On June 23 and 24, 2024, five WordPress.org user accounts were compromised by an attacker trying username and password combinations that had previously been exposed in data breaches on other websites (a credential-stuffing attack). The attacker used access to those five accounts to issue malicious updates to five plugins those users had committer access to.
The affected plugins have had security updates issued by the Plugins Team to protect user security.
The Plugins Team would like to use this opportunity to spread awareness around best practices for WordPress.org accounts, particularly those with plugin committer and owner level access.
As a reminder, Plugin Owners can assign a WordPress.org user one of the following permission roles for their plugin:
– Owner: a plugin has one Owner, which grants that user the ability to perform destructive actions such as permanently closing or transferring the plugin, as well as the ability to issue plugin updates and manage support for that plugin on WordPress.org. For company-owned plugins, this should be a company-branded WordPress.org account that only the company’s owner, CEO or CTO (or a single person in a similar role) has access to, using an email address only that individual has access to (i.e. not support@{companyname}.com).
– Committer: this role grants the user the ability to manage support for that plugin on WordPress.org as well as the ability to issue new plugin versions by updating the plugin’s code in SVN.
– Support Rep: this role grants the user the ability to manage support for that plugin on WordPress.org only.
You can also acknowledge users who contributed to the plugin without giving that user any special abilities for the plugin on WordPress.org by using your plugin’s readme.txt to mark them as a Contributor.
Limit the Number of and Audit Your Plugin’s Committers Regularly
As we’ve mentioned in the past, plugin commit access (the ability to issue updates on behalf of your plugin) should only be given to developers, and more specifically only to the developers who are actively responsible for issuing updates for your plugins.
Committer accounts should not be shared by more than one user, and should not use an email address that more than one person has access to. We’ve seen developers in the past use an address such as support@ for their WordPress.org account with Committer or Owner access, which means anyone with access to your support tool can request a password reset, receive the reset link, change the password, and blow up your plugin (or permanently close it). Obviously that’s a major security issue (and could also be a Guidelines violation that gets your plugin pulled from the repository if the address sends back an auto-responder email).
Additionally, the Plugins Team emails all committers of a plugin whenever we need clarification on a Guidelines issue with your plugin or have received a report of a security vulnerability in it. So the best practice is to limit the committers on a plugin to the minimum number of developers possible, and have those developers make sure that emails from plugins@wordpress.org do not go to spam in their email client.
Users who do not need commit level access should instead be given Support Rep access, which allows them to respond to and manage support topics for your plugins on WordPress.org. This account level does not allow those users to issue plugin updates.
We recommend auditing the committers of each of your WordPress plugins on a regular basis, removing commit access (or downgrading them to Support Rep access) from anyone who no longer needs it. The owner of the plugin can manage its committers on the Advanced tab of the plugin’s WordPress.org page.
Enable Release Confirmation For Your Plugins
In April 2021, the Plugin Directory introduced opt-in support for Release Confirmations.
When a plugin opts in to Release Confirmations, a release is no longer issued simply by committing it: the confirmation adds a second step that an unauthorized user who has gained commit access (for example through a compromised committer account) would also have to pass before an update goes out.
After opting in, a plugin committer wishing to issue a new version commits and tags the update in SVN as normal. Once the tag has been committed to the Plugin Directory, the Directory emails a unique tokenized link to every committer of that plugin; the link leads to a dedicated dashboard where a committer can confirm the new release. Only once the version is confirmed is the update issued.
For additional security, the Plugin Directory also supports the ability to require 2 plugin committers to confirm the release in order to issue the update — if you’re interested in requiring that for your plugin, please email plugins@wordpress.org with your request.
You can see which of the plugins you have Committer (or Owner) access to have Release Confirmations enabled on the Release Confirmations dashboard.
Use Secure Passwords and 2FA
If you are the owner or a committer of a WordPress plugin, it is imperative you use a unique password that is complex and not re-used on any other website.
As mentioned in WordPress’s Password Best Practices guide, we recommend using a password that:
– is at least 20 characters (preferably substantially more)
– uses lowercase and uppercase letters as well as numbers
– contains special characters such as `!"#$%&'()*+,-./:;?@[]^_{}|~
– does not contain names, words or years that are easily linked to you
This password should not be used on any other site.
To make it easy to use secure, complex passwords, we recommend using a password manager to generate and store this password. This avoids the temptation of password re-use and makes it easy to generate a unique, complex password for each website that you use.
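As an added example (not part of the original post and not WordPress.org’s own tooling), the following Python generates a password that satisfies the policy listed above using the operating-system-backed `secrets` module, and checks any candidate against each rule so you can verify what your password manager produced. The list of personal terms it screens for is a constructed input; the year check (1900–2099) is an assumption about how to detect "years easily linked to you".

```python
"""Generate and check passwords against the policy quoted on this page (added example)."""
import re
import secrets
import string
from typing import Iterable, List

# The special characters the guide lists (the backtick is one of them).
SPECIALS = "`!\"#$%&'()*+,-./:;?@[]^_{}|~"
MIN_LENGTH = 20
# Assumption: a "year" is any four-digit run 1900-2099 appearing in the password.
YEAR_RE = re.compile(r"(?:19|20)\d{2}")


def check_policy(password: str, personal_terms: Iterable[str] = ()) -> List[str]:
    """Return the list of rules the password fails (an empty list means it passes).

    `personal_terms` are names or words linked to you (e.g. a handle or company
    name); they are matched case-insensitively as substrings.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    if YEAR_RE.search(password):
        failures.append("contains a year")
    lowered = password.lower()
    for term in personal_terms:
        if term and term.lower() in lowered:
            failures.append(f"contains personal term {term!r}")
    return failures


def generate_password(length: int = 24, personal_terms: Iterable[str] = ()) -> str:
    """Build a password from the CSPRNG in `secrets`.

    One character from each required class is forced, the remainder is drawn
    from the whole alphabet, the result is shuffled so the forced characters
    are not always at the front, and the candidate is regenerated if it
    happens to violate a rule (for instance a random run that spells a year).
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    rng = secrets.SystemRandom()
    personal_terms = list(personal_terms)
    while True:
        chars = [
            secrets.choice(string.ascii_lowercase),
            secrets.choice(string.ascii_uppercase),
            secrets.choice(string.digits),
            secrets.choice(SPECIALS),
        ] + [secrets.choice(alphabet) for _ in range(length - 4)]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not check_policy(candidate, personal_terms):
            return candidate


if __name__ == "__main__":
    # Constructed inputs: a weak password and a generated one.
    print("Summer2024! fails:", check_policy("Summer2024!"))
    print("generated:", generate_password(24, personal_terms=["wordpress"]))
```

Forcing one character per class and then shuffling is what keeps the generator from ever emitting a password that fails its own checker; the retry loop only handles the rare year or personal-term collision.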
We also strongly recommend that all accounts on WordPress.org set up and use two-factor authentication (2FA), which has been supported since May 2023. This helps keep your WordPress.org account secure by requiring a second piece of evidence to log in, such as a rotating 6-digit TOTP code from an authenticator app or a hardware security key. To set up 2FA for your WordPress.org account, follow this step-by-step guide.