WordPress announced over the weekend that they were pausing plugin updates and initiating a force reset on plugin author passwords to prevent additional website compromises due to an ongoing supply chain attack on WordPress plugins.
Hackers have been targeting plugins directly at the source, using exposed password credentials from previous data breaches (unrelated to WordPress). They exploit compromised credentials used by plugin authors who reuse passwords across multiple websites, including those exposed in past breaches.
In response, WordPress has taken action by implementing a forced password reset and encouraging plugin authors to use two-factor authentication. They also temporarily blocked all new plugin updates unless approved by their team to ensure no malicious backdoors were added. By Monday, WordPress confirmed that plugin releases were no longer paused.
In their announcement, WordPress stated, “We have begun to force reset passwords for all plugin authors, as well as other users whose information was found by security researchers in data breaches.
This will affect some users’ ability to interact with WordPress.org or perform commits until their password is reset. You will receive an email from the Plugin Directory when it is time for you to reset your password. There is no need to take action before you’re notified.”
#WordPress Takes A Bite Out Of Plugin Attacks. WordPress took significant steps to combat supply chain attacks by pausing plugin updates and resetting passwords #security #cybersecurity https://t.co/5RsLcwGnW5 via @martinibuster, @sejournal
— Marusti WebDesign (@marustiweb) July 2, 2024
A discussion in the comments section between a WordPress community member and the announcement’s author revealed that WordPress did not directly contact plugin authors using “recycled” passwords due to false positives and negatives in the breach list. Francisco Torres of WordPress explained, “What we’ve done since the beginning of this issue is to individually notify those users that we’re certain have been compromised.”
These measures underscore WordPress’s commitment to enhancing security and preventing future compromises. By taking proactive steps, they aim to protect the integrity of their platform and ensure a secure environment for all users.
Start Growing with Cloudways Today.
Our Clients Love us because we never compromise on these
Abdul Rehman
Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.