
Over the weekend, WordPress.org took significant action to address a supply chain attack affecting its plugin directory. It paused all plugin updates and began force-resetting plugin author passwords to prevent further website compromises linked to the attack.
Supply Chain Attack
The attack targets plugin authors directly: the attackers take credentials exposed in earlier, unrelated data breaches and try them against authors' WordPress.org accounts, which succeeds wherever an author reused the same password. With a compromised author account, an attacker can commit to that author's plugins and potentially insert malicious code that is then distributed to every site that updates.
WordPress’s Response
In response, WordPress has:
- Forced Password Resets: All plugin authors and users identified in data breaches have had their passwords reset to prevent unauthorized access.
- Blocked Plugin Updates: New plugin releases were temporarily held back unless reviewed and approved by the WordPress team, so that no backdoors or other malicious code could be introduced while the incident was being investigated.
- Promoted Security Measures: Plugin authors are encouraged to enable two-factor authentication (2FA) to further secure their accounts.
Update on Actions
By Monday, WordPress confirmed that the block on new plugin updates had been lifted. The announcement regarding password resets clarified:
“We have begun to force reset passwords for all plugin authors, as well as other users whose information was found by security researchers in data breaches. This will affect some users’ ability to interact with WordPress.org or perform commits until their password is reset. You will receive an email from the Plugin Directory when it is time for you to reset your password. There is no need to take action before you’re notified.”
Further Details
In a related discussion, WordPress acknowledged that not all users identified in the data breaches were contacted individually. Some lists contained false positives, where users’ credentials were actually safe, and others had false negatives, where compromised accounts were missed. Francisco Torres of WordPress addressed these concerns:
“We’ve opted not to directly contact users about potential breaches due to inaccuracies in the data. Instead, we are notifying only those users we are certain have been compromised.”
These proactive measures are designed to mitigate risks and bolster the security of WordPress plugins.