WordPress recently made an important announcement regarding the security of plugins on its platform. In response to an ongoing supply chain attack, WordPress.org paused plugin updates and forced a password reset for plugin authors to prevent further website compromises.
What is a Supply Chain Attack?
In this type of attack, hackers target plugins directly at the source: they log in to plugin authors' WordPress.org accounts using password credentials exposed in earlier data breaches, and can then push malicious updates to the plugins those accounts control. The breaches themselves are unrelated to WordPress; they exposed credentials belonging to plugin authors who reused the same passwords across different websites.
WordPress Takes Swift Action
Although some plugins have already been compromised, the WordPress community has taken action to prevent further attacks. It has initiated a forced password reset and is encouraging plugin authors to enable two-factor authentication for added security.
Furthermore, WordPress temporarily blocked all new plugin updates unless they received approval from the plugins team, to ensure that malicious backdoors were not being added to plugins. As of Monday, WordPress has lifted the pause on plugin releases.
The official announcement from WordPress regarding the forced password reset:
“We have started to force reset passwords for all plugin authors and other users whose information was discovered in security researchers’ data breaches. This may affect some users’ ability to interact with WordPress.org until their password is reset. You will receive an email notification when it is time to reset your password. No action is required until you are contacted.”
A discussion in the comments section revealed that WordPress did not directly contact every plugin author believed to be using a "recycled" password, because the breach data could not be matched to accounts with certainty. Some accounts presumed to be safe were in fact compromised, which led to the decision to force password resets across the board.
Francisco Torres of WordPress explained:
“Reaching out to those individuals whose data has been found in data breaches may not be accurate for all users. We have notified those we are certain have been compromised since the beginning of this issue.”
For more information, read the official announcement from WordPress:
Password Reset Required for Plugin Authors