Yesterday I went to work at a data center in NJ. I don't often go as the round trip is more than 5 hours on the road. I had to do some heavy lifting and I wasn't sure if I had access to the last place I needed. So my pal walked me to the man trap there so I could check.
Man traps worked like this: I badged into the trap, and the first door closed me into a small room. I badged at a second door, added another type of mandatory authentication, and the second door would open. If it didn't work then the first door would unlock and I would have had to exit and try again. Or I just didn't have access and I wasn't getting in.
I did this. The second door opened. Sweet! I walked through and waited for my friend to join me.
Once I closed the second door on the data center side, the LCD panel lit up RED and the speaker started loudly repeating these words.
PIGGY BACK ALERT! AN ATTEMPT TO PIGGY BACK INTO THE DATA CENTER WAS MADE!
That happened. It was loud. It did not stop; it just yelled at me on a loop.
The stern recorded voice just kept repeating that. I was in the data center and the door would not open to let me exit. There was an emergency open door exit button for safety but there was no way I was going to set off that alarm too. I was not in any danger.
I had to call my pal on his cell. He was on the other side of the man trap and he could not come in either. The speaker was on both sides and we were both getting yelled at by a recording.
In short, I put that section of the data center into lock down mode.
What happened was that the first door's handle was not quite in the fully reset position. The door was locked magnetically (I checked) but it wasn't considered fully closed. When I went past the second door, pandemonium was the result.
A security guard came and reset the system. He was a good sport about it, and it had happened to other people before. I tried a couple more times just to be safe. It was all good now.
I'm just glad the local cops weren't called. That would not look good on my next employee review.
I am in the process of handing over a site to someone who has not used WordPress before and doesn't necessarily know where everything lives and how it works. I thought it would be a good idea for me to document how to use the free UpdraftPlus plugin.
I use the commercial version of this plugin because it is fire-and-forget for my multisite installation. But if you are running a standalone installation of WordPress, then the free version is a suitable option.
Does email work with your WordPress installation? When someone leaves a comment on your blog, or your WordPress installation automatically updates to a minor version number such as from 4.4 to 4.4.1, do you get that email?
Now that you have done that, on the top right corner of your dashboard is a "Howdy, User" link. Click that and select Edit My Profile. Scroll down on your profile page and enable the first two options. That's "Email" and "Time Based One-Time Password (Google Authenticator)".
I made the Google Authenticator my primary means of logging in. I keep the app on my password-protected iPhone; it's a one-time password (OTP) generator and it doesn't need access to Google to work. It's time based, after all.
What is two factor authentication (2FA)?
2FA is a means to increase the confidence, when you log in, that you are in fact who you say you are.
When you log into WordPress, you use an ID and a password. The security is in the password, which should be along the lines of "gHJjgbtjXa9FLyGkhaHR0o" (mine came courtesy of my 1Password app). That password is one factor of authentication: your password is something that you know.
The second factor is what you have in your possession. In my case it’s my Google Authenticator app on my iPhone.
When I log into my WordPress site I am prompted for my username and password. Once that is successful I am then asked for my authentication code, which I get from my app.
If that does not work then I click on the backup method and soon get a code via email. I enter that code and I am in, which is why I asked if mail works at the beginning of this post.
Mail needs to work. So does good time keeping.
My multisite installation is on a VPS and I run NTP. I have to, because on a VPS (on anything, really) the clock will drift, and if my server's time is far enough out of sync with my phone's then my OTP will not validate. Or my phone could be dead, but I can still access my email.
By configuring the email as a fallback I have another way to get into my installation. That email code is good until it's used or replaced, and it can get you out of a bind.
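As an added illustration (not code from the original post or from the WordPress plugin), here is a minimal RFC 6238 TOTP check that shows why the server clock matters: the verifier tolerates one 30-second step of drift either way, and anything beyond that rejects a perfectly good code. The secret and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo secret in the base32 form an authenticator app enrolls;
# it is an example value for this write-up, not a real credential.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP = 30    # RFC 6238 default time step in seconds
DIGITS = 6   # what Google Authenticator displays


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a zero-padded decimal code."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP is HOTP with counter = floor(unix_time / step);
    no network access is needed, only the shared secret and a clock."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32: str, submitted: str, server_time: int,
                window: int = 1) -> bool:
    """Accept the code for the server's current step or +/- `window`
    adjacent steps, so small clock drift still logs the user in.
    Comparison is constant-time so digit matches are not leaked."""
    counter = server_time // STEP
    return any(hmac.compare_digest(hotp(secret_b32, counter + k), submitted)
               for k in range(-window, window + 1))


def login_with_skew(phone_time: int, server_skew_seconds: int) -> bool:
    """The phone derives the code from its own clock; the server checks it
    with a clock that is `server_skew_seconds` off. Returns whether login
    succeeds, i.e. whether the drift stayed inside the accepted window."""
    code = totp(DEMO_SECRET_B32, phone_time)
    return verify_totp(DEMO_SECRET_B32, code, phone_time + server_skew_seconds)


if __name__ == "__main__":
    t = 1_000_000_005  # constructed timestamp, 15 s into a 30 s step
    print("drift +20 s:", login_with_skew(t, 20))   # True, adjacent step
    print("drift +90 s:", login_with_skew(t, 90))   # False, three steps out
    print("drift -90 s:", login_with_skew(t, -90))  # False, time to run NTP
```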
2FA needs to be built into core
Having 2FA in WordPress as a built-in option raises the security bar. It improves users' security posture, and if it is offered as an option and is easy to set up, then users will adopt it.
Yes, it will take some education for people to use it properly but that is not insurmountable.
In the past, users would install WordPress and forget to maintain it. The other day I came across a 3.5.2 installation. That was released in July 2013. In Internet years that's ancient, there are several known exploits out there, and the 3.5.x code isn't maintained.
As of version 3.7, minor release updates are turned on automatically by default. If you installed 3.7 and did not do anything else, then as of today you are, or shortly will be, running 3.7.12. Major version upgrades are not automatic, so 3.7.x will not update to 3.8 or even to the current 4.4.1. Major versions need to be updated by the user initiating that upgrade, although some forward-thinking hosts will do it for you anyway.
Automatic updates are a result of the developers wanting the environment to become more secure. Unpatched WordPress installations were the cause of compromised sites that sent spam, spread spammy links and made the Internet neighborhood a worse place to be.
It also gave WordPress an undeserved reputation for being insecure, when the real cause was users not maintaining their code.
Having 2FA is similar to enabling TLS on your WordPress installation. If your server supports HTTPS just update your Site URL and WordPress Address, perform a little search and replace for the old http:// references to their TLS versions and you are done. More and more sites are defaulting to https because it’s easy.
2FA is like that: it's a step in the direction of users taking their security into their own hands. It's educational too, meaning that once it's set up and working you've learned something new.
What about the Support Team’s concerns?
Mika Epstein, I and others expressed reservations, though not about having 2FA built into WordPress; we like that idea. Our concerns were along the lines of "How can we walk the user through disabling 2FA if they bork it badly?"
The idea we expressed was that this should be enabled by editing the wp-config.php file by hand, just as you have to do when you enable multisite. If you can do that successfully then you are technical enough for 2FA. The words I used were “you need to be this tall to enable this feature”.
I don’t think that anymore. If someone’s email is working then they can get back into their installation with the emailed access code.
Manual password resets are difficult for regular users. If they can enable 2FA and have a not-too-difficult way to disable it, then any reservations I've had are gone. I know this is being worked on and I would really like to see it properly put into WordPress 4.5.
It’s something that can make the Internet neighborhood a more secure place to be.
Reviewing a male IT candidate to hire, in the closed room meeting where someone said “Don’t hire him, he’s about the right age for having a baby”?
Or that time in another closed room meeting someone else said “I’m going to remove points from that candidate because he’s a man“?
Or that time someone else said “I don’t like his attitude, he’s bossy”?
Or that time the women crowded around the one man in the room and talked over him? His idea was eventually the one that solved the problem, but a week was wasted because he was a man. You remember that time, right?
Or the time a woman got in a man's face at work and started screaming at him because in her native culture men don't talk to women with authority?
Or that time at work when women questioned a man’s sexual preferences behind his back because he was effective and managed his project well?
Or that time when an extremely well qualified man with certifications, training and experience came to present his company’s product and all the women did was fawn over his looks? That meeting where the women could not even remember the product name or function?
Or my favorite, where a man and all of his work was dismissed with a one syllable word that’s not ever used in polite company? You have to remember that time.
None of that ever happened; you have to replace all the above male references with female ones.
Once you’ve done that, then you have to realize that it happens all the time. I’ve seen it and I’ve almost always replied with “Stop and take that back. I’m not kidding, you will be reported to HR.” The one time I didn’t was when another two coworkers beat me to the punch.
The amount of bullshit professional women deal with is exhausting to look at. To. Look. At. I can’t imagine what it must be like to live with that nonsense day in and day out.
No actually, I can imagine it. I married the smartest woman I know. I do that weird thing where I like to listen to women and I talk to her all the time.
I've heard what it was like for her to be a professional with a) an MBA in International Business, b) a second MBA degree in Advanced Accounting, c) being a CPA and d) many years of experience in corporate America managing a department of 40 people. It wasn't easy for her ever, and the misogynistic nonsense was a constant drag. It was a real and tangible component of every work day.
How different would the world be if the playing field removed that nonsense? What else could women accomplish if they didn’t have to deal with the weight of this crap and microaggression?
*Re reads Lily’s education and experience*
Wow. Did I marry up.
I'm a man in an industry that caters to, coddles and promotes men. I get the benefit of that just by showing up. I'm not diminishing my accomplishments. But I have to acknowledge that another group has to work harder than I do to get to the same place. By default. That's just stupid, and stamping that out has to continue.
This whole post is because I read the comments. I do not think that a few vocal trolls replying in large volume indicates how a community is in reality. But it is the trolls that will cost any group members, who leave or never join just to avoid that bullshit. That would be the worst, and I do not ever want to see that in any community I associate with.
So it began innocently with this Tweet/Foursquare check in.
I checked in with Foursquare which is something I do on a regular basis. I do this every time I visit the store. It’s a form of advertising in my not so humble opinion.
The store then got a call from someone named "James" asking for me. When I picked up the phone I was asked if I'd locked my key in the car. Naturally I asked who this was, and a short game of "Don't you know?" followed, which ended with Lily saying "That's nice, everything is fine now, goodbye." and hanging up.
I thought the call was from a customer so I gave the phone to Lily. “James” claimed to have met her yesterday.
Here's what happened: either the Tweet or the Foursquare check-in matched a search. Someone saw that the store has a web site, the phone number is there, and the rest is history. Or it could have been one of my followers (I'd like to think that's not the case), or I'm on a Twitter list.
Now, as stories go this is creepy and definitely stalkerish, but it could have gone much worse. There was no swearing, no shouting and we didn't get a call back (the number was marked private, of course). But that really was my own personalized PSA about casually posting details like that online.
I’ve been using social media (that’s a great term isn’t it? It beats “online extrovert”) and I am always aware of the risks. We’ve all read about or even know someone who has been harassed and stalked. I’ll try and be more circumspect about details like that in the future. It’s unfortunate but it’s the reality of this media. The world is more connected and that fellow could have been calling from anywhere.
If someone’s reading this and getting a chuckle then thanks for the wake up call. I’ll adjust accordingly.
What really irks me is that I’ve been trying to get Lily to use Twitter. This little episode really cements her opposition to that. It’s not that she has anything against Twitter it’s just that that medium doesn’t interest her. This small event pretty much means her social interactions will remain squarely in the real world.