To fully secure your WordPress site, you need a way to identify the devices that you and other users use to log in. Why? Because session hijacking is a real threat.
What is Session Hijacking?
In a nutshell, session hijacking is a way of taking over a web user's session by obtaining a valid user's session ID without their permission and then presenting it to the site to impersonate that authorized user.
For example, WordPress sets a session cookie every time you log into your website. Let's say you use a browser extension that its developer has abandoned and no longer updates for security issues. That neglected extension has a vulnerability that lets bad actors read your browser cookies, including your WordPress session cookie. An attacker who exploits it can piggyback on your login and start making malicious changes as your WordPress user, without ever knowing your password.
Because most WordPress admins aren’t aware of the risk of session hijacking, we created a way to protect your account, even when bad actors can find and exploit other vulnerabilities.
Using Trusted Devices in iThemes Security Pro
The Trusted Devices feature in the iThemes Security Pro plugin identifies the devices that you and other users use to log in to your WordPress site. Once your devices are identified, it can stop session hijackers and other bad actors from doing damage on your website: logins from unrecognized devices are restricted until the account owner confirms the device, adding another strong layer of security to your site.
Now, let’s take a look at how to get started with Trusted Devices in iThemes Security Pro.
After downloading and installing iThemes Security Pro, you'll see it listed in your installed plugins. You'll also see a new dashboard menu item called Security. Hover over it and click Settings. From the Features menu, toggle on Trusted Devices, then click the settings gear.
In the Trusted Devices settings, enable Restrict Capabilities.
iThemes Security now watches for logins from unrecognized devices. When one occurs, Trusted Devices restricts that session's administrator-level capabilities until the device is confirmed. This means that if an attacker were able to get into the backend of your WordPress site with a stolen password or cookie, they would not have the capabilities needed to make malicious changes to your website.
Next, enable the Session Hijacking Protection feature. This setting monitors whether a user's device changes during a session. If it does, iThemes Security automatically logs the user out, so a stolen session cookie replayed from another device cannot be used for unauthorized activity on the account, such as changing the user's email address or uploading malicious plugins.
Click the Save button to finalize your settings.
Now, click the User Groups link to enable Trusted Devices for specific users. Toggle on the setting for each user group that should use Trusted Devices. We recommend enabling it for any user who can make changes to your site, especially admin users.
Let’s also take a look at notification settings. After enabling the new Trusted Devices setting, users will receive a notification in the WordPress admin bar about pending unrecognized devices. Navigate to the Notifications menu and select “Unrecognized login.” If not already enabled, enable this notification. From here, you can customize the subject and the message your users will see if there is a login for their user from an unrecognized device.
Now, let's take a look at how users will set up and approve their Trusted Devices. From now on, you'll receive a notification in the WordPress admin bar if a login occurs with an unrecognized device. You'll see this new menu item as "Login Alerts" in the top admin bar.
If your current device hasn't been added to the Trusted Devices list, click the Approve link to send the authorization email. Check your inbox, then click the Confirm Device button in the Unrecognized Login email to add your current device to the Trusted Devices list.
If this wasn't you, immediately click the Block button. You can also block a device from the email notification that alerts you to a new login from an unrecognized device. Clicking "This was not me" automatically logs out all of your sessions and forces you to change your password.
Users can then manage devices from their WordPress User Profile page. From this page, you'll see a list of all devices that have been used to log in with your user. From here you can approve or deny devices in the Trusted Devices list.
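To make the two mechanisms above concrete, here is an added example, written for this article and not code from the iThemes Security Pro plugin, that models how a session store can bind each session to a device and act on it: an unrecognized device gets a reduced capability set until it is approved, a session whose device changes mid-request is destroyed (the replayed cookie scenario), and a "This was not me" block destroys every session for the account and forces a password reset. The device fingerprint (a hash of the user agent and the first three octets of the IP address), the capability sets and the user, device and IP values are all constructed assumptions for the demo; they are not how the plugin identifies devices.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed capability sets for the demo (not the plugin's actual lists).
ADMIN_CAPS = {"edit_posts", "install_plugins", "edit_users", "manage_options"}
RESTRICTED_CAPS = {"edit_posts"}  # what a session from an unrecognized device keeps


def device_id(user_agent: str, ip: str) -> str:
    """Hypothetical device fingerprint: user agent plus the /24 of an IPv4 address,
    so a user whose address moves within one network is not logged out."""
    prefix = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{prefix}".encode()).hexdigest()[:16]


@dataclass
class Session:
    user: str
    device: str


@dataclass
class User:
    name: str
    trusted: set = field(default_factory=set)   # approved device ids
    pending: set = field(default_factory=set)   # shown as "Login Alerts" in the admin bar
    password_reset_required: bool = False


class SessionStore:
    def __init__(self):
        self.users = {}
        self.sessions = {}  # session token (the cookie value) -> Session

    def login(self, name: str, user_agent: str, ip: str) -> str:
        user = self.users.setdefault(name, User(name))
        dev = device_id(user_agent, ip)
        if dev not in user.trusted:
            user.pending.add(dev)
        token = secrets.token_hex(16)
        self.sessions[token] = Session(name, dev)
        return token

    def capabilities(self, token: str) -> set:
        """Restrict Capabilities: full admin rights only from a trusted device."""
        s = self.sessions[token]
        return ADMIN_CAPS if s.device in self.users[s.user].trusted else RESTRICTED_CAPS

    def request(self, token: str, user_agent: str, ip: str):
        """Session Hijacking Protection: returns ('ok', caps) or ('logged_out', reason)."""
        s = self.sessions.get(token)
        if s is None:
            return ("logged_out", "no session")
        if not hmac.compare_digest(device_id(user_agent, ip), s.device):
            del self.sessions[token]  # cookie presented from a different device: log out
            return ("logged_out", "device changed mid-session")
        return ("ok", self.capabilities(token))

    def approve(self, name: str, dev: str) -> None:
        u = self.users[name]
        u.pending.discard(dev)
        u.trusted.add(dev)

    def block(self, name: str, dev: str) -> None:
        """'This was not me': drop every session for the account and force a reset."""
        u = self.users[name]
        u.pending.discard(dev)
        self.sessions = {t: s for t, s in self.sessions.items() if s.user != name}
        u.password_reset_required = True


def demo() -> dict:
    store = SessionStore()
    laptop = ("Mozilla/5.0 (Macintosh)", "203.0.113.10")      # constructed owner device
    attacker = ("Mozilla/5.0 (X11; Linux)", "198.51.100.7")   # constructed attacker device
    out = {}
    token = store.login("alice", *laptop)
    out["first_login_caps"] = store.request(token, *laptop)       # restricted until approved
    store.approve("alice", device_id(*laptop))
    out["after_approve"] = store.request(token, *laptop)          # full admin caps
    out["replay"] = store.request(token, *attacker)               # stolen cookie replayed
    out["owner_after_replay"] = store.request(token, *laptop)     # session is gone for everyone
    t2 = store.login("alice", *attacker)                          # attacker has the password
    out["attacker_caps"] = store.request(t2, *attacker)           # still restricted
    store.block("alice", device_id(*attacker))
    out["attacker_after_block"] = store.request(t2, *attacker)
    out["reset_required"] = store.users["alice"].password_reset_required
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the demo is the order of events: the replayed cookie is rejected the moment it arrives from a different device, and that rejection also ends the legitimate owner's session, which is the cost of the feature and why the text recommends it only for users who can change the site. The attacker who instead logs in with a stolen password gets a session, but only with the restricted capability set until someone approves the device.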
And, there you have it. Trusted Devices are just one of the many ways iThemes Security works to lock down your WordPress site and stop automated attacks. You deserve peace of mind when it comes to your WordPress website, so iThemes Security is designed to provide you with the maximum amount of security without slowing your site down. And, if you build or manage WordPress sites for clients, iThemes Security has client-driven features designed to make your work easier.