Could WP.org account’s security be improved?
If, in any way, an attacker stole your WP.org password, he can then:
– Connect to your account without any verification (you won’t even know that)
– Connect to your account without requiring any 2FA verification (either phone or Google Auth)
– Change your password (you won’t even receive a notification)
– Change your email (you won’t even receive a notification to confirm; WP just sends a confirmation to the NEW email set. Is that a joke?)
– Upload new updates for your own plugin using your own account
– Update translations without verification if you are a verified translator
That’s really scary.