Website content management systems (CMS) have become more than just a feature in the development of web properties; today they are arguably a necessity. Replacing static websites with systems that expose more vectors for attack means that strong security is needed not just at the application (CMS) level but at the user level as well. Passwords are only one part of WordPress security; adding another layer can greatly strengthen the WordPress login process. Hello, two factor authentication (2FA).
Introducing Two Factor Authentication
In its various forms, two factor authentication has been around for years, and today it can be seen in almost every aspect of banking, software-as-a-service offerings, and even your own email service such as Google. While there are hundreds of well-written, deeply technical reviews of what 2FA does and why its mechanisms are so valuable, the general idea is that there are three kinds of factor and, true to its name, 2FA requires two of the following components together to authenticate your identity:
- Something you are (a piece of you such as a thumbprint or a vocal pattern; the best-known example is the ubiquitous retina scanner seen in many spy flicks)
- Something you have (AKA "the possession factor": your smartphone, another device or laptop, etc. that has the ability either to generate, or to receive and display, a code which must be entered as part of the authentication)
- Something you know ("the knowledge factor", or in simpler terms, your password!)
As you can imagine, requiring the knowledge factor combined with the possession factor (e.g. a code generated on, or texted to, your phone) can prevent intrusions by virtue of the separation of the authenticating parts: an attacker who has one still lacks the other. One caveat: codes delivered by SMS or email are the weakest form of the possession factor, since phone numbers can be hijacked and an email account is usually protected by a password too; an authenticator app or a hardware token is the stronger choice.
Why Does WordPress Need Two Factor Authentication?
WordPress has taken and maintained a strong lead as the most popular content management system today, powering 25.9% of all websites and leading the pack among CMS platforms with a market share of 59.3% as of February 2016, according to the web technology survey firm W3Techs. As such, one could argue that its high adoption rate makes WordPress a more attractive target for attackers than its counterparts, simply by virtue of its heavy usage in the wild (much as Microsoft Windows has been a focus for attackers and malware distributors over Apple's operating system, which had a very low adoption rate for many years).
Even assuming that the application layer of a website is secure (well-written plugins, proper protection against injection techniques, good administrative practices, etc.), WordPress still depends on the integrity of its own user accounts, and those remain a weak point. Every good system designer knows that, practically speaking, security is only as good as your weakest component, regardless of how strong the rest of the system is. The WordPress plugin marketplace offers a variety of security tools that whitelist IP addresses, provide one-time-use authentication codes, and more, but these all must be sought out, installed, configured properly, and actually used to provide any meaningful benefit; they simply aren't available out of the box at the time of writing.
Baking two factor authentication into the WordPress core balances the need for a significant security boost from the moment a site is installed against the annoyance of one more security-related hurdle for website account users. Administrators and editors may complain about the extra step (opening their email, finding their phone, etc.), but consider the attacker's side: while a hacker may be able to brute force or intelligently guess the password for a WordPress website, holding both that password and access to your smartphone or email account at the same time is far less likely. Two factor authentication does not make a compromise impossible, but it makes it considerably more improbable.
We have already heard concerns from our St. Louis web design clients that 2FA would add layers of arduous work on top of remembering strong passwords, but rest assured: when implemented properly this is not the case, and the security benefit exceeds the annoyance of 2FA's possession factor.
Coming Soon to St. Louis WordPress Websites Near You
WordPress.com users have enjoyed two factor authentication for quite some time, and free plugins provide this functionality to the rest of the WordPress community; however, self-hosted installations of WordPress would benefit greatly from having this approach to security built into the WordPress core. Follow the latest WordPress 2FA news for the discussion and evolving approach to making this a reality!