two step authentication - chris la nauze wordpress meetup presentation


Upload: chris-la-nauze

Post on 17-Jan-2017


TRANSCRIPT

Page 1: Two Step Authentication -  Chris La Nauze WordPress meetup presentation

2 Step Authentication

For Self Hosted WordPress sites

Chris La Nauze

https://chrislanauze.com/go/2FA-wp-talk-nov-2016/

Page 2

WPScan Vulnerability Database

To date there are 2407 vulnerabilities.

1305 (54%) WordPress plugin vulnerabilities

344 (14.3%) WordPress theme vulnerabilities

758 (31.5%) WordPress core vulnerabilities

https://wpvulndb.com/

Page 3

Types of Vulnerabilities

The most popular vulnerability types in WordPress core, plugins and themes are Cross-site Scripting and SQL Injection.

This is not surprising considering these 2 vulnerabilities have been listed in the OWASP Top 10 since its inception.

Page 4

What is Security?

Hardening

Addition of extra layers to protect against penetration.

WordPress is a relatively secure platform. If you have auto updates enabled, security vulnerabilities in the core are patched automatically for you. It's only when you start adding plugins, themes and custom code that the chance of being hacked grows, and the more users you have, the more the risk of an attack increases (exponentially).

Security is like an onion: it needs lots of layers of protection working together.

Page 5

Popular WordPress Security Plugins

iThemes Security

WordFence

BulletProof Security

Sucuri Security

BBQ - Block Bad Queries

Caveat: they aren't 100% secure; they are prone to vulnerabilities too. All four here have been listed in https://wpvulndb.com/search? But being paid services, they are very quick to patch and fix compared with free alternatives.

Page 6

Is Two Factor Authentication the silver bullet?

Page 7

No! 2FA is not the silver bullet. It’s just one of the many layers to help protect your sites.

Page 8

What is 2 step Authentication?

“Unlike passwords, two-factor authentication (2FA) is a two-step process that asks for two of three possible factors: things you are, things you have, and things you know, to prove your identity. Current implementations of two-factor authentication utilize the something you know (passwords) and something you have/possess (such as a mobile phone, email account, hardware token, etc.)

WordPress does offer two-factor authentication via free plugins, which offer various ways to two-factor, including OTP (one-time password) via SMS, phone call, OTP via email, QR code, authenticators, push notification, and hardware-based key makers such as Yubikey, SolidPass, etc.”

Ref: http://www.hongkiat.com/blog/wp-plugins-2-factor-authentication/

Page 9

https://www.google.com.au/landing/2step/

Examples for 2FA in everyday life

● Drawing money from the ATM - card | PIN

● Paying with a credit card - card | signature OR card | PIN OR card | security code

● Entering a foreign country - passport | biometric data

Page 10

https://twofactorauth.org/

Page 11

3 Two Factor Authentication Plugins for WordPress

● Duo Security

● Clef

● Google Authenticator

Page 12

Duo.com

The steps that happen when authenticating with WordPress:

1. WordPress connection initiated

2. Primary authentication

3. WordPress connection established to Duo Security over TCP port 443

4. Secondary authentication via Duo Security's service

5. WordPress receives authentication response

6. WordPress session logged in

https://duo.com/docs/wordpress

Page 13

Clef

https://getclef.com

Page 14

Google Authenticator

https://wordpress.org/plugins/google-authenticator/

Censored For Security.

Page 15

2 Step Authentication

For Self Hosted WordPress sites

Chris La Nauze

https://chrislanauze.com/go/2FA-wp-talk-nov-2016/