iThemes Security

Release Note: 2FA Codes Encrypted for Existing Security Pro Users

We're releasing iThemes Security Pro 7.3.2 today. This maintenance update will initiate a phased rollout that encrypts 2FA secret codes in the WordPress database by default.

Dan Knauss

Historically, iThemes Security didn’t encrypt the random secret codes for two-factor authentication in the database. This meant that if an attacker were able to leverage a hypothetical read-only SQL injection vulnerability, and had also compromised a user’s password, they could bypass the 2FA protections available for that user.

In October 2022, we added support for encrypting 2FA secrets. At the time, encryption was enabled by default for all new installs. Since then, existing installs have been shown a notice (dismissible for 30 days at a time) prompting users to enable encryption in the Security Message Center. Our intention then was to automatically turn this feature on as a default setting for existing installs once we were confident it wouldn’t be disruptive.

We haven’t seen any bug reports since the initial release. So now we’re doing a staged rollout using our Feature Flag system for Security Pro users.

If you’ve already enabled encryption, great job! There isn’t any other action you need to take. If you’d like to enable encryption right now, you can do so from the iThemes Security Tools page. Look for the option called “Set Encryption Key.” If you’re a user of the free version of iThemes Security, a future update will automatically enable encryption for your site as well.

Over the next few weeks, iThemes Security Pro sites will check in to determine if it’s their turn to set up encryption. When encryption is enabled for your site, a new ITSEC_ENCRYPTION_KEY constant will be added to your wp-config.php file. The next time you log in using the Mobile App Two-Factor method, iThemes Security will attempt to transparently encrypt the secret key. If this isn’t possible, you’ll continue to log in as normal.

While we highly recommend setting up 2FA code encryption by default, if you’d like to opt out you can do so by setting the ITSEC_FF_enable_encryption constant to false in your wp-config.php file. If Write to Files is disabled in Security settings, the staged rollout will not take place.
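To make the mechanism concrete, here is an added illustration of the pattern described above: a TOTP secret store that keeps working with legacy plaintext rows and lazily encrypts each one on the user's next successful login, once a key constant exists in wp-config.php. This is example code, not iThemes Security's own implementation; the `enc:v1:` marker, the helper functions, and the constructed sample row are assumptions, and the key value is a placeholder generated at runtime.

```php
<?php
// Added example, not iThemes Security's code. Stands in for the key that the
// rollout writes to wp-config.php; the value here is a constructed placeholder.
define('ITSEC_ENCRYPTION_KEY', base64_encode(random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES)));
const ENC_PREFIX = 'enc:v1:';  // hypothetical marker separating ciphertext from legacy plaintext

function encryption_key(): ?string {
    if (!defined('ITSEC_ENCRYPTION_KEY')) {
        return null;  // no key in wp-config.php: keep working with plaintext rows
    }
    $key = base64_decode(ITSEC_ENCRYPTION_KEY, true);
    return ($key !== false && strlen($key) === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) ? $key : null;
}

function encrypt_secret(string $plain, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);  // fresh nonce per row
    $box   = sodium_crypto_secretbox($plain, $nonce, $key);
    return ENC_PREFIX . base64_encode($nonce . $box);
}

function decrypt_secret(string $stored, string $key): ?string {
    $raw = base64_decode(substr($stored, strlen(ENC_PREFIX)), true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) return null;
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);  // false on tamper/wrong key
    return $plain === false ? null : $plain;
}

// Called on a successful Mobile App 2FA login: returns the usable secret and,
// when a key is available, upgrades the stored row in place (the "transparent" step).
function secret_for_login(array &$usermeta): ?string {
    $stored = $usermeta['totp_secret'];
    $key    = encryption_key();
    if (strpos($stored, ENC_PREFIX) === 0) {
        return $key ? decrypt_secret($stored, $key) : null;  // ciphertext but no key: cannot verify
    }
    if ($key !== null) {
        $usermeta['totp_secret'] = encrypt_secret($stored, $key);  // migrate legacy plaintext
    }
    return $stored;  // no key yet: continue to log in as normal
}

// Constructed sample row, as a read-only SQL injection would see it before and after.
$row = ['totp_secret' => 'JBSWY3DPEHPK3PXP'];  // constructed base32 TOTP secret
$first  = secret_for_login($row);   // plaintext is used, row is re-written encrypted
$second = secret_for_login($row);   // later logins decrypt with the wp-config.php key
echo "stored now: {$row['totp_secret']}\n";
echo "secrets match: " . var_export($first === $second, true) . "\n";
```

After the first login the database column holds only ciphertext, so a database read alone no longer yields a working TOTP seed; the key lives in wp-config.php, which is why the rollout requires Write to Files.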
