WordPress.org, a platform millions of websites use worldwide, introduces important security updates for plugin and theme developers. These changes, which will take effect on October 1, 2024, aim to strengthen the security of the WordPress ecosystem by mandating two-factor authentication (2FA) and introducing SVN-specific passwords for all contributors. Since WooCommerce, a popular e-commerce plugin, is built on WordPress, these updates will also impact WooCommerce developers.
Key Changes for Developers
Mandatory Two-Factor Authentication (2FA)
Starting October 1, 2024, all plugin and theme authors on WordPress.org must enable 2FA for their accounts. This extra layer of security helps protect sensitive contributor accounts that have the ability to push updates and changes to live WordPress websites. The implementation of 2FA is essential for preventing unauthorized access, thus ensuring the safety of millions of websites that rely on WordPress and its plugins.
Setting up 2FA is straightforward. Developers can choose between a security key, such as a passkey or YubiKey, and a time-based one-time password (TOTP) generated by an authenticator app. Both options provide robust protection, and security keys additionally resist phishing. Backup codes are also generated for emergency access in case of device loss or failure; developers are strongly encouraged to store them securely.
New SVN Passwords for Commit Access
In addition to 2FA, WordPress.org is rolling out a new system for managing commit access through Subversion (SVN), a version control system used by the platform. Developers will no longer use their main WordPress.org password for committing changes to repositories. Instead, an SVN-specific password will be required. This high-entropy password is designed to reduce the risk of brute-force attacks or password reuse vulnerabilities.
SVN passwords can be generated directly from a user’s WordPress.org profile and are separate from the main account password. Importantly, these SVN credentials cannot be used for other WordPress.org services. Developers using automated deployment tools, such as GitHub Actions, will need to update their stored credentials with the newly generated SVN password to avoid disruptions.
Why 2FA Isn’t Applied to SVN
Although 2FA is required at the account level, it cannot currently be applied to SVN repositories due to technical limitations. To compensate for this, the platform is securing SVN commits through the combination of 2FA, SVN-specific passwords, and other security measures, such as release confirmations during deployment.
The goal of these updates is to secure the WordPress ecosystem without compromising functionality. Plugin and theme authors, along with WooCommerce developers, are urged to prepare for these changes ahead of the October deadline to ensure compliance and maintain smooth operations.
Preparing for the Transition
For developers, transitioning to these new security measures should be a top priority. Configuring 2FA and generating an SVN password are both essential steps to take before October 1. WordPress.org has provided extensive documentation and support, guiding users through the process of setting up 2FA with either security keys or authentication apps.
It is also crucial to store backup codes in a safe place to prevent account lockouts, as regaining access without them may be difficult. For those who may encounter issues, WordPress.org offers support through forums and direct assistance for resetting passwords.
Impact on the WordPress and WooCommerce Communities
While these changes may require some adjustment, they reflect a broader effort to enhance security across the WordPress platform. Given the widespread usage of WooCommerce for e-commerce sites, these updates also affect the security of online stores, making it more important than ever for developers to comply.
Ultimately, these security measures are designed to protect developers and users alike, contributing to a more secure and trusted WordPress ecosystem.