two step authentication - chris la nauze wordpress meetup presentation
TRANSCRIPT
2 Step Authentication
For Self Hosted WordPress sites
Chris La Nauze
https://chrislanauze.com/go/2FA-wp-talk-nov-2016/
WPScan Vulnerability Database
To date there are 2407 vulnerabilities:
● 1305 (54%) WordPress plugin vulnerabilities
● 344 (14.3%) WordPress theme vulnerabilities
● 758 (31.5%) WordPress core vulnerabilities
https://wpvulndb.com/
Types of Vulnerabilities
The most popular vulnerability types in WordPress core, plugins and themes are Cross-site Scripting and SQL Injection.
This is not surprising, considering these two vulnerability classes have been listed in the OWASP Top 10 since its inception.
What is Security?
Hardening
Adding extra layers of protection to defend against penetration.
WordPress is a relatively secure platform. If you have auto-updates enabled, security vulnerabilities in the core are patched for you automatically. It's only when you start adding plugins, themes and custom code that the chance of being hacked grows, and the more users you have, the more the risk of an attack increases.
Security is like an onion: it needs lots of layers of protection working together.
Popular WordPress Security Plugins
iThemes Security
WordFence
BulletProof Security
Sucuri Security
BBQ - Block Bad Queries
Caveat: they aren't 100% secure; they are prone to vulnerabilities too. All four here have been listed in https://wpvulndb.com/search? But being paid services, they are very quick to patch and fix compared to free alternatives.
Is Two Factor Authentication the silver bullet?
No! 2FA is not the silver bullet. It's just one of the many layers that help protect your sites.
What is 2 step Authentication?
“Unlike passwords, two-factor authentication (2FA) is a two-step process that asks for two of three possible factors: things you are, things you have, and things you know, to prove your identity. Current implementations of two-factor authentication utilize the something you know (passwords) and something you have/possess (such as a mobile phone, email account, hardware token, etc.)
WordPress do offer two-factor authentication via free plugins, which offer various ways to two-factor, including OTP (one-time password) via SMS, phone call, OTP via email, QR code, authenticators, push notification, and hardware-based key makers such as Yubikey, SolidPass, etc.”
Ref: http://www.hongkiat.com/blog/wp-plugins-2-factor-authentication/
https://www.google.com.au/landing/2step/
Examples of 2FA in everyday life
● Drawing money from the ATM - card | PIN
● Paying with a credit card - card | signature OR card | PIN OR card | security code
● Entering a foreign country - passport | biometric data
https://twofactorauth.org/
3 Two Factor Authentication Plugins for WordPress
● Duo Security
● Clef
● Google Authenticator
Duo.com
The steps that happen when authenticating with WordPress
1. WordPress connection initiated
2. Primary authentication
3. WordPress connection established to Duo Security over TCP port 443
4. Secondary authentication via Duo Security's service
5. WordPress receives authentication response
6. WordPress session logged in
https://duo.com/docs/wordpress
Google Authenticator
https://wordpress.org/plugins/google-authenticator/
Censored For Security.