Release Note: 2FA Codes Encrypted for Existing Security Pro Users

Written by Dan Knauss on April 18, 2023

Last Updated on April 18, 2023

We’re releasing iThemes Security Pro 7.3.2 today. This maintenance update will initiate a phased rollout that encrypts 2FA secret codes in the WordPress database by default.

Historically, iThemes Security didn’t encrypt the random secret codes for two-factor authentication in the database. This meant that an attacker who could exploit a hypothetical read-only SQL injection vulnerability, and who had also compromised a user’s password, could bypass the 2FA protections available for that user.

In October 2022, we added support for encrypting 2FA secrets. At the time, encryption was enabled by default for all new installs. Since then, existing installs have been shown a temporarily dismissible (30-day) notice in the Security Message Center prompting users to enable encryption. Our intention then was to automatically turn this feature on as a default setting for existing installs once we were confident it wouldn’t be disruptive.

We haven’t seen any bug reports since the initial release, so we’re now doing a staged rollout to Security Pro users using our Feature Flag system.

If you’ve already enabled encryption, great job! There isn’t any other action you need to take. If you’d like to enable encryption right now, you can do so from the iThemes Security Tools page. Look for the option called “Set Encryption Key.” If you’re a user of the free version of iThemes Security, a future update will automatically enable encryption for your site as well.

Over the next few weeks, iThemes Security Pro sites will check in to determine if it’s their turn to set up encryption. When encryption is enabled for your site, a new ITSEC_ENCRYPTION_KEY constant will be added to your wp-config.php file. The next time you log in using the Mobile App Two-Factor method, iThemes Security will attempt to transparently encrypt the secret key. If this isn’t possible, you’ll continue to log in as normal.

While we highly recommend setting up 2FA code encryption by default, if you’d like to opt out you can do so by setting the ITSEC_FF_enable_encryption constant to false in your wp-config.php file. If Write to Files is disabled in Security settings, the staged rollout will not take place.
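The following script is an added illustration, not iThemes Security’s own code, of the risk described above and of the mitigation this release rolls out: a TOTP secret stored in plaintext lets anyone who can read the database compute the same codes the user’s authenticator app shows, whereas a secret encrypted with a key that lives only in wp-config.php is useless to a database-only reader. All `example_` functions and the `EXAMPLE_2FA_ENCRYPTION_KEY` constant are hypothetical; the constant stands in for the key the plugin writes to wp-config.php, and the secret value is constructed for the demo. It runs with the PHP CLI and the OpenSSL extension.

```php
<?php
// Added illustration (not iThemes Security code): a plaintext TOTP secret in the
// database lets a database reader mint valid 2FA codes; encrypting it with a key
// kept outside the database (in wp-config.php) closes that path.
// All example_* names and EXAMPLE_2FA_ENCRYPTION_KEY are hypothetical.

// Plays the role of the key constant the plugin stores in wp-config.php.
// Constructed for this demo; a real key must be random, secret, and persistent.
define('EXAMPLE_2FA_ENCRYPTION_KEY', bin2hex(random_bytes(32)));

// RFC 4648 base32 decoder, sufficient for authenticator-app secrets.
function example_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(rtrim(strtoupper($b32), '=')) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) { throw new InvalidArgumentException("bad base32 char $c"); }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) { $out .= chr(bindec($byte)); }
    }
    return $out;
}

// RFC 6238 TOTP: 6 digits, 30-second step, HMAC-SHA1 (common authenticator-app defaults).
function example_totp_code(string $b32secret, int $unixTime): string {
    $counter = pack('J', intdiv($unixTime, 30));      // 64-bit big-endian step counter
    $hash = hash_hmac('sha1', $counter, example_base32_decode($b32secret), true);
    $offset = ord($hash[19]) & 0x0F;                   // dynamic truncation
    $binary = ((ord($hash[$offset]) & 0x7F) << 24)
            | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8)
            | ord($hash[$offset + 3]);
    return str_pad((string)($binary % 1000000), 6, '0', STR_PAD_LEFT);
}

// AES-256-GCM with a fresh nonce per secret; stored as base64(nonce . tag . ciphertext).
function example_encrypt_secret(string $secret, string $hexKey): string {
    $nonce = random_bytes(12);
    $tag = '';
    $ct = openssl_encrypt($secret, 'aes-256-gcm', hex2bin($hexKey), OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) { throw new RuntimeException('encryption failed'); }
    return base64_encode($nonce . $tag . $ct);
}

// Returns null when the key is wrong or the blob was tampered with (GCM tag check fails).
function example_decrypt_secret(string $blob, string $hexKey): ?string {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) { return null; }
    $nonce = substr($raw, 0, 12);
    $tag   = substr($raw, 12, 16);
    $ct    = substr($raw, 28);
    $pt = openssl_decrypt($ct, 'aes-256-gcm', hex2bin($hexKey), OPENSSL_RAW_DATA, $nonce, $tag);
    return $pt === false ? null : $pt;
}

// --- Demo with a constructed user secret (never reuse a published value). ---
$secret = 'JBSWY3DPEHPK3PXP';
$now = time();

// Before: the usermeta row holds the secret itself. Anyone who can read the table
// (read-only SQL injection, leaked backup) gets the same code the user's app shows.
$plaintextRow = ['user_id' => 42, 'meta_value' => $secret];
echo "code derived from plaintext row: ", example_totp_code($plaintextRow['meta_value'], $now), "\n";
echo "user's authenticator app shows:  ", example_totp_code($secret, $now), "\n";

// After: the row holds ciphertext; the key lives in wp-config.php, not in the database.
$encryptedRow = ['user_id' => 42, 'meta_value' => example_encrypt_secret($secret, EXAMPLE_2FA_ENCRYPTION_KEY)];
$wrongKey = bin2hex(random_bytes(32));               // a database-only reader has no key
var_dump(example_decrypt_secret($encryptedRow['meta_value'], $wrongKey));   // NULL
// The login path, which has the key, still recovers the secret and verifies the code.
$recovered = example_decrypt_secret($encryptedRow['meta_value'], EXAMPLE_2FA_ENCRYPTION_KEY);
echo "login path verifies: ", (example_totp_code($recovered, $now) === example_totp_code($secret, $now) ? 'yes' : 'no'), "\n";
```

The point to check on your own site after the rollout is the same one the demo makes: the key must live in wp-config.php (the ITSEC_ENCRYPTION_KEY constant), not in the database, and the stored meta value for an enrolled user should no longer be a readable base32 secret. Losing or rotating that constant without re-encrypting makes the stored secrets undecryptable, so back it up with the rest of wp-config.php.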

Dan Knauss

Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.
