As a follow-up to the Andrew Wilder (NerdPress) and Chloe Chamberland (Wordfence) reports that uncovered a limited number of compromised plugins, the Plugin Review team would like to provide more details about the case.
We identified that some plugin authors were reusing passwords that had been exposed in data breaches elsewhere. The compromised accounts were not the result of an exploit on WordPress.org. Instead, the attackers logged in with those recycled passwords (credential stuffing) and used the committer access to add malicious code to a few plugins on the WordPress.org Plugin Directory.
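The mechanism above is credential reuse: a password leaked from one site is tried against another. One check a plugin committer or a site operator can run against a candidate password is the k-anonymity lookup used by Have I Been Pwned's Pwned Passwords service, where only the first five hex characters of the SHA-1 hash leave the machine and the response is a list of `<suffix>:<count>` lines. The following is an added example written for this post, not WordPress.org code; the range response embedded in it is constructed (only the suffix for "password" is real), and the `live_fetch` helper is the optional network path.

```python
"""k-anonymity breach check for a candidate password (Pwned Passwords range format).

Added example, not WordPress.org code. The sample range below is constructed:
the first suffix really is the remainder of SHA1("password"); the other
suffixes and all counts are made up for the demonstration.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for what /range/5BAA6 would return: "<35 hex>:<count>" lines.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # suffix of SHA1("password")
        "003D68EB55068C33ACE09247EE4C639306B:3",        # constructed
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",        # constructed
    ]),
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (the service's hash format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the service, 35-char suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padding entries (count 0) parse harmlessly."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_fetch(prefix: str) -> str:
    """Range source backed by the constructed sample (no network)."""
    return SAMPLE_RANGES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real lookup: only the 5-char prefix is sent. Add-Padding hides the
    true result size from a network observer."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str] = offline_fetch) -> int:
    """Number of times the password appeared in the breach corpus (0 if never)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def should_reject(password: str, fetch_range: Callable[[str], str] = offline_fetch) -> bool:
    """Policy: any appearance in a breach corpus disqualifies the password."""
    return breach_count(password, fetch_range) > 0


if __name__ == "__main__":
    for candidate in ("password", "a long unique passphrase used nowhere else"):
        print(candidate, "->", "reject" if should_reject(candidate) else "ok",
              f"(seen {breach_count(candidate)} times in sample)")
```

Swap `offline_fetch` for `live_fetch` to query the real service; the full hash never leaves the process in either path, which is the property that makes this safe to run on a password you actually intend to use.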
First, out of an abundance of caution, additional plugin releases have been paused, and all new plugin commits temporarily need approval by the team. This way, we have the opportunity to confirm that the attackers cannot add malicious code to more plugins.
We have begun to force reset passwords for all plugin authors and some other users whose information was found by security researchers in data breaches. This will affect some users’ ability to interact with WordPress.org or perform commits until their password is reset.
**** Information about password deactivations ****
Your password was deactivated if you are a plugin author or committer. If you have an existing open session on WordPress.org, you will be logged out and need to reset your password.
To reset your password and regain access to your account, follow these steps:
1. Go to login.wordpress.org
2. Click on the link “Lost password?”
3. Enter your WordPress.org username
4. Click the “Get new password” button
5. Open your email and click the link to set a new password
Once you have reset your password, we encourage you to enable 2FA for your accounts and follow the recently outlined best practices.
<https://make.wordpress.org/plugins/2024/06/26/keeping-your-plugin-committer-accounts-secure/>
If you encounter any issues, please contact [email protected].
We will never ask you for your password via email.
The WordPress.org Team