Two-factor authentication (2FA) will soon be standard for all WordPress admin accounts, the company has confirmed.
All accounts with the ability to push updates and make changes to site content on the website building platform, such as themes and plugins, will be subject to the new security measure.
“Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community,” a company announcement said.
Time for 2FA
The 2FA measure will come into force on October 1st and is aimed at preventing hackers with stolen credentials from logging into accounts, pushing dodgy or modified themes and plugins live, and then using these as a backdoor to spread malware or attack other networks further in the supply chain.
2FA provides an extra layer of account security by requiring an additional method of verification through a separate app, text message or physical security key, helping to shore up weak passwords and protecting against phishing, social engineering and brute force attacks. WordPress provided instructions for activating 2FA here.
WordPress is believed to be the platform behind around half of all websites online today, which means that when new security flaws in plugins are found, hundreds of thousands to millions of websites are put at risk.
WordPress is also introducing an SVN password feature as an additional measure to secure accounts since 2FA cannot be applied to existing WordPress code repositories, which is why the platform is introducing “a combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features.”
