This week’s post about a recommended plugin is really a two-in-one… we’re also announcing a new, free plugin that should be useful to everyone. It’s a new two-factor authentication plugin that we’ve just released on wordpress.org.
Two-factor authentication
What’s two-factor authentication (TFA)? Wikipedia’s article is here… but basically, it’s to do with securing your logins, so that there’s more than one link in the chain needing to be broken before an unwanted intruder can get in your website. By default, your WordPress accounts are protected by only one thing: your password. If that’s broken, then everything’s wide open.
Is this really important?
Rather than have me blather on about this, just read this: http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/ Frighteningly easy for the attackers to erase his digital life, was it not?
There are various solutions on WordPress for securing your login. They’re all about lowering the percentages – minimising risk. Anything that lowers the percentage at all has some value. One that helps a lot is a previously recommended plugin, BruteProtect, which blocks any logins at all from known-to-be-bad IP addresses, using the power of the cloud. Others are in my personal view less useful – e.g. adding a captcha to your login form, or making the visitor answer a maths question. Every little helps, but some of these will only help until the attackers tool up, and then you’re back to square one again.
To some extent, we’re always in an arms race. But genuine “two factor” security is about adding another layer entirely: not just inconvenience, not just the need to tool up, or attack from a new IP address, but something that the attacker can’t have. The most popular form of “two factor” is a security token of some sort (usually 6 numbers) that’s delivered to a device you have… and which only lasts for a short amount of time (e.g. 30 seconds – after which, the device will display a new code). The only way to log in legitimately whilst the plugin is active then becomes to physically get hold of the security token or mobile phone (as well as knowing the password).
We weren’t content with the existing solutions…
There are some decent two-factor WordPress plugins out there. We’ve used and recommended some. However, none of them hit all of the sweet spots that we wanted:
- Protects the WooCommerce login form as well as the WordPress dashboard’s login form. (Plugins not supporting this form will fail in one of two ways: either they effectively provide no two-factor authentication on it, or they will not allow anyone to log in through it).
- Allow each user at a certain level (e.g. admin, editor, ordinary user) to decide for themselves whether to enable two-factor authentication.
- Have a reasonably straightforward user interface
- Allow the user to configure TFA on the front-end of the website – i.e. without them needing to be able to see the WordPress dashboard
- Support standard protocols, allowing any TFA app to be used (e.g. Google Authenticator, Authy, or even… yes! … an app for my beloved Nokia).
- Display graphical QR codes (i.e. codes that your phone can scan)
- Have well-written code that follows WordPress standard practices (including security mechanisms). You’d be surprised how easy it is to find WP plugins for *security* that don’t do this. (Mistakes are one thing – we all make mistakes… but not using the mechanisms at all… that’s just nuts).
… so we made our own
So, what to do? Since this is WordPress, with the wonders of open source, we forked one that was decent enough, and made our own.
And here it is… “Two Factor Authentication”, free on the wordpress.org directory. We hope you like it – it’s just been launched. We recommend it to you all; there’s no good reason to not lock down your website, and in our view, TFA plus BruteProtect is the best straightforward way to do it in 2015.
Oh, and… you might by now have guessed where this is going. Two-factor authentication for customers will be coming to UpdraftPlus.Com!
David Anderson (founder, lead developer, UpdraftPlus).