Mandatory Security Upgrades for WordPress Plugin and Theme Developers: 2FA and SVN Passwords Starting October 1, 2024

WordPress.org is dedicated to securing accounts that play a crucial role in the WordPress ecosystem. Accounts with commit access have the ability to push updates and changes to plugins and themes used by millions of WordPress sites worldwide. Ensuring the security of these accounts is vital for preventing unauthorized access and maintaining the trust and safety of the WordPress.org community.

Starting October 1, 2024, we are introducing a new security requirement: mandatory two-factor authentication (2FA) for all plugin and theme developers. This measure is part of our ongoing efforts to enhance account security and protect against potential breaches.

Setting Up Two-Factor Authentication (2FA)

If you haven’t yet set up two-factor authentication, do so now by visiting this link: Configure 2FA in Your WordPress Profile. Store your backup codes in a secure location: if you lose both your 2FA method and your backup codes, regaining access to your account will be considerably harder.

Introduction of Separate SVN Passwords

To further bolster security, we are introducing a separate SVN password. This password is distinct from your main WordPress.org account password and works like an application password: it is used only for SVN, so your primary account password is never stored in build tooling or SVN credential caches, and you can revoke SVN access at any time without changing your main WordPress.org credentials. Generate your SVN password from your WordPress.org profile.

If you use deployment scripts, such as GitHub Actions, update the stored credential (for example, the repository secret the workflow reads) with this new SVN password; your account password will no longer work for SVN.
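The following GitHub Actions workflow is an added example, not code from the WordPress.org announcement or from any WordPress.org project. It shows where the separate SVN password belongs in a deployment pipeline: in a repository secret that the job reads into an environment variable, passed to svn with --non-interactive and --no-auth-cache so the runner never prompts for or caches credentials. The plugin slug example-plugin, the secret names SVN_USERNAME and SVN_PASSWORD, the tag naming scheme v1.2.3, and the build output directory ./dist are all assumptions for the example.

```yaml
# Added example (not from the WordPress.org announcement). Assumed names:
# plugin slug "example-plugin", secrets SVN_USERNAME / SVN_PASSWORD,
# git tags of the form v1.2.3, and a built plugin in ./dist.
name: Deploy to WordPress.org

on:
  push:
    tags:
      - "v*"          # pushing a tag such as v1.2.3 triggers a release

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Subversion
        run: sudo apt-get update && sudo apt-get install -y subversion

      - name: Build plugin
        run: |
          mkdir -p dist
          # Replace with your real build; here the plugin source is copied as-is.
          rsync -a --exclude .git --exclude .github --exclude dist ./ dist/

      - name: Commit release to WordPress.org SVN
        env:
          # The SVN password generated in your WordPress.org profile,
          # never your account password. Rotate or revoke it there.
          SVN_USERNAME: ${{ secrets.SVN_USERNAME }}
          SVN_PASSWORD: ${{ secrets.SVN_PASSWORD }}
          PLUGIN_SLUG: example-plugin
          GIT_TAG: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          : "${SVN_USERNAME:?SVN_USERNAME secret is not set}"
          : "${SVN_PASSWORD:?SVN_PASSWORD secret is not set}"
          VERSION="${GIT_TAG#v}"                       # v1.2.3 -> 1.2.3
          SVN_URL="https://plugins.svn.wordpress.org/${PLUGIN_SLUG}"

          # Refuse to overwrite an existing tag in the repository.
          if svn ls "${SVN_URL}/tags/${VERSION}" >/dev/null 2>&1; then
            echo "tag ${VERSION} already exists in SVN" >&2
            exit 1
          fi

          # Sparse checkout: only trunk is fetched in full.
          svn checkout --depth immediates "${SVN_URL}" svn
          cd svn
          svn update --set-depth infinity trunk

          # Replace trunk contents with the build output.
          rsync -a --delete --exclude .svn ../dist/ trunk/
          svn add --force trunk
          svn status | awk '/^!/ {print $2}' | xargs -r svn rm
          svn cp trunk "tags/${VERSION}"

          # Credentials come from the environment; --no-auth-cache keeps svn
          # from writing the password to ~/.subversion/auth on the runner.
          svn commit -m "Release ${VERSION}" \
            --username "${SVN_USERNAME}" \
            --password "${SVN_PASSWORD}" \
            --non-interactive --no-auth-cache
```

Because the password is passed on the svn command line, it is briefly visible in the process list of the runner; on an ephemeral hosted runner that is acceptable, but on a shared self-hosted runner prefer a Subversion version that supports reading the password from stdin, or the 10up/action-wordpress-plugin-deploy action, which takes the same SVN_USERNAME and SVN_PASSWORD secrets. When you rotate the SVN password in your WordPress.org profile, the only change needed here is updating the SVN_PASSWORD secret.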

Why Not Apply 2FA to SVN?

Due to technical limitations, we cannot apply 2FA directly to our existing SVN code repositories. Instead, WordPress.org will use a combination of account-level 2FA, high-entropy SVN passwords, and other security measures such as Release Confirmations to safeguard our code.

These new security measures are designed to help developers better protect their accounts and contribute to the overall security of the WordPress ecosystem. Implementing these changes will enhance the security and reliability of WordPress plugins and themes, ensuring a safer experience for everyone involved.

Source: WordPress.org