Security Alert

WordPress Podcast (English)

Various attacks on WordPress user accounts have led to several plugins being compromised, allowing access to thousands of sites.

Remember that you can listen to this program from Pocket Casts, Spotify, and Apple Podcasts or subscribe to the feed directly.

Program transcript

Hello, I’m Javier Casares, and you’re listening to WordPress Podcast, bringing the weekly news from the WordPress Community.

In this program, you’ll find the information from June 24 to 30, 2024.

Is WordPress secure? The answer is clear and simple: yes. However, the users or individuals behind the entire Community are often the weakest link when it comes to IT security.

Earlier this week, some users experienced an attack on their accounts using usernames and passwords previously published in data breaches. At least five plugin developer accounts were compromised due to using the same password as on other hacked sites.

It’s important to note that in April 2021, the Release Confirmation system was launched. This system sends an email each time a change is attempted in the plugin’s repository data, which must be visited and confirmed for the new version to be released.

Additionally, for over six months and following an extended testing period, the option to activate two-factor authentication has been available to users. This means that even if passwords are leaked, a temporary second factor will always be required.

As an additional security measure, an email has been sent to all developers prompting them to “reset their password” when attempting to access WordPress, as passwords have been reset for security reasons.

Regardless of whether you are a developer or not, given the current situation, the best option is to visit login.wordpress.org, click on recover password, follow the process, and change it to a new one you have not used before. If you haven’t already, visit the edit your profile section where you can activate 2FA.

And speaking of security, WordPress 6.5.5 is the headliner for minor versions ranging from WordPress 4.1 to 6.5, addressing up to three vulnerabilities.

It’s important to remember that minor version updates do not change or break the functionalities of that WordPress version, so updating is crucial for the well-being of your site.

Speaking of new versions, the first release candidate for WordPress 6.6 is now available. This version should include all the final features of this release, so it is highly recommended to start testing to validate the compatibility of your site, plugins, and themes with a version scheduled to be released on July 16. This release also freezes text strings for translation and opens the WordPress 6.7 working branch.

With the arrival of this release candidate, the WordPress 6.6 Field Guide has also been released, a document that includes all the technical ch
