WordPress needs protection even though it is strong

WordPress plugins and themes are a potential weak point but passwords are the weakest link by far. Using 2FA to protect WordPress accounts is necessary.

Passwords are bad ideas

You have always protected your WordPress login with your username and a really strong password, right?  The problem with this is that we have seen more and more password compromises recently. Passwords are based on the concept of being something that is easy for you to remember but difficult for someone else to guess.  That doesn’t really work, and this is why:

  • Humans have lousy memories: This causes us to create passwords that are less than ideal. The old saying is that if you can remember it, it isn’t strong enough. Hackers leverage tools that “guess” massive numbers of passwords in very short periods of time, and they always start with passwords that are easily remembered.
  • Online fatigue – Because we have too many online accounts, we fail to have unique passwords for each and every one of them. This causes us to reuse passwords.  Hackers use their tools to test thousands of stolen passwords at popular sites. If a password is recycled, it is likely that it will gain them access to other valuable sites.
  • Security fatigue is a real thing. Creating more and more complex passwords is exhausting. Therefore users tend to give up and use a small arsenal of regular passwords shared across multiple accounts.

Compromises can be a disaster

When a hacker gets your WordPress login, they can gain access to your site and use it to send spam and hack other sites. But this isn’t the worst. Any hacker that gains access to a site will immediately install backdoors that allow them back in should you discover and fix their intrusion. They will harvest information on your users and attempt to gain access to their accounts as well.

Once you clean the hacker out of your site, they will just trigger another backdoor and start the process over again. They are like a visiting relative that won’t leave.

2FA is the answer

Two-factor authentication adds a second layer to the conventional password.  After entering your name and password, you are then required to enter another piece of information that is based on something that you have in your possession, like a cell phone. This piece of information is generally short lived and expires every thirty seconds or so. So even if someone gets your password, it is unlikely they will have access to the second factor that is required to log in.

The most common 2FA solution

Software token-based 2FA is the easiest and most widely adopted solution. You download an app on your phone and install a plugin in WordPress that uses it when logging in.  Here are several of the most popular 2FA apps:

Authy – https://authy.com/download/
Duo – https://duo.com/product/multi-factor-authentication-mfa/duo-mobile-app
Google Authenticator – https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_US&gl=US
Google Authenticator in Apple App Store – https://apps.apple.com/us/app/google-authenticator/id388497605

There are many WordPress plugins that enable 2FA, but we recommend only one:

Wordfence – https://wordpress.org/plugins/wordfence/

Install Wordfence using Duo

If you have a WordPress site, you really MUST be using a 2FA solution like Duo. We can set that up for you: contact us here and request that service. If you are the Do It Yourself type, here are the steps to install Wordfence, enable 2FA and configure Duo.

Install Wordfence Plugin

First, log into your WordPress dashboard and install and activate the “Wordfence” plugin. We will not cover that here. It is a basic WordPress function and is covered by other web tutorials.

Second, install Duo or one of the other authenticators on your phone.  Again, we will not cover that process here.

After installing Wordfence, give them your email address and accept the license terms. The mailing list is optional but it pays to be kept in the loop.

Enter the premium key

Enter the premium key if you have bought it or click “No Thanks.”  We highly recommend the premium version.  If you purchase it through us, we will install and manage it for you including monitoring the scans and firewall issues. Purchase it from us here: https://www.webquarry.com/client/cart.php?a=add&pid=43

Entering the Wordfence premium key

Require 2FA for admin users

In the WordPress dashboard, go to the Wordfence login security settings and tell it that 2FA is required for admin users:

Enabling 2FA in the Wordfence login settings

You can choose to require it, make it optional, or disable it for all roles. We recommend that you require it for all Admin users and make it optional for everyone else. Click Save.

Add your website to Duo on your phone

Pull out your phone and launch the Duo or Google Authenticator app.  Click the Add button, then tell it to use a QR code. Scan the QR code that you see on your computer screen with your cell phone camera.   It will add an entry in Duo or Google Authenticator for your website.

Scanning the QR code

Save the scratch codes

Download the scratch codes. If you lose access to your phone, these codes will get you back in. Keep them in a secure place.

Confirm the 2FA code displayed in your phone

After scanning the QR code, your phone will be displaying a six-digit code for your website that changes every 30 seconds. Enter the currently displayed code into the confirmation field and click Activate to prove that you have it correctly set up in Duo.  Your website is now protected by 2FA.

That’s it!

Congratulations! You have protected your site with 2FA logins. As a consequence, logging in will be a little different. You must provide your username and password as usual. After you enter the username and password correctly, you will see a new window that asks for your 2FA code. Open Duo or Google Authenticator on your phone, find the entry for your website to see the current six-digit code, and enter it in the 2FA Code window on your computer.

You are in! This is a great first step toward making your website more secure. Webquarry’s Managed WordPress hosting is what you need to make sure your site stays secure and operational. We recommend the Premium version of Wordfence and will install and manage it for you:

https://www.webquarry.com/client/cart.php?a=add&pid=43

Have questions?