Definition: 2-Factor Authentication

You have probably heard the words “2 Factor Authentication” (2FA), but do you understand the concept and the increased level of security it provides? (Even despite the mild annoyance factor.) And do you know the preferred way to set it up for your WordPress website?

The basic idea is that logging in requires more than just your user/password combination. User names can be fairly easy for a hacker to discover, and there are many tools available for obtaining likely passwords – from brute force attacks to “dark web” sites which sell lists of user/password or email/password combos stolen during the unfortunately high number of breaches over the years.

So we add a second factor – something you HAVE, which the hackers probably don’t have: typically your phone or other device. You enter the code from your device as the last step of logging in.

Note: there are methods which involve sending a code to a designated email account or sending an SMS text to your phone. The downside is that the hacker may already have gained access to your email too, and text messages can be intercepted, as happened in 2019 to the CEO of Twitter. Yes, any 2FA is safer than no 2FA, but email and text messages are not the safest way. (See also Microsoft Warns Against SMS, Voice Calls for Multi-factor Authentication.)

Right now (March 2020) the safest way to implement 2FA on your website is to use an Authenticator application – either on your phone or as a stand-alone device.

Some well-known authenticators include:

Password managers 1Password and LastPass offer the service as well.

Rather than send you an SMS or email, each of these apps shows you a randomly generated six-digit code that refreshes roughly every 30 seconds and stays in step with whichever service you’re trying to log into. The benefits of tying those codes to a physical device rather than your phone number extend beyond security: apps like Google Authenticator generally continue to work even without an internet or cell connection. If 2FA has ever locked you out of Facebook on a flight, here’s some relief.
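As an added illustration (not code from this post, from Wordfence, or from any authenticator app), here is how those six-digit, 30-second codes are produced and checked: the app and the website share a secret, and each derives the code from that secret plus the current 30-second time window (RFC 4226 HOTP / RFC 6238 TOTP with HMAC-SHA1). The secret below is the published RFC test value, and the one-step tolerance in verify_totp is an assumption about how much clock drift a server might accept.

```python
import base64
import hashlib
import hmac
import struct

# Published RFC 4226/6238 test secret (ASCII "12345678901234567890"), used here
# only because its expected codes are documented. A real enrolment secret is
# the text key shown beside the QR code during setup and must stay private.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-long zero-padded decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the current 30-second window.
    Both the phone and the website compute this from the same secret, which is
    why the code 'stays in step' without any network connection."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 30, digits: int = 6, drift: int = 1) -> bool:
    """Server-side check: accept the code for the current window plus `drift`
    windows either side to tolerate clock skew (assumed tolerance, not a
    Wordfence setting). Constant-time comparison avoids leaking match length."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), candidate)
        for c in range(counter - drift, counter + drift + 1)
    )


def secret_from_base32(key: str) -> bytes:
    """Decode the text key printed under the QR code (base32; apps ignore
    spaces and letter case, and padding is often omitted)."""
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)            # restore '=' padding
    return base64.b32decode(cleaned)
```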

We suggest using one of the above Authenticators along with the 2FA available through Wordfence, which we install on all our clients’ sites. Download the Authenticator of your choice to your phone/tablet, log in to your website as an administrator, go to the Wordfence menu in the left-hand navigation, and go to Login Security.

You should now see a QR code (with a text key below it). Follow the instructions at https://www.wordfence.com/help/tools/two-factor-authentication/ to get it set up.

It would be wise to require all Administrator and Editor level users on your site to implement 2FA. You get used to the extra step pretty quickly.


Important note: Nearly all 2FA setups allow you to copy and store Backup Recovery Codes. Once you have set up 2FA through Wordfence you’ll have the opportunity to generate, copy, and save a set of Backup Recovery Codes. I highly recommend that you store them in your password manager or another high-security location – they come in very handy if you drop your phone, like I did last week, and it goes in the shop!


If you want to get really hard core, Yubico’s YubiKey is a hardware-based 2FA solution. It’s a small card-like device with one end that slots into a standard Type-A USB port. It can verify authentication with a button press instead of manually entering a short code. YubiKeys are also very durable and waterproof, making it difficult to ruin these devices. These are probably the most secure solution overall, but to my knowledge Wordfence does not yet support YubiKey.


Definition: Supply Chain Hack

Most people think of hacks as someone gaining access to their computer or their website directly and then adding malicious code or stealing personal information. Many hacks do occur that way.

A scarier hack occurs when the attacker gains access to the source of a program you regularly use. Say, for instance, they hacked into Microsoft and inserted their malicious code into MS Word. You then download Word to your computer, trusting Microsoft, and when you start up the program the malicious code starts doing its damage.

This scenario is similar to what was discovered in late 2020 at a company named SolarWinds. SolarWinds supplies software to a number of important governmental entities in the US. Among the departments affected were the U.S. Treasury, the U.S. Department of Homeland Security, and the U.S. Commerce Department. It’s possible that as many as 18,000 SolarWinds customers have been affected. The extent of the damage is still unfolding at the time of this writing.

Another example of a supply chain hack occurred with several WordPress plugins in 2017. The trusted longtime developer of the popular Fast Secure Contact Form plugin was approached by another developer with a reasonably lucrative offer to buy the plugin, and the deal was made. Several other plugins by other developers with a smaller installation base were also purchased by the same buyer. That’s perfectly reasonable behavior on the part of the sellers, and if the buyer had been reputable that end would have been fine too. But he wasn’t. The malicious purchaser then released modified versions of those plugins containing spam backdoors, allowing him to use his victims’ sites to send boatloads of spam.

Supply chain hacks are very difficult for the end user of the software to control. We place a lot of trust in our software sources, and though it doesn’t happen often, it is always a possibility that what we download has been secretly compromised. The WordPress plugin repository team does an excellent job, but with over 58,000 plugins, many being updated on a regular basis, there’s no way that they can check every new release.

Definition: Window of Vulnerability

In the world of security research, a Window of Vulnerability exists from the time a security hole is discovered by someone – be it the software developer, a security researcher, or a malicious player – until the time a fix has been released.

During this time the ideal scenario is that the software vendor is made aware of the problem and works feverishly to fix it.

Software developers are typically very quiet about exploits for which there is no fix yet.

Definition: Zero Day

Zero Day exploits generally refer to a security hole in some software which someone has found and announced (or leaked, as the case may be) to the world, but which the software developers don’t know about yet or otherwise haven’t addressed. They have literally had zero days to fix it before it becomes widely known.

The preferred course of action is that when a bug or exploit is discovered, the person or group who discovered it discreetly gets in touch with the developer, describes what they found and how it can be exploited, and gives the developer time to release a fix.