profile at https://profiles.wordpress.org/me/profile/edit/.
  • Click on the Account & Security tab.
  • Click Two-factor app.
  • Scan the QR code with your authenticator app.
  • If you cannot scan the QR code, click the “Can’t scan the QR code?” link to get a one-time code to enter into your authenticator app.
  • A six-digit number code will appear in your authenticator app. Type the code in the field provided.
  • Click Enable.

Generate Backup Codes

Backup codes are one-time-use codes that you can use if you lose access to the configured authenticator app or security key.

  • Visit your profile at https://profiles.wordpress.org/me/profile/edit/.
  • Click on the Account & Security tab.
  • Click Two-factor backup codes.
  • Ten backup codes will be generated.
  • Print, copy, or save the backup codes.
  • Check the "I have printed or saved these codes" checkbox.
  • Click All Finished.
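The two properties that make backup codes safe to keep on paper are that each is high-entropy and that each can be redeemed exactly once. The following added example (not WordPress.org's code) shows a minimal server-side model of that: ten random codes are shown to the user once, only their SHA-256 digests are stored, and a successful redemption deletes the digest so the same code cannot be used again. The code length, hashing choice and normalization are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import List, Set, Tuple


def generate_backup_codes(count: int = 10, nbytes: int = 5) -> Tuple[List[str], Set[str]]:
    """Return (plaintext codes to show the user once, set of SHA-256 digests to store).
    Each code carries nbytes*8 = 40 bits of entropy from the OS CSPRNG, so a plain
    (unsalted) hash is enough to make the stored set useless to someone who reads it."""
    codes = [secrets.token_hex(nbytes) for _ in range(count)]  # 10 lowercase hex chars each
    store = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, store


def _normalize(candidate: str) -> str:
    """Tolerate the ways users retype a printed code: case, spaces, dashes."""
    return candidate.strip().lower().replace(" ", "").replace("-", "")


def redeem_backup_code(store: Set[str], candidate: str) -> bool:
    """Consume a backup code. Valid exactly once: the matching digest is removed from
    the store on success. Digests are compared in constant time."""
    digest = hashlib.sha256(_normalize(candidate).encode()).hexdigest()
    for stored in list(store):
        if hmac.compare_digest(stored, digest):
            store.discard(stored)
            return True
    return False


if __name__ == "__main__":
    codes, store = generate_backup_codes()
    print("codes shown once:", codes)
    print(redeem_backup_code(store, codes[0]))  # True
    print(redeem_backup_code(store, codes[0]))  # False: already consumed
    print(len(store), "codes remain")           # 9
```

Because the server keeps only digests, a database read does not reveal usable codes; because a redeemed digest is deleted, a code captured after use is worthless, which is exactly why the page tells you to print or save them and then click through.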

“If you have access to any of our internal tools, are a committer, plugin author, theme author, manage WordCamp websites, or have any other trusted role, you should have two-factor authentication enabled,” reads the notification.

Some access or capabilities assigned to your account may be limited if you do not have two-factor authentication enabled.

It is also noted that, due to technical constraints, 2FA cannot be applied directly to the existing code repositories.

Consequently, WordPress.org is using a combination of high-entropy SVN passwords, deploy-time security features (such as Release Confirmations), and account-level two-factor authentication.

Introducing SVN Passwords

In addition to required 2FA, WordPress.org announced the introduction of SVN passwords, which replace your user account password with an SVN-specific password when committing changes.

This password works similarly to a user account password or application password. It shields your primary password from attackers and makes it simple to revoke SVN access without requiring you to change your WordPress.org credentials. 

Therefore, WordPress.org recommends that two-factor authentication be set up for everyone. Along with offering several advantages, this extra layer of security will aid in preventing security breaches.
