This website uses cookies

Our website, platform and/or any sub domains use cookies to understand how you use our services, and to improve both your experience and our marketing relevance.

Peak Performance.

Limitless Scalability.

  • 0

    Days

  • 0

    Hours

  • 0

    Mins

  • 0

    Sec

Off For 4 months
+40 free Migrations

Secure Any CMS With Ease with Our Malware Protection Add-On! LEARN MORE→

WordPress Halts Plugin Updates to Counter Supply Chain Attacks

Updated on July 3, 2024

2 Min Read
WordPress Halts Plugin Updates to Counter Supply Chain Attacks


WordPress announced over the weekend that they were pausing plugin updates and initiating a force reset on plugin author passwords to prevent additional website compromises due to an ongoing supply chain attack on WordPress plugins.

Hackers have been targeting plugins directly at the source, using exposed password credentials from previous data breaches (unrelated to WordPress). They exploit compromised credentials used by plugin authors who reuse passwords across multiple websites, including those exposed in past breaches.

In response, WordPress has taken action by implementing a forced password reset and encouraging plugin authors to use two-factor authentication. They also temporarily blocked all new plugin updates unless approved by their team to ensure no malicious backdoors were added. By Monday, WordPress confirmed that plugin releases were no longer paused.

In their announcement, WordPress stated, “We have begun to force reset passwords for all plugin authors, as well as other users whose information was found by security researchers in data breaches.

This will affect some users’ ability to interact with WordPress.org or perform commits until their password is reset. You will receive an email from the Plugin Directory when it is time for you to reset your password. There is no need to take action before you’re notified.”

A discussion in the comments section between a WordPress community member and the announcement’s author revealed that WordPress did not directly contact plugin authors using “recycled” passwords due to false positives and negatives in the breach list. Francisco Torres of WordPress explained, “What we’ve done since the beginning of this issue is to individually notify those users that we’re certain have been compromised.”

via GIPHY

These measures underscore WordPress’s commitment to enhancing security and preventing future compromises. By taking proactive steps, they aim to protect the integrity of their platform and ensure a secure environment for all users.

Share your opinion in the comment section. COMMENT NOW

Share This Article

Start Growing with Cloudways Today.

Our Clients Love us because we never compromise on these

Abdul Rehman

Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.

×

Thankyou for Subscribing Us!

×

Webinar: How to Get 100% Scores on Core Web Vitals

Join Joe Williams & Aleksandar Savkovic on 29th of March, 2021.

Do you like what you read?

Get the Latest Updates

Share Your Feedback

Please insert Content

Thank you for your feedback!

Do you like what you read?

Get the Latest Updates

Share Your Feedback

Please insert Content

Thank you for your feedback!

Want to Experience the Cloudways Platform in Its Full Glory?

Take a FREE guided tour of Cloudways and see for yourself how easily you can manage your server & apps on the leading cloud-hosting platform.

Start my tour

CYBER MONDAY SAVINGS

Limitless Scalability.

  • 0

    Days

  • 0

    Hours

  • 0

    Mins

  • 0

    Sec

Off For 4 months
+40 free Migrations

Claim Now