WordPress.org Plugin Supply Chain Attack

In today’s digital landscape, safeguarding data and infrastructure from malicious actors is critical. One significant threat that organizations face is the supply chain attack. The Committee on National Security Systems defines a supply chain attack as:

Attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle.

Supply Chain Attack – Glossary CSRC

In other words, a supply chain attack reaches a company's software and data by compromising a trusted partner or vendor. Rather than attacking the target directly, the attacker abuses the access and trust that the vendor already has, for example the ability to ship code that the target installs without question.

How does that apply to WordPress.org Plugins?

A recent supply chain attack was discovered in the WordPress.org plugin directory.

The Wordfence Threat Intelligence Team discovered that several plugins hosted in the WordPress.org plugin repository had been modified to infect websites with malware, delivered through ordinary plugin updates. The attacker obtained passwords for plugin developer accounts that had been exposed in earlier data breaches and reused on WordPress.org; those accounts are part of the supply chain that delivers third-party plugins to millions of WordPress websites. When a new version of a plugin is committed to the repository, every site running that plugin learns of it on its next update check and prompts the administrator to update. Worse, sites that have automatic updates enabled for the plugin install the new version without anyone reviewing it. An attacker who controls a developer account can therefore add malicious code to a plugin and ship it to every site that has the plugin installed. That is what happened here, and it affected thousands of websites.
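Automatic updates are what turn one compromised developer account into thousands of compromised sites within hours. A site operator cannot prevent a malicious release from being published, but can decide not to install it blindly. The mu-plugin below is an added example written for this article (it is not code from WordPress.org, Wordfence, or any plugin named above). It hooks WordPress' real `auto_update_plugin` filter and applies two rules: only plugins on an explicit allowlist may auto-update at all, and an offered release is held until this site has seen it advertised for a review window (three days is an assumed value), which gives researchers and the plugin team time to flag a bad release before it lands. The allowlisted plugin basenames and the option name are hypothetical.

```php
<?php
/**
 * Plugin Name: Auto-Update Quarantine (added example)
 * Description: Only auto-update allowlisted plugins, and only after an offered
 *              release has been visible to this site for a review window.
 *
 * Place this file in wp-content/mu-plugins/ so it loads on every request.
 * Illustrative code written for this article, not code from WordPress.org,
 * Wordfence, or any plugin discussed above.
 */

// Plugins allowed to auto-update at all. The basenames are hypothetical
// examples; replace them with the plugins you actually run.
const RKV_AUTO_UPDATE_ALLOWLIST = array(
	'akismet/akismet.php',
	'wordpress-seo/wp-seo.php',
);

// Review window: how long an offered release must have been seen by this site
// before it is applied automatically. Three days is an assumed value.
const RKV_QUARANTINE_SECONDS = 3 * 86400;

// Site option (hypothetical name) storing "plugin|version" => first-seen unix time.
const RKV_FIRST_SEEN_OPTION = 'rkv_update_first_seen';

/**
 * Pure policy decision, free of WordPress calls so it is easy to reason about.
 *
 * @param string $plugin      Plugin basename, e.g. 'akismet/akismet.php'.
 * @param string $new_version Version offered by the update API.
 * @param array  $first_seen  Map of "plugin|version" => unix timestamp.
 * @param int    $now         Current unix timestamp.
 * @return bool  True when the update may be installed automatically.
 */
function rkv_should_auto_update( $plugin, $new_version, array $first_seen, $now ) {
	if ( ! in_array( $plugin, RKV_AUTO_UPDATE_ALLOWLIST, true ) ) {
		return false;
	}
	$key = $plugin . '|' . $new_version;
	if ( ! isset( $first_seen[ $key ] ) ) {
		return false; // Never seen before: start the clock, install nothing yet.
	}
	return ( $now - $first_seen[ $key ] ) >= RKV_QUARANTINE_SECONDS;
}

/**
 * Callback for the auto_update_plugin filter. $item is the update object from
 * the update_plugins transient; it carries ->plugin (basename) and ->new_version.
 */
function rkv_auto_update_plugin_filter( $update, $item ) {
	if ( empty( $item->plugin ) || empty( $item->new_version ) ) {
		return false; // Malformed update item: fail closed.
	}

	$now        = time();
	$key        = $item->plugin . '|' . $item->new_version;
	$first_seen = get_site_option( RKV_FIRST_SEEN_OPTION, array() );
	if ( ! is_array( $first_seen ) ) {
		$first_seen = array();
	}

	// Record the first time this exact (plugin, version) pair was offered.
	if ( ! isset( $first_seen[ $key ] ) ) {
		$first_seen[ $key ] = $now;
	}

	// Prune stale records (older than 90 days) so the option does not grow
	// forever, but never prune the pair currently being evaluated.
	$first_seen = array_filter(
		$first_seen,
		function ( $ts, $k ) use ( $now, $key ) {
			return $k === $key || ( $now - $ts ) < 90 * 86400;
		},
		ARRAY_FILTER_USE_BOTH
	);
	update_site_option( RKV_FIRST_SEEN_OPTION, $first_seen );

	$allowed = rkv_should_auto_update( $item->plugin, $item->new_version, $first_seen, $now );
	if ( ! $allowed ) {
		// Surface held updates in the PHP error log so an operator can review them.
		error_log( sprintf( 'auto-update held: %s -> %s', $item->plugin, $item->new_version ) );
	}
	return $allowed;
}
add_filter( 'auto_update_plugin', 'rkv_auto_update_plugin_filter', 10, 2 );
```

Two caveats. The filter only governs background updates; an administrator clicking "Update now" still installs whatever version WordPress.org serves, which is deliberate, since that click is the human review step the window is meant to create. And the window is a bet that a malicious release gets noticed within it; a held update that nobody looks at is just a delayed one, so the `error_log` lines (or whatever alerting you route them to) need a reader. Checking installed files against WordPress.org's published checksums (WP-CLI's `wp plugin verify-checksums --all`) is a complementary control, but note that it detects tampering with local files, not a malicious version that was itself published to WordPress.org.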

Further details about the attack can be found at Wordfence’s Website: Developer Accounts Compromised Due to Credential Reuse in WordPress.org Supply Chain Attack.

Response

After the threat was discovered, WordPress.org paused plugin updates and began forcing a password reset on all plugin developer accounts, so that the exposed credentials could not be used again:

We have begun to force reset passwords for all plugin authors, as well as other users whose information was found by security researchers in data breaches. This will affect some users’ ability to interact with WordPress.org or perform commits until their password is reset.

Moving Forward

Looking ahead, WordPress.org has emphasized the importance of securing developer accounts by implementing measures such as two-factor authentication (2FA) and minimizing the access each account holds.

WordPress released an informative article on keeping your accounts secure. Some of the key takeaways include:

  • Limit the number of committers on each plugin and regularly prune accounts that no longer need access.
  • Grant each account the minimum access it needs for its function. For a site, that means giving a content writer a role that can create posts rather than full administrator access.
  • Enable two-factor authentication (2FA) on all accounts.
  • Enable Release Confirmation Emails. With this turned on, a newly tagged plugin release stays pending until a committer approves it through the confirmation email, so a commit made with a stolen password does not ship on its own.

These practices not only fortify WordPress.org accounts but also serve as sound guidelines for securing most online accounts. Two-factor authentication, least privilege, and regular pruning of accounts each add a layer of protection, so that a single compromised password, which is all the attacker needed in this incident, is no longer enough for unauthorized access.
