Over the weekend, WordPress announced a temporary halt to plugin updates and implemented a mandatory reset of plugin author passwords. This measure aims to mitigate further website compromises stemming from the ongoing Supply Chain Attack affecting WordPress plugins.
Supply Chain Attack
Attackers have been compromising plugins directly by using credentials leaked in earlier data breaches that have nothing to do with WordPress itself. They specifically look for plugin authors who reused the same password on WordPress.org and on other sites that were previously breached, so that a password exposed elsewhere also unlocks the author's plugin account.
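One defensive check that follows from this is to test a plugin author's password against a corpus of breached passwords at login or password-change time without ever sending the password itself. The added example below (not code from WordPress.org or from the article) simulates the k-anonymity range-query approach: only the first five hex characters of the SHA-1 hash leave the client, and the matching is done locally. The breach corpus and counts are constructed for the demonstration.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: plaintexts seen in past leaks and
# how many times each was observed. A real deployment would query a breach
# data service; this is embedded so the example runs offline.
LEAKED_PASSWORDS = {"password123": 51_000, "letmein": 9_800, "Summer2024!": 3}


def build_range_index(leaked):
    """Index leaked hashes by their 5-hex-char SHA-1 prefix, the way a
    k-anonymity range service does, so a prefix query returns only suffixes."""
    index = defaultdict(dict)
    for password, count in leaked.items():
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
        index[digest[:5]][digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)


def range_lookup(prefix):
    """Simulated range query: every known suffix under `prefix` with its count.
    The server never learns which full hash the caller is interested in."""
    return RANGE_INDEX.get(prefix.upper(), {})


def breach_count(password, lookup=range_lookup):
    """Return how often `password` appears in the corpus (0 if never seen).
    Only the 5-character prefix is disclosed to the lookup; the suffix match
    happens on the caller's side."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return lookup(prefix).get(suffix, 0)


def acceptable_password(password):
    """Policy decision for a password reset: reject anything that has ever
    appeared in a breach, since it is exactly what credential-reuse attacks try."""
    return breach_count(password) == 0


if __name__ == "__main__":
    for candidate in ("password123", "letmein", "correct-horse-battery-staple"):
        print(f"{candidate!r}: seen {breach_count(candidate)} times, "
              f"accepted={acceptable_password(candidate)}")
```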
WordPress Takes Action To Block Attacks
The WordPress community responded swiftly to recent plugin compromises by implementing a mandatory password reset and advocating for plugin authors to adopt two-factor authentication.
Initially, WordPress temporarily halted new plugin updates unless approved by their team to prevent potential malicious activity like backdoors. However, by Monday, WordPress updated their stance, confirming that the pause on plugin releases had been lifted.
Regarding the forced password reset, WordPress stated:
“We have initiated forced password resets for all plugin authors and other users whose information was identified in security research related to past data breaches. This may temporarily affect some users’ ability to interact with WordPress.org or make commits until they reset their passwords.
You will receive an email notification from the Plugin Directory when it’s time to reset your password. Please wait for this notification before taking any action.”
In the comments section, a conversation between a WordPress community member and the announcement’s author revealed why WordPress did not directly contact the plugin authors identified as using “recycled” passwords: there was evidence that the data breach list was inaccurate. Some users’ credentials were falsely marked as safe (false positives), while, conversely, accounts assumed to be secure turned out to be compromised (false negatives). These findings prompted the current initiative of enforcing password resets across the board.
Francisco Torres from WordPress clarified:
“You’re correct that directly notifying individuals whose data was found in data breaches could heighten sensitivity. However, as mentioned earlier, this approach might be inaccurate for some users and could miss others. Since the onset of this issue, our focus has been on individually notifying users we are certain have been compromised.”
Original news from SearchEngineJournal