WordPress Takes A Bite Out Of Plugin Attacks

WordPress recently announced a series of measures to combat ongoing supply chain attacks targeting WordPress plugins. These measures include pausing plugin updates and forcing a password reset for plugin authors to prevent further website compromises.

Understanding the Supply Chain Attack

Attackers have been taking over plugins by using password credentials exposed in earlier data breaches unrelated to WordPress itself. They look for plugin authors who reuse the same password across multiple sites, so a password leaked in one of those prior breaches also works against the author's WordPress.org account.
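The defender-side counterpart of this attack is screening passwords against a corpus of breached credentials. The following is an added example, not code from the article or from WordPress.org, showing how such a check is done with the k-anonymity range protocol used by the Pwned Passwords API: only the first five hex characters of the password's SHA-1 hash are sent, and the client matches the remaining 35 characters locally. The range response and the account list here are constructed stand-ins (the counts are made up, and no network call is made) so the example runs offline; the endpoint URL is the real one but is not contacted.

```python
"""Screen passwords against a breached-password corpus using the
k-anonymity range protocol (as used by Pwned Passwords). The network
fetch is replaced by a constructed, offline stand-in."""
import hashlib
from typing import Callable, Dict, List

# Real endpoint of the Pwned Passwords range API; not contacted here.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed stand-in for one range response. The format matches the
# real API: one "SUFFIX:COUNT" line per hash sharing the 5-char prefix.
# The second suffix is the real SHA-1 tail of "password"; the other two
# suffixes and all counts are made up for this example.
FAKE_RANGE_5BAA6 = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1F0BBA0BCC2DF5B94E4C9B8B6ECD1B1D5F8:1\r\n"
)


def offline_fetch(prefix: str) -> str:
    """Stand-in for an HTTP GET of RANGE_URL; returns constructed data."""
    return FAKE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def breach_count(password: str,
                 fetch: Callable[[str], str] = offline_fetch) -> int:
    """Return how often `password` appears in the corpus (0 = not seen).

    Only the 5-character hash prefix is handed to `fetch`; the full hash
    never leaves this function.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def authors_needing_reset(logins: Dict[str, str],
                          fetch: Callable[[str], str] = offline_fetch) -> List[str]:
    """List accounts whose current password appears in the breach corpus.

    `logins` maps account name to the plaintext observed at login or
    password-change time, the only moment a site can see it; stored
    salted hashes cannot be screened this way.
    """
    return sorted(user for user, pw in logins.items()
                  if breach_count(pw, fetch) > 0)


# Constructed sample accounts; "alice" reuses a well-known breached password.
SAMPLE_LOGINS = {
    "alice": "password",
    "bob": "Tr0ub4dor&3-no-wait-make-it-much-longer",
}

if __name__ == "__main__":
    for user in authors_needing_reset(SAMPLE_LOGINS):
        print(f"{user}: password found in breach corpus, force reset")
```

Because the screen needs the plaintext, it fits naturally at login and at password-change time; that is also where a forced reset can refuse a replacement password that is itself in the corpus.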

WordPress' Immediate Response

To mitigate these attacks, WordPress has taken several proactive steps:

  • Forced Password Reset: WordPress initiated a mandatory password reset for all plugin authors and other users identified by security researchers as having credentials exposed in data breaches. This move aims to ensure that compromised passwords are no longer in use.
  • Encouraging Two-Factor Authentication: Plugin authors are strongly encouraged to adopt two-factor authentication to enhance account security.
  • Temporary Block on Plugin Updates: WordPress temporarily halted all new plugin updates unless they received explicit approval from the WordPress team. This precautionary measure was intended to prevent plugins from being updated with malicious backdoors. By Monday, WordPress confirmed that plugin releases were no longer paused.

Official Announcement

WordPress detailed their actions in an official announcement:

“We have begun to force reset passwords for all plugin authors, as well as other users whose information was found by security researchers in data breaches. This will affect some users’ ability to interact with WordPress.org or perform commits until their password is reset. You will receive an email from the Plugin Directory when it is time for you to reset your password. There is no need to take action before you’re notified.”

Addressing False Positives and Negatives

A discussion in the comments section between a WordPress community member and Francisco Torres, the author of the announcement, shed light on the complexities involved:

  • False Positives: WordPress discovered that some users identified in data breaches were actually using safe credentials.
  • False Negatives: Conversely, some accounts assumed to be safe were found to be compromised.

This led to the decision to force password resets for all identified users, ensuring a comprehensive approach to security.

Conclusion

WordPress’ decisive actions against supply chain attacks highlight the platform’s commitment to security. By enforcing password resets, encouraging two-factor authentication, and temporarily halting plugin updates, WordPress aims to protect its community from potential threats and maintain the integrity of its plugins.

© Intentify Media Group