Please, Improve WP.org account’s security

  • Resolved Thomas Lartaud

    (@tlartaud)


    Hi,

    Could WP.org account’s security be improved?

    If in any way, an attacker stole your WP.org password, he can then:
    – Connect to your account without any verification (you won’t even know that)
    – Connect to your account without requiring any 2FA verification (either phone or Google Auth)
    – Change your password (you won’t even receive a notification)
    – Change your email (you won’t even receive a notification to confirm, WP just sends a confirmation to the NEW email set, is that a joke?)
    – Upload new updates for your own plugin using your own account
    – Update translations without verification if you are a verified translator

    Wow, seriously?
    That’s really scary.

  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Could WP.org account’s security be improved?

    Probably. For your own site you can and should use multifactor authentication if you feel the need. I recommend this one.

    https://wordpress.org/plugins/two-factor/

    There are others. That one supports time-based tokens and FIDO.

    If in any way, an attacker stole your WP.org password, he can then:

    [ List of things to do that active users do on WordPress.org ]

    Wow, seriously?
    That’s really scary.

    A little sense of proportion maybe? For this site WordPress.ORG:

    1. WordPress.org is an open source project staffed 100% by volunteers.
    2. There are no missile launch codes or systems here. That I know of.
    3. Accounts do occasionally get compromised. It’s happened.
    4. The only result was some spam that was picked up and dealt with. The account here was banned.
    5. Could a plugin author account get compromised? Sure. I think that either happened or a developer turned to The Dark Side. It was found and dealt with too.
    6. The original account holder who cared emailed forum-password-resets[at]wordpress.org about it.
    7. They got their account back and were asked to take care re account passwords.
    8. WordPress, and this place runs WordPress, can support up to… 4096 characters for a password? It’s up there.
    9. Email remains the worst, most unreliable method for notifying about account updates. It’s what the Internet has, but due to the fact this site sends a lot of email, sometimes some email systems deem it spam. Including important emails like “Heads up, your email and password changed”.

    No one here can use multifactor authentication.

    Multifactor authentication for this site was looked at but with that comes an administrative overhead. Who handles a scenario when a developer loses their one time codes? Is an email sufficient or a text message? And what happened when they lose access to the email or phone? Does this site also support FIDO hardware authenticators? What happens when casual users turn that on and lose their MFA and can’t log into the forums?

    This site is 100% volunteer staffed so there is no one to handle that administrative overhead.

    Strong passwords are now (or supposed to be, it may still be being tested) enforced here and people are encouraged to maintain good password practice.

    https://wordpress.org/support/article/password-best-practices/

    For your own site, look at installing multifactor authentication, enforcing strong passwords and making sure email works on your site.

    Thread Starter Thomas Lartaud

    (@tlartaud)

    You’re referring a lot to the headache required for security improvements, but I think it’s false.
    Email change sent to the new account is not aimed at security, it’s just built to make sure the email account actually exists. What about 2 emails sent? That would be quite simple to implement for someone used to the WP core architecture. I understand that a lost email account would require contacting WP support to allow email change, but that would be more secure.

    I’m not saying that the scenario I listed is something that will often happen, I’m just saying that the current architecture actually allows this scenario. E-mail notifications would be sufficient. It’s way harder to compromise a gmail account (which would be secured by 2FA, phone, password change notifications), than just a WP.org single password that can be stolen and then allow everything to be done on the site.

    Anyway, thank you for your answer and tips. I’m not trying to secure my own site, I was just asking for recommendations about the WP.org’s side. I was just hoping for some hidden features I would have missed.

    Best regards.
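The "2 emails sent" flow proposed above, as an added illustration that is not part of this thread and not WordPress.org's or WordPress core's code: a small, self-contained Python model of an email-change procedure in which the new address must confirm via a single-use, time-limited token, the current address is warned when the change is requested and again when it takes effect, and a password change notifies the current address. Account fields, the `outbox` list standing in for a mail transport, and the token lifetime are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a confirmation link

# Constructed stand-in for a mail transport: every "sent" message is recorded here.
outbox: List[Dict[str, str]] = []


def send_mail(to: str, subject: str, body: str) -> None:
    outbox.append({"to": to, "subject": subject, "body": body})


@dataclass
class Account:
    username: str
    email: str
    pending_email: Optional[str] = None
    pending_token_hash: Optional[str] = None  # only a hash is stored server-side
    pending_expires: float = 0.0


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _clear_pending(acct: Account) -> None:
    acct.pending_email = None
    acct.pending_token_hash = None
    acct.pending_expires = 0.0


def request_email_change(acct: Account, new_email: str, now: Optional[float] = None) -> str:
    """Stage a change: confirm at the NEW address, warn the CURRENT address."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    acct.pending_email = new_email
    acct.pending_token_hash = _token_hash(token)
    acct.pending_expires = now + TOKEN_TTL_SECONDS
    # 1) Proves the new mailbox exists and is controlled by the requester.
    send_mail(new_email, "Confirm your new email address",
              f"Confirm with token {token} (valid for {TOKEN_TTL_SECONDS // 60} minutes).")
    # 2) Gives the legitimate owner a chance to react before anything changes.
    send_mail(acct.email, "Heads up: an email change was requested",
              f"A request was made to change your address to {new_email}. "
              "It will not take effect until confirmed from that address. "
              "If this was not you, change your password and contact support.")
    return token  # in a real system this travels only inside the confirmation link


def confirm_email_change(acct: Account, token: str, now: Optional[float] = None) -> bool:
    """Apply the staged change only for a valid, unexpired token; notify both addresses."""
    now = time.time() if now is None else now
    if acct.pending_token_hash is None or acct.pending_email is None:
        return False
    if now > acct.pending_expires:
        _clear_pending(acct)  # expired tokens are discarded, not retried
        return False
    if not hmac.compare_digest(_token_hash(token), acct.pending_token_hash):
        return False  # constant-time compare; the staged change stays pending
    old_email, acct.email = acct.email, acct.pending_email
    _clear_pending(acct)
    send_mail(old_email, "Your email address was changed",
              f"The address on your account is now {acct.email}. Contact support if this was not you.")
    send_mail(acct.email, "Email address confirmed", "Your new address is now active.")
    return True


def notify_password_change(acct: Account) -> None:
    """Always tell the current address that the password changed."""
    send_mail(acct.email, "Your password was changed",
              "If you did not do this, reset your password and contact support.")


def messages_to(address: str) -> List[Dict[str, str]]:
    return [m for m in outbox if m["to"] == address]
```

The point the example makes is that the confirmation sent to the new address and the warning sent to the old address serve different purposes: the first establishes that the new mailbox is real, the second is what lets the account owner notice an unauthorised change while the old address still reaches them.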
