Does email work with your WordPress installation? When someone leaves a comment on your blog or your WordPress installation automatically updates to a minor version number such as 4.4 to 4.4.1 do you get that email?
You did get those emails? Great! Now go, install and activate the Two Factor Authentication plugin maintained by George Stephanis. I’ll wait.
Now that you have done that, on the top right corner of your dashbaord is a “Howdy, User” link. Click that and select Edit My Profile. Scroll down on your profile page and enable the first two options. That’s “Email” and “Time Based One-Time Password (Google Authenticator)”.
I made the Google Authenticator my primary means of logging in. I keep the app on my password protected iPhone, it’s a one-time password (OTP) generator and it doesn’t need access to Google to work. It’s time based after all.
What is two factor authentication (2FA)?
2FA is a means to increase the confidence when you log in that you are in fact who you say you are.
When you log into WordPress, you use an ID and password. The security is in the password and should be along the lines of “gHJjgbtjXa9FLyGkhaHR0o” which I got courtesy of my 1Password app. That password is one factor of authentication. Your password is something that you know.
The second factor is what you have in your possession. In my case it’s my Google Authenticator app on my iPhone.
When I log into my WordPress site I am prompted for my username and password. Once that is successful I am then asked for my authentication code.
Which I get from my app. If that does not work then I click on the backup method and soon get a code via email. I enter that code and I am in, which is why I asked if mail works at the beginning of this post.
Mail needs to work. So does good time keeping.
My multisite installation is on a VPS and I run NTP. I have to because on a VPS the time will drift (on anything really) and if my server’s time is far enough out of sync then my OTP will not work. Or my phone could be dead but I still can access my email.
By configuring the email as a fallback I have another way to get into my installation. That email code is good till it’s used or is replaced and can get you out of a bind.
2FA needs to be built into core
Having 2FA in WordPress as a built-in option moves the security bar farther. It increases the security posture for users and if it is an option, if it’s easy to setup then it will be adopted by users.
Yes, it will take some education for people to use it properly but that is not insurmountable.
In the past, users would install WordPress and forget to maintain them. The other day I came across a 3.5.2 installation. That was released in July 2013. In Internet years that’s ancient and there are several known exploits out there. The 3.5.x code isn’t maintained.
As of version 3.7 minor release updates are turned on automatically by default. If you installed 3.7 and did not do anything else then as of today you are or will be running 3.7.12 shortly. Major version upgrades are not automatic so 3.7.x will not update to 3.8 or even to the current 4.4.1. The major versions need to be updated by the user initiating that upgrade, although some forward thinking hosts will do it for you anyway.
Automatic updates are a result of the developers wanting the environment to become more secure. Unpatched WordPress installations were the cause of compromised sites that sent spam, spread spammy links and made the Internet neighborhood a worse place to be.
It also gave WordPress an unjustifiable reputation for being insecure because users did not maintain their code.
Having 2FA is similar to enabling TLS on your WordPress installation. If your server supports HTTPS just update your Site URL and WordPress Address, perform a little search and replace for the old http:// references to their TLS versions and you are done. More and more sites are defaulting to https because it’s easy.
2FA is like that, it’s a step in the direction of users taking their security into their own hands. It’s educational too, meaning that once it’s setup and working you’ve learned something new.
What about the Support Team’s concerns?
Mika Epstein, myself and others expressed reservations not about having 2FA built into WordPress. We like this idea. Our concerns were along the lines of “How can we walk the user through disabling 2FA if they bork it badly?”
The idea we expressed was that this should be enabled by editing the wp-config.php file by hand, just as you have to do when you enable multisite. If you can do that successfully then you are technical enough for 2FA. The words I used were “you need to be this tall to enable this feature”.
I don’t think that anymore. If someone’s email is working then they can get back into their installation with the emailed access code.
What I’d like to avoid is the situation that exists with password resets. If you look at the WordPress Codex article about resetting your password then you may understand.
For manual password resets I encourage users to add a line to their theme’s functions.php file but that can be dicey. If they typo that file they can break their whole site. That’s still more appealing for me than trying to walk a user through using phpMyAdmin.
Manual password resets is difficult for regular users. If they can enable 2FA and have a not too difficult way to disable it then any reservations I’ve had are gone. I know this is being worked on and I would really like to see this properly put into WordPress 4.5.
It’s something that can make the Internet neighborhood a more secure place to be.