Opened 7 weeks ago
Closed 7 weeks ago
#7851 closed defect (bug) (fixed)
Theme Submissions should require 2FA
| Reported by: | dd32 | Owned by: | dd32 |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Component: | Theme Directory | Keywords: | has-patch |
| Cc: | | | |
Description
As part of increasing security, Theme Authors are required to have 2FA active on their accounts.
As part of submitting a new version of a theme, the user should be required to validate their 2FA details.
I'm not sure how best to handle this for initial theme submissions. The user doesn't require 2FA until they've got a published theme, but since we don't differentiate between upload new theme and upload update for theme - there's just a single form.
Perhaps we should simply require that the user sets up 2FA in order to submit a theme? This would increase the barrier to submission, but doesn't seem too burdensome.
A question is raised on themes.svn direct access though, as this won't validate their 2FA (for plugins, we use Release Confirmation) - perhaps we can rely upon using an SVN password here.
Related: #7704
Change History (4)
This ticket was mentioned in PR #438 on WordPress/wordpress.org by @dd32.
7 weeks ago
#3
- Keywords has-patch added
Trac Ticket: https://meta.trac.wordpress.org/ticket/7851
Requires https://github.com/WordPress/wporg-two-factor/pull/322
Example of uploading a non-theme through the form:
https://github.com/user-attachments/assets/5efe43b4-176c-420c-927d-33843503bd51
Note: The upload form button needs a better state during submissions. With the old theme, the disabled state of the button on theme submit made it obvious something was happening, but the new theme doesn't include that state.
Thank you for creating this ticket.
That would not be a burden from the security perspective. We can add information about mandatory 2FA when submitting the theme on the themes upload page. So, my recommendation is to enable the required 2FA setup for submitting the theme.
Thank you
KafleG