Beginning October 1st, 2024, WordPress.org will implement mandatory two-factor authentication (2FA) for all plugin and theme authors. In addition, new SVN passwords have been introduced to enhance security.
Automattic-sponsored contributor Dion Hulse explained the need for this implementation as follows: “Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide. Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community.”
From Opt-in to Mandatory Two-Factor Authentication
Two-factor authentication on WordPress.org has been in the works since 2018, with a significant update in 2022. In May 2023, two-factor authentication (2FA) on WordPress.org became available for users to test as an opt-in feature, and support for security keys was added later.
Steve Dufresne, an Automattic-sponsored contributor, noted back in 2023 that 2FA would eventually become mandatory for certain accounts: “In the near future, we plan to begin requiring it for accounts with special access, core contributors, theme and plugin developers, and so on.”
Now, from October 1, 2024, the team has decided to make two-factor authentication on WordPress.org mandatory rather than opt-in for plugin and theme authors.
You can set up two-factor authentication from your WordPress.org profile. As with any 2FA setup, make sure you store the backup codes safely. Dion cautioned, “Please ensure you store your backup codes securely. If you lose access to your two-factor authentication method and your backup codes, the process to regain access to your account may not be easy.”
If you have any questions about setting up 2FA, please refer to the setup guide for assistance.
New SVN Passwords Introduced
New SVN (Subversion) passwords have been introduced for plugin and theme authors. They are used for committing changes to your plugins and themes in place of your main WordPress.org account password. If you use a deployment script, such as a GitHub Action, update the stored credential to this SVN password. A quick guide on setting up an SVN password has also been published.
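To show what such a deployment script looks like after the change, here is an added example of a GitHub Actions workflow that commits a plugin to WordPress.org SVN using the dedicated SVN password. It is not code from the original post or from WordPress.org. It assumes a repository whose root is the plugin, a hypothetical plugin slug `example-plugin`, and two repository secrets, `SVN_USERNAME` and `SVN_PASSWORD`, holding the WordPress.org username and the SVN password (not the account password); the `https://plugins.svn.wordpress.org/<slug>` URL pattern is assumed to be the plugin's repository location.

```yaml
# Added example: a release-triggered deploy to WordPress.org SVN.
# Assumptions (not from the original page): plugin slug "example-plugin",
# secrets SVN_USERNAME and SVN_PASSWORD, SVN repository at
# https://plugins.svn.wordpress.org/<slug>.
name: Deploy to WordPress.org SVN

on:
  release:
    types: [published]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install Subversion
        run: sudo apt-get update && sudo apt-get install -y subversion

      - name: Commit to SVN trunk
        env:
          SVN_USERNAME: ${{ secrets.SVN_USERNAME }}
          SVN_PASSWORD: ${{ secrets.SVN_PASSWORD }}   # the SVN password, not the account password
          SLUG: example-plugin                        # hypothetical plugin slug
        run: |
          set -eu
          # Fail closed if a secret is missing rather than letting svn prompt and hang.
          : "${SVN_USERNAME:?SVN_USERNAME secret not set}"
          : "${SVN_PASSWORD:?SVN_PASSWORD secret not set}"

          SVN_URL="https://plugins.svn.wordpress.org/${SLUG}"

          # Anonymous read-only checkout of the top level, then fill in trunk.
          svn checkout --quiet --depth immediates "$SVN_URL" svn
          svn update --quiet --set-depth infinity svn/trunk

          # Mirror the repository contents into trunk; drop files removed upstream.
          rsync -a --delete --exclude .git --exclude .github --exclude svn ./ svn/trunk/

          cd svn
          svn add --force --quiet trunk
          svn status | awk '/^!/ {print $2}' | xargs -r svn delete --quiet

          # --non-interactive: never prompt; --no-auth-cache: do not write the
          # SVN password to ~/.subversion/auth on the runner.
          svn commit --quiet --non-interactive --no-auth-cache \
            --username "$SVN_USERNAME" --password "$SVN_PASSWORD" \
            -m "Deploy ${GITHUB_REF_NAME}"
```

The two flags on the commit are the security-relevant part: `--non-interactive` makes a wrong or missing password fail the job instead of waiting on a prompt, and `--no-auth-cache` keeps the SVN password out of Subversion's on-disk credential cache. Because the SVN password is a separate credential, rotating it in the WordPress.org profile and in the repository secret does not touch the account password or its 2FA setup.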
Dion has also highlighted why 2FA is not applied to SVN itself: “Due to technical limitations, 2FA cannot be applied to our existing code repositories, that’s why we’ve chosen to secure WordPress.org code through a combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features (such as Release Confirmations).”
The Community Response
Jeff Chandler on X tweeted, “I support this decision ‘mandatory two-factor authentication (2FA) for plugin and theme authors, starting on October 1st, 2024.’” Ajay D’Souza also supports this implementation: “Yes. It’s a good move. I had an issue the last time with SVN but having two credentials works well now.”
A few months ago, several WordPress.org plugins were compromised in a supply chain attack. These two measures add a layer of protection for committer accounts and should help prevent similar incidents in the future. The attack also prompted a series of responses from the WordPress plugin review team, including forced password resets for plugin authors and published guidelines on keeping plugin committer accounts secure.