For many who make their living online, the idea that a malicious individual could gain access to the administration area of their site is a nightmare. WordPress and the software stack that supports it is generally quite a secure platform. If administrators follow simple security procedures, like keeping the software up-to-date, and not installing unverified extensions, the chances of an intrusion are relatively small. However, WordPress administrators should also consider the human dimension and implement procedures that will help their users avoid creating vulnerabilities.
People are notoriously poor at creating secure passwords and ensuring that they don’t end up in the hands of third parties. Even when users are forced to choose sufficiently long and random passwords, they often either fail to remember them, requiring a reset, or write them down somewhere, creating a further vulnerability. Passwords are no longer a sufficient guarantee of identity, and it is in the interests of webmasters to implement a further layer of identity verification.
There are three types of authentication factors that are commonly used. They are often described as something the user knows (password), something the user has (ATM card, mobile device), or something the user is (biometric factors like finger prints). As the name suggests, two factor authentication makes use of two of these. In the case of web-based two-factor authentication, something the user knows is coupled with something the user has. Often the second factor is implemented by sending a time limited code to a mobile device via an SMS message or a dedicated application.
The second authentication factor can be added to WordPress through the use of extensions that make use of a third party service.
Google Authenticator
People who are regular users of Google services may already be familiar with the process that Google Authenticator uses. With this extension in place, upon logging in from a machine that has not been marked as secure, the user will be asked to enter a numerical code or scan a QR code with their phone, using the Google Authenticator app, which is available for iPhone, Android, and BlackBerry. The codes are strictly time limited, users have a short period in which to enter the code that appears on their device into the interface.
Duo Two-Factor Authentication
This extension from Duo Security offers the same sort of two-factor authentication as the Google Authenticator, but it’s a bit more flexible. Duo Two-Factor Authentication supports numerous authentication methods including a mobile app, SMS messages, phone calls, and hardware tokens (small devices that display the code). It’s free for personal use with up to 10 users, and costs $3 per user per month for up to 500 users.
Many users find that requiring extra security measures is inconvenient, and to some degree that’s true. However, the slight inconvenience to users results in a significant inconvenience to those who would take advantage of poor password hygiene to harm an online business, and it pales in comparison to the inconvenience to businesses of having their reputation and revenue damaged by attackers and data thieves.
About Graeme Caldwell — Graeme works as an inbound marketer for Nexcess, a leading provider of Magento and WordPress hosting. Follow Nexcess on Twitter at @nexcess, Like them on Facebook and check out their tech/hosting blog, http://blog.nexcess.net/.
It’s nice to see that leading companies in their respective verticals are giving users the perfect balance between security and user experience by implementing 2FA which allows us to telesign into our accounts. I know some will claim this make things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. I’m hoping that more companies start to offer this awesome functionality. This should be a prerequisite to any system that wants to promote itself as being secure.