New WordPress Security Requirements To Counter Supply Chain Attacks

Beginning October 1st, WordPress will require two-factor authentication for accounts that can update plugins, themes, and other security requirements. Ravie Lakshmanan reports in Hacker News that the new WordPress security requirements are designed to counter scenarios where a bad actor takes control of a publisher’s account and inserts malicious code into legitimate plugins and themes to facilitate large supply chain attacks.

“Outdated software is a primary target for attackers who exploit vulnerabilities in old plugins and themes,” says security researcher Ben Martin. “Weak admin passwords are a gateway for attackers.”

Sucuri Security has warned of ongoing ClearFake campaigns targeting WordPress sites. The campaigns aim to distribute the RedLine information stealer. They have also used infected PrestaShop e-commerce sites to steal financial information entered on checkout pages with a credit card skimmer.

Besides requiring mandatory two-factor authentication, WordPress is introducing dedicated passwords for making changes called SVN passwords to create another layer of security. These passwords protect users’ primary passwords from exposure and allow easy revocation of SVN access without changing WordPress.org credentials.

According to Hacker News, WordPress says that technical limitations have prevented two-factor authentication from being applied to existing code repositories. Therefore, it opted for a “combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features (such as Release Confirmations).”

Users are cautioned to keep their WordPress security requirements, plugins, and themes up-to-date, deploy a web application firewall, periodically review administrator accounts, and monitor website files for unauthorized changes.