Making WordPress.org

Opened 7 weeks ago

Closed 7 weeks ago

#7851 closed defect (bug) (fixed)

Theme Submissions should require 2FA

Reported by: dd32 Owned by: dd32
Milestone: Priority: normal
Component: Theme Directory Keywords: has-patch
Cc:

Description

As part of increasing security, Theme Authors are required to have 2FA active on their accounts.

As part of submitting a new version of a theme, the user should be required to validate their 2FA details.

I'm not sure how best to handle this for initial theme submissions. The user doesn't require 2FA until they've got a published theme, but since we don't differentiate between upload new theme and upload update for theme - there's just a single form.

Perhaps we should simply require that the user sets up 2FA in order to submit a theme? This would increase the barrier to submission, but doesn't seem too burdensome.

A question is raised on themes.svn direct access though; as this won't validate their 2FA (for plugins, we use Release Confirmation) - perhaps we can rely upon using an SVN password here.

Related: #7704

Change History (4)

#1 @kafleg
7 weeks ago

Thank you for creating this ticket.

That would not be a burden from the security perspective. We can add information about mandatory 2FA when submitting the theme on the themes upload page. So, my recommendation is to enable the required 2FA setup for submitting the theme.

Thank you
KafleG

#2 @dd32
7 weeks ago

In 14254:

Theme Directory: Upload: Mark the file selection as required for theme submission, and hint we only want .zip files.

See #7851.

#3
7 weeks ago

This ticket was mentioned in PR #438 on WordPress/wordpress.org by @dd32.

  • Keywords has-patch added

Trac Ticket: https://meta.trac.wordpress.org/ticket/7851

Requires https://github.com/WordPress/wporg-two-factor/pull/322

Example of uploading a non-theme through the form:

https://github.com/user-attachments/assets/5efe43b4-176c-420c-927d-33843503bd51

Note: The upload form button needs a better state during submissions. With the old theme, the disabled state of the button on theme submit made it obvious something was happening, but the new theme doesn't include that state.

#4 @dd32
7 weeks ago

  • Owner set to dd32
  • Resolution set to fixed
  • Status changed from new to closed