In the second episode of WordPress Development Corner, we talk to WordPress developer Timothy Jacobs about the new Trusted Devices feature for iThemes Security Pro, our WordPress security plugin.
Michael: Hi everyone. Welcome to this edition of the Developers Corner. Today we have with us Timothy who is a developer on the iThemes Security Pro plugin, and today he’s here with us to talk about the new Trusted Devices feature. Timothy can you please tell us how you came up with the trusted devices feature?
Timothy: The idea for Trusted Devices came out of another popular feature request, which is to remember the current device you’re using for two-factor authentication. One of the things that’s annoying about two-factor authentication, or a bit of a hassle, is that every single time you log in, you have to enter your authentication code. You have to do it again and again, and if you’re using something like email, that might take a while. So when we were building out remember devices for two-factor authentication, we expanded our scope a bit to include something called trusted devices as a whole.
Trusted devices lets you manage the devices you’ve logged in with before, and it will alert you if you haven’t logged in from this device. We use that trusted device to help power remembering the device for two-factor.
Michael: Well that sounds great. Can you tell us why we should use this new feature?
Timothy: So trusted devices is great for two different kinds of users. One group of users who may really benefit are users who can’t or don’t want to use two-factor authentication. We greatly recommend using two-factor authentication because it highly strengthens the security of your account, but some users aren’t going to be able to use that, or they find it too complicated. So a trusted device works like this: if you’re logging in from a device that you haven’t logged in from before, it will send you an email that will let you know that happened, and you can stop the attacker from making any further progress by locking them out of that account. In the future we may expand this to having a sort of two-factor substitute, forcing users to confirm the device before anything can happen any further, and so we hope that for users who don’t want to enable two-factor it’ll be a somewhat added security protection for them. That’s for users like administrator users, who should hopefully already have two-factor authentication enabled because of its strength benefits.
We also have a feature called session hijacking protection, and the way that session hijacking protection works is that when WordPress logs you in, it gives you a session cookie. This session cookie is super important. It’s what lets you do anything in your WordPress website, and once that cookie is set, it lets you bypass things like your reCAPTCHA and entering your two-factor code, so if the attacker is able to compromise that session cookie, kind of like what happened to Facebook earlier this year, you can wind up in a lot of trouble, and that’s one of the things that session hijacking protection addresses. It locks down that session to the particular device that you used it on. The goal is that if you move around, like on your phone, it should still recognize that it’s the same device, but if that device strays too much it will force you to log in again, and you can even then block the device completely and change your password.
Michael: That is really amazing. I really like that. And then, what are the best practices for the trusted devices feature?
Timothy: There are two ways that trusted devices works. One is through a toolbar notification in your WordPress admin bar, and the other is through an email. The email is optional; it’s not enabled by default, but we highly recommend enabling it. What happens with the email is that whenever a new device logs in, that email gets sent out immediately, so we recommend keeping it on and keeping an eye on your inbox for those emails, and making sure that whenever you see one, you take action on it immediately.
Michael: What are the benefits of using the MaxMind API?
Timothy: So one of the ways that iThemes Security implements trusted devices is by looking at the user’s IP address. One of the ways that we could have done this is, if the IP address changes at all, we count this as a non-trusted device, but we didn’t find that particularly ideal, particularly for mobile users or people who are on the go. They’re going from one Wi-Fi point to another Wi-Fi point and their IP address might change, so one of the things that we do is use something called geolocation to constrain this to users who are in a particular area or within a number of miles of a particular area, and we use that in conjunction with a number of other factors, like the browser they are using. iThemes Security uses a number of free geolocation APIs, and these have OK API limits, but they might not be the most accurate or the most up-to-date. That’ll work out of the box, but what we recommend users do is use one of the MaxMind APIs. So we have the MaxMind database API, which is what most users might want to use right out of the box. It’s pretty simple to set up: you just click the button and it downloads, and you should be ready to go. The benefits are that you’re not sending an IP address to another server, it doesn’t take any time, and it’s reasonably accurate. So for people who are more concerned about the privacy implications, we would highly recommend enabling the MaxMind DB option just by clicking that download button. For users who want the highest degree of accuracy, we recommend that they use the MaxMind API.
MaxMind offers a number of APIs. We need to make use of something called the city-level position, and it’s fairly cheap and affordable, especially for the use case that we’re using in iThemes Security. If you enable that, you’ll make sure you have the most up-to-date, accurate information about IP addresses, so that you can keep users geolocated correctly and accurately.
Michael: That is awesome. This is one thing that we always say about Timothy. The reason why we love him is that everything is just so well thought out, down to the detail. Always impressed.
So how will restricting capabilities of an unrecognized session increase accuracy?
Timothy: So this is another great optional feature that we recommend using. One of the concerns is that when an attacker gains access to your account, they can use that to gain access to your server and install malicious code. So if they gain access to an administrator account on WordPress, they might be able to install a malicious plugin, they might be able to edit files, create new administrator accounts so they can get back in later, things like this. What restrict capabilities does is, whenever a user has successfully logged in from an unrecognized device, it restricts a number of these administrator-level capabilities so they can’t install anything anymore. They can’t manage files. They can’t even manage iThemes Security. We also prevent them from editing the WordPress user’s email address or their password, and so this is great for both administrator-level users and for subscribers or e-commerce customers, so that they don’t have their account further compromised and end up not being able to get in. One quick note about this option is that you will have to enable the email notification to enable the actual option.
Michael: When I first loaded this feature, it was love at first sight. It’s very, very cool. The remember my device feature request is even more impressive to me. I love the restriction of capabilities on unrecognized devices and mitigating the chances of someone going in there and making a muck of your site.
Timothy: Exactly. It’s one of the reasons that we make sure you have that notification required, so that you don’t get locked out yourself. So if it says that, hey, you’re on a non-trusted device, and you log into your website and you’re saying, whoa, this looks different, I can’t do all these different things, check your email. You probably got an email saying that, hey, we recognized an unrecognized login, and you just click that one button and all your access will be back to normal.
Michael: Very cool. I really like this a lot. Now, why is enabling the remember me setting not recommended for privileged users?
Timothy: So remember my device is the setting for two-factor authentication that lets you remember your device for 30 days, and while we’ve implemented this as securely as we can, it sets a cookie every single time you use it that’s a long and randomly generated value. There’s still a difference: when you’re using two-factor authentication, you need to open up your mobile app or open your email and provide that generated token in addition to your password. Here we’re generating what is essentially a one-time token for 30 days, and so that’s slightly reduced security, and so we recommend that administrator users not use this. You can change the roles that it’s allowed for. The recommendation is to enable it for non-privileged users, for things like your users, your customers, particularly if you’re doing a membership-based website where people might be talking about things that are important to them or their privacy is important. For those types of users, we recommend enabling trusted devices always. A user might as well use the best practices that are recommended for the highest level of security, however inconvenient it is to you at the moment. I promise it will never be as inconvenient as repairing your site and repairing the trust of your customers after your site’s been compromised.
Michael: Again, I just love this feature very, very much. I love the restrict admin capabilities on unrecognized devices, because if you have a new device and you log in, you quickly go to your email and you’re fixed and you’re good to go.
Timothy: Even if you’re using a strong password and two-factor authentication, the likelihood of your site getting compromised, or your personal email or account being used in a brute force attack, is slim, but if it does happen, for whatever reason, now they can’t really do anything.
Michael: Awesome, awesome feature. Great work. All of this came from a remember my device feature request, and then Timothy went above and beyond. I am really excited to see what you’re doing next.