Team Introductions and Roadmap Updates for iThemes Security

A few months ago I became lead developer of the iThemes Security project. Security as you know is a complex subject and we are committed at iThemes to providing the best security plugin possible to protect you and your WordPress sites. As such, I wanted to introduce myself and our iThemes Security team as well as give you a couple of updates on the plugin and some rationale and background for what’s next.

Introducing Your iThemes Security Team

First and foremost, I want you to know who’s involved in building and supporting iThemes Security. As I mentioned, I took over the project in February after the departure of the original plugin author and developer. I’ve been with iThemes for 7 years now (I started with Cory in our first office, a 350-square-foot one room space a couple blocks from our headquarter). I have developed and collaborated on projects like iThemes Builder, iThemes Sync and many more throughout the years. I’m a contributor to WordPress and have spoken at several WordCamps and presented in our community here a number of times. Recently, Aaron D. Campbell joined on the project to help with development. Before joining iThemes in June 2014, Aaron co-founded Range, an enterprise services agency and co-lead the WordPress 3.6 release. In addition to being a very talented WordPress developer, Aaron has also been a WordPress core security team member for the last two years and has helped us as a company keep track of and stay in line with WordPress developments. Last but certainly not least is Gerroald Barron, our awesome support lead. Gerroald handles all support for iThemes Security, in addition to helping with bug fixes and new features.

Our Goals and Mission for iThemes Security

Our goal and mission with iThemes Security is to provide an easy to use tool to secure and protect WordPress sites everywhere. WordPress sites have increasingly become a target, but there are security strategies that you can implement using iThemes Security to provide an extra layer of protection for your site.

In addition to the iThemes Security plugin, our goal is also to help educate WordPress users about best security practices so you can be informed about steps you can take to protect yourself and your website beyond using the plugin.

Reviewing the iThemes Security Roadmap

Over the past few weeks, our team revisited the iThemes Security roadmap with short-term milestones and long-term goals with the goal of building iThemes Security to be an even stronger tool for our community. We’re excited to get details about these new milestones and goals to you and will be sharing them very soon. 

One roadmap update we wanted to let you know about today is the GeoIP Banning feature request. This feature has been widely requested and was previously announced as a future feature. After numerous discussions within our team, we have decided that GeoIP Banning will not be part of our roadmap and is unlikely to be implemented in the future. I know that this is a disappointment to some of you, so please let me explain how we came to this decision.

5 Reasons GeoIP Banning Will Not Be Part of Our Roadmap

1. Blocking a country does not block that country’s attackers.

The primary idea behind a GeoIP Banning feature is that it protects your site against attackers. The theory is that some countries have more hackers than other countries, so blocking those countries will significantly reduce the potential of a successful attack against the site. The biggest flaw with this idea is that hackers are not limited to using IPs from just their country; they have IP addresses around the globe to use for their attacks. In other words, even if an attacker lives in a certain country, most of their requests are likely to come from outside that country. The reason that this is the case is that only the unskilled hackers use their own connections to launch attacks. Hackers with low budgets use anonymizer and free proxy services to launch their attacks. Such services are hosted all over the world and can be cherry picked to launch attacks from specific regions of the planet. Hackers with medium budgets can afford a variety of private VPN services, private proxies, and hosting with providers that are friendly to hackers. Successful hackers typically have hundreds of thousands to millions of hacked systems (referred to as a botnet) spread around the globe to use for their attacks.

2. Nearly half of the IPs are in the United States.

While it is true that blocking the majority of the world’s countries from logging into your site could potentially block a significant percentage of login attempts, it simply will not block enough to make it viable. To give some numbers, according to MaxMind, the go to source for GeoIP databases, they are tracking 3,615,573,718 IP addresses by country, 44% of which are associated with the United States. Assuming that we made this feature, if you allowed logins from the United States, you would instantly allow logins from just shy of half of all the possible IP addresses being tracked by country, including some of the most commonly used proxies and botnet addresses.

3. GeoIP Blocking provides less security than a slightly improved password.

Warning: I’m about to get fairly technical, and there will be math ahead! Let’s create a best case scenario for GeoIP blocking. At its absolute best it can block a percentage of attacks. If you allow IPs only from within the United States, that percentage is likely no more than 56%. Thus in an absolute best case scenario, where an attacker and their system are not smart enough to actually figure out that they need to use US based IPs (which is unlikely, but let’s give it the benefit of the doubt here), it will take them a little over twice as long to break your password with brute force as it would without the banning. Let’s compare that to lengthening your password. If your password is made of upper and lower case letters, numbers, and symbols, you have approximately 88 characters to choose from. Thus, extending your password by a single character will multiply the number of attempts needed to brute force it by 88. That’s right, adding a single character to your password is likely 44 times more effective at stopping a classic brute force attack than blocking all non-US IPs. Adding two characters to your password will require 7,744 times more attempts (88 × 88). This is roughly 3,872 times better than the best case scenario for Geo IP Banning, and again it only requires that you lengthen your password by two characters! This all basically boils down to something called password entropy. Password entropy is how password strength is measured. You can further increase the benefit here by making sure your password isn’t on a worst passwords of the year list or one of the top 100 passwords from the Adobe breach and that it is a long, random password that includes all the different types of characters listed previously.

4. Limiting access by states or cities is not a viable option.

Some may wonder then, if focusing on areas smaller than a country would be the solution. For example, rather than allowing all of the United States to log in, what if login access was limited to just a single state or city? The problem with this approach is that accuracy drops significantly when focusing on smaller areas. Based upon MaxMind’s own stats, country accuracy is 99.8%, state accuracy is 90%, and city accuracy is 81%. Accuracy rates of 81-90% are not good enough to build a feature like this. Imagine if one in every five to ten times you tried to log into your site you were blocked because your IP address wasn’t reporting accurately. However, even these accuracy rates are optimistic as the listed 81% city accuracy is only for the United States cities within 50km of the true location. By looking at the city database accuracy page, it can be seen that stats for exact city matching in the United States is just 53% with some countries having much lower accuracy, such as Australia which has an accuracy of just 15%. When considering that more and more people access their sites from mobile devices, things get worse. Accuracy rates for mobile devices are not listed, they are simply noted as being “lower” (see footnote #1). Being locked out of your site because of an inaccuracy in the GeoIP database, because you went out of town without updating your site’s settings first, because your connection keeps getting misidentified as another nearby city, or because you are on a mobile connection would make for a very poor feature.

5. Adding GeoIP Banning code would increase server load.

A GeoIP Banning feature comes with a cost. This isn’t a monetary cost; rather, it’s a server load cost. Every additional bit of code that has to run in order to create a page will increase the CPU load on the server. If you have a strong password and two factor authentication, you still have to fear a brute force attack. The fear isn’t that the attack will result in a compromised account; rather, it’s that the increased load on the server could compromise the stability of the site. And if the load on the server goes too high, the site will start to slow down for visitors. Depending on the hosting plan and server configuration, such load increase could also cause the site to break on some visits and could cause problems with your hosting provider. While the increase from this feature would be relatively small, it is still an increase which could make a very big difference to a site experiencing a brute force attack.

In Summary

There are a few specific reasons why we decided that GeoIP Banning was not the right feature for us to focus on:

1. Blocking IPs from a specific country does not block attackers from that country.
2. Allowing logins from the United States, which a significant number of iThemes Security users would, leaves almost half of all IPs as usable.
3. A strong password provides much more protection than a GeoIP Banning feature possibly can.
4. Allowing logins based upon states or cities is not a possible solution due to unacceptably low accuracy rates.
5. Adding this feature to a site would increase the load on the site when processing a login, magnifying the effect of a distributed brute force attack.

As we carefully considered all of the above, we realized that the benefit of GeoIP Banning was largely only perceived benefit, not standing up to actual scrutiny. We found that the only reason we tried to keep the feature on the list was because of the user demand for the feature rather than any actual benefit offered by the feature itself. While we have no doubt that many users would be happy if we added this feature, we decided that we needed to focus on features and enhancements that offered the most security benefit without requiring constant attention by the user (such as not having to remembering to change the settings to account for new users or for travel plans). Unfortunately, under those criteria, GeoIP Banning simply could not find a place on our roadmap.

Best Practices for WordPress Login Security

In the next week or two, we are starting a series of security-specific blog posts to talk about what security is and how to protect yourself in this world full of security threats. For now, these are our top recommendations to protect yourself against attacks on your login:

1. Use a strong password. While there isn’t a one-size-fits-all way of making a strong password, I highly recommend generating a random password with a minimum of 40 characters. An attacker could try to brute force that password all day, every day and still not succeed before the earth is swallowed by the sun. (With iThemes Security Pro, you can even Enforce Strong Passwords for all your users.)
2. Use a Password Manager like LastPass or 1Password. Most people cannot remember long, generated passwords. It’s for that reason that we highly recommend using a password manager. While there are many different managers to chose from, here at iThemes we are fans of LastPass. With LastPass, having very long, randomly-generated, unique passwords for every one of your sites and accounts is very easy to do. LastPass will even generate the password for you. LastPass also supports password sharing so that you can share specific passwords with coworkers, family, and friends. Just make sure to create a secure password for your LastPass account as it secures all your passwords. Setting up two-factor authentication on LastPass is also a must for that extra layer of security.
3. Enable two-factor authentication, one of our favorite features of iThemes Security. Setting this up for your user greatly increases security as even those with your username and password can’t log in as you without having access to your phone. This feature is so important that we are making it a big focus in a short term milestone. The goal is to greatly increase the number of two factor providers supported while making it as simple as possible for anyone to properly set it up for their user.
4. Enable iThemes Security’s Brute Force Protection feature. With this feature, your site joins a network of other sites, all watching for brute force attackers. When the network identifies an IP address being used to launch brute force attacks, all the sites on the network automatically block that IP address.

While we will have more recommendations and helpful details coming in future blog posts, doing the above will increase the security on your site well beyond what a GeoIP Banning feature is capable of offering.