The best security fix for any website: 2FA

How many times have I read on one forum or another about people wanting to secure their website and resorting to one extreme measure or another? In the case of WordPress, it’s either a complete security plugin or renaming their admin login screen (in both cases: please don’t).

Yet, the best, simple solution is rarely first on the list – add 2FA and enforce it.

It doesn’t matter if someone finds your login screen or even cracks a user’s password – without that Two Factor Authentication code, they’re getting no further.

There are 2 things you should be doing…

  1. Enforce it. At the very least, on all users with any kind of edit access (and hook this onto capabilities, not roles – if you do it by role, a newly created role may get missed). This is the default for WordPress VIP.
  2. Push users to use the RIGHT method. I’ll explain this next…
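To show what “hook this onto capabilities, not roles” looks like in practice, here is an added example (not code from the original post, nor from any particular plugin) that decides who must have 2FA by capability and then enforces it on both the admin screens and the REST API. Every name prefixed `artiss_example_` is this example’s own; `artiss_example_2fa_is_configured()` and the `example_2fa_configured` user meta key are placeholders standing in for whatever status check your 2FA plugin provides.

```php
<?php
/**
 * Added example, not code from the original post or from any plugin:
 * require 2FA for users by capability, not by role.
 *
 * Assumptions (all hypothetical names, labelled as such):
 *  - artiss_example_2fa_is_configured() stands in for your 2FA plugin's own
 *    check; the 'example_2fa_configured' user meta key is a placeholder.
 *  - Everything prefixed artiss_example_ is this example's own.
 */

// Capabilities that mean "this user can change content or settings".
// A custom role created later that grants any of these is covered
// automatically, which a hard-coded list of role names would miss.
function artiss_example_2fa_capabilities() {
	return array( 'edit_posts', 'edit_pages', 'upload_files', 'manage_options' );
}

function artiss_example_user_requires_2fa( WP_User $user ) {
	foreach ( artiss_example_2fa_capabilities() as $cap ) {
		if ( user_can( $user, $cap ) ) {
			return true;
		}
	}
	return false;
}

// For contrast: the role-based check the post warns against. A site that adds
// a 'newsletter_editor' role with edit_posts is silently left unprotected.
function artiss_example_role_based_check_avoid( WP_User $user ) {
	$edit_roles = array( 'administrator', 'editor', 'author', 'contributor' );
	return count( array_intersect( $edit_roles, (array) $user->roles ) ) > 0;
}

// Placeholder for the 2FA plugin's own status check. With the Two Factor
// plugin this would be Two_Factor_Core::is_user_using_two_factor( $user->ID )
// (assumed API name; verify against the plugin you install).
function artiss_example_2fa_is_configured( WP_User $user ) {
	return (bool) get_user_meta( $user->ID, 'example_2fa_configured', true );
}

// 1. Admin screens: send users who need 2FA but lack it to their profile,
//    where they can set it up, and nowhere else.
add_action( 'admin_init', 'artiss_example_enforce_2fa_in_admin' );
function artiss_example_enforce_2fa_in_admin() {
	global $pagenow;
	if ( wp_doing_ajax() || ! is_user_logged_in() ) {
		return;
	}
	$user = wp_get_current_user();
	if ( ! artiss_example_user_requires_2fa( $user ) || artiss_example_2fa_is_configured( $user ) ) {
		return;
	}
	if ( 'profile.php' === $pagenow ) {
		add_action( 'admin_notices', function () {
			echo '<div class="notice notice-error"><p>' .
				esc_html__( 'Two-factor authentication is required for your account. Please set it up below before continuing.', 'artiss-example' ) .
				'</p></div>';
		} );
		return;
	}
	wp_safe_redirect( admin_url( 'profile.php' ) );
	exit;
}

// 2. REST API: the block editor saves through REST, so cover that path too.
//    $result is null when no other authentication handler has decided yet.
add_filter( 'rest_authentication_errors', function ( $result ) {
	if ( null !== $result || ! is_user_logged_in() ) {
		return $result;
	}
	$user = wp_get_current_user();
	if ( artiss_example_user_requires_2fa( $user ) && ! artiss_example_2fa_is_configured( $user ) ) {
		return new WP_Error(
			'artiss_example_2fa_required',
			'Two-factor authentication must be configured before using the API.',
			array( 'status' => 403 )
		);
	}
	return $result;
} );
```

Drop this into a small plugin or mu-plugin. The one thing to check with your own 2FA plugin is whether its set-up screen on `profile.php` itself talks to the REST API; if it does, exempt those routes in the `rest_authentication_errors` callback, otherwise a user who has not yet enrolled cannot enrol.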

Which method of 2FA should I use?

There are usually 4 methods offered for 2FA…

  1. SMS
  2. Email
  3. Authentication apps
  4. Security keys

So many people use one of the first 2, and you really shouldn’t recommend them – advise users against using them and, if you can, lock them out from using them entirely. Email and SMS are not only insecure (things such as SIM cloning are real) but also regularly liable to failure. By allowing your users to use these methods, you’re putting yourself at the mercy of the reliability of a third party (SMS messages usually go through third parties such as Twilio, although the problems are often less theirs and more the individual network providers’).

Security keys are going to be impractical for a lot of people. A lot of people swear by them, but I find the need for something that will plug into all my devices, and to have it with me at all times, to be a pain. On top of that, you risk it being stolen.

In comparison, if I lose my phone then they’d have to get into both that and my 2FA app to get my codes. And phone apps (which often have desktop apps to go with them too) are just 100% more practical.

Needless to say, I use app authentication and would recommend that to anyone else.
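The reason an app has no third party to fail is worth seeing in code. The following is an added example, not something from the original post: the TOTP scheme (RFC 6238) that authenticator apps implement, written as the site-side check. The only inputs are the shared secret and the clock, so nothing travels over SMS or email; the verifier also tolerates a little clock skew and refuses to accept a code a second time. The base32 secret and the timestamp are constructed values; the `artiss_example_` function names are this example’s own.

```php
<?php
// Added example, not from the original post: the TOTP scheme (RFC 6238) that
// authenticator apps implement. App and site share one secret; each derives
// the code from that secret and the current time, so no SMS gateway or mail
// server sits in the path. The secret below is constructed for illustration.

function artiss_example_base32_decode( $b32 ) {
	$alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
	$b32      = strtoupper( rtrim( $b32, '=' ) );
	$bits     = '';
	for ( $i = 0, $n = strlen( $b32 ); $i < $n; $i++ ) {
		$val = strpos( $alphabet, $b32[ $i ] );
		if ( false === $val ) {
			throw new InvalidArgumentException( 'Invalid base32 character: ' . $b32[ $i ] );
		}
		$bits .= str_pad( decbin( $val ), 5, '0', STR_PAD_LEFT );
	}
	$bytes = '';
	for ( $i = 0; $i + 8 <= strlen( $bits ); $i += 8 ) {
		$bytes .= chr( bindec( substr( $bits, $i, 8 ) ) );
	}
	return $bytes;
}

// HOTP (RFC 4226) over a counter; TOTP is HOTP with counter = floor(time / step).
function artiss_example_hotp( $secret, $counter, $digits = 6 ) {
	$msg    = pack( 'J', $counter );                   // 8-byte big-endian counter
	$hmac   = hash_hmac( 'sha1', $msg, $secret, true );
	$offset = ord( $hmac[19] ) & 0x0f;                 // dynamic truncation
	$bin    = ( ( ord( $hmac[ $offset ] ) & 0x7f ) << 24 )
		| ( ord( $hmac[ $offset + 1 ] ) << 16 )
		| ( ord( $hmac[ $offset + 2 ] ) << 8 )
		| ord( $hmac[ $offset + 3 ] );
	return str_pad( (string) ( $bin % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

function artiss_example_totp( $secret, $timestamp, $step = 30, $digits = 6 ) {
	return artiss_example_hotp( $secret, intdiv( $timestamp, $step ), $digits );
}

// Verify a submitted code. Accepts +/- $window steps of clock skew (the
// "reliability" that SMS delivery cannot promise), compares in constant time,
// and returns the matched counter so the caller can refuse to accept the
// same code twice. Returns false on no match.
function artiss_example_totp_verify( $secret, $submitted, $timestamp, $last_used_counter = -1, $window = 1, $step = 30 ) {
	$now = intdiv( $timestamp, $step );
	for ( $c = $now - $window; $c <= $now + $window; $c++ ) {
		if ( $c <= $last_used_counter ) {
			continue;                                  // replay: already spent
		}
		if ( hash_equals( artiss_example_hotp( $secret, $c ), (string) $submitted ) ) {
			return $c;
		}
	}
	return false;
}

// Self-check against the RFC 6238 reference vector (ASCII secret, T = 59, 8 digits).
if ( artiss_example_hotp( '12345678901234567890', intdiv( 59, 30 ), 8 ) !== '94287082' ) {
	throw new RuntimeException( 'TOTP implementation does not match RFC 6238' );
}

// Walk-through with a constructed base32 secret (as it would appear in a QR code).
$secret = artiss_example_base32_decode( 'JBSWY3DPEHPK3PXP' );
$t      = 1700000000;
$code   = artiss_example_totp( $secret, $t );                           // what the app would display
$used   = artiss_example_totp_verify( $secret, $code, $t + 20 );        // 20 s later, still inside the window
$replay = artiss_example_totp_verify( $secret, $code, $t + 25, $used ); // same code again: rejected
printf( "code=%s accepted_counter=%s replay_accepted=%s\n", $code, var_export( $used, true ), var_export( $replay, true ) );
```

Two design points matter for a site operator: the accepted counter has to be stored per user (a user meta field, for instance) so that a code seen once is never accepted again, and the window should stay small, since every extra step you tolerate is another valid code at any given moment.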

User enumeration in WordPress

User enumeration is the ability to work out a username. In WordPress it’s really easy to do, so there are plugins and various articles advising you how to prevent it. But whether it’s via the author page that WordPress automatically creates for every user, or via the public information available from a site’s WP CLI, it’s not considered a vulnerability, except by security firms wishing to sell you a solution to it.

WordPress VIP often gets queries about this when customers run third-party penetration tests, as it usually gets a mention in the results.

The reason it’s considered a security risk is because it’s part of the login process – your user name is the first stage in gaining access to a site. Except it’s useless without the password. Just as knowing your login page is the equivalent of knowing your home’s address, the user name only identifies one of the home owners. The password is the key, and without it, knowing the 2 other pieces of information doesn’t get you into the house – it just gets you to it. Yes, you can use the user name to request a password reset, but if the email is sent to the genuine owner, nothing is lost. Of course, your email could be compromised but, if you’ve combined it with 2FA, there’s still no issue here.

Yes, changing CLI end-points or putting in redirects for your author pages will limit this information being available, but you have to question why it’s a bad thing in the first place.

What about passkeys?

If you’ve not come across them, passkeys are an extension of the standard that is used for security keys. However, it adds in other forms of authentication, where the cryptographic key is held on individual devices rather than in a central location. So, for example, if your device supports it, Face ID or fingerprint identification.

And what’s particularly good about passkeys is that it negates the need for the password too – put in a user name or email address and then you provide passkey authentication to gain access.

Apple’s built-in Keychain feature, as well as 1Password, already support passkeys. Personally, I’ve found Keychain to be the better solution, which is what I use.

But, here’s the thing – they are a secure way of replacing the password and, it could be argued, 2FA as well, but not everybody has access to a solution. For this reason, you should continue to offer 2FA as well. In fact, some websites seem mighty confused about all of this and, when you sign in via a passkey, then ask for your 2FA as well (which makes it very secure, I’ll give it that). For that reason, it doesn’t add anything over 2FA right now, and the latter is available to all users, rather than a subset.

WordPress plugin recommendations

My own solution is to use both – 2FA and passkeys. If you’re using WordPress these are the plugins I recommend…


This post was first published on January 2 2024. It was updated January 3 to add Passkeys to it. On March 2 it was further updated to be made more generic and to add WordPress recommendations to it.



Comments

2 responses to “The best security fix for any website: 2FA”

  1. Matt

    How do you think passkeys will change this?

    1. David Artiss

      A good question, Matt. I’ll answer this here, but I’ll update the post with some context around Passkeys for those who may not know what they are.

      As a replacement for both passwords and 2FA, it’s an easy-to-use and secure solution. Where it’s supported, the idea of just putting in a user name or email address and then, say, using your device’s fingerprint detection to sign in, is a slick experience, whilst also accurately balancing the security needs as well.

      Not everyone has the means to be able to use it on all of their devices which, I guess, is my answer to your question – I don’t think it’s a replacement right now but, wherever possible, should be added as an alternative method. Use passkeys if/when you can, but default back to password/2FA otherwise.

      What do you think of the idea of WordPress Core having 2FA and/or passkey support included? Or do you think that plugins are the answer here?
