The case for default 2FA in WordPress

Admin panel compromises are one of the most common attacks that WordPress website administrators face on a daily basis. We work with thousands of clients who have experienced attacks on their websites, and I have long since lost count of how many times I have told clients that the entry point was their WordPress login page. Brute force attacks and compromised admin users are overwhelmingly the most common attack vectors against the CMS platform, which in 2022 powers over 40% of the web.

WordPress has many security plugins and extensions that can greatly improve security, but it is up to the website administrator to install and configure them. Security is not something website administrators usually want to deal with from the start; it usually ends up being overlooked and is unfortunately often dealt with only after a compromise has taken place.

I would like to advocate for multi-factor authentication by default, or at least as an immediate post-installation option, for the most popular CMS platform powering the web. It wouldn’t be an unprecedented move and would simply follow what the rest of the web has been doing for years, which is to make the web safer for everyone.

Default settings

There are a few major default configurations in WordPress that put it at risk without the use of additional security plugins or a website firewall. Namely:

  • The admin panel login page (wp-login.php) is wide open to anyone on the web
  • There is no limit on failed login attempts
  • There is no multi-factor authentication
  • By default, the “Display name publicly as” value is the same as the username unless a first name is also filled in, so the name shown publicly on posts hands attackers a valid login to guess passwords against

All of this creates an environment very prone to brute force attacks.

A standard WordPress login page, open to the world

A predictable formula

Given this, attacker behavior is very predictable. A typical WordPress compromise looks like this:

  1. Brute force their way into the WordPress admin dashboard
  2. Install a file manager plugin
  3. Upload a backdoor or webshell
  4. Drop their payload

It’s all very simple, and a lot of these compromises could be avoided with a few very simple changes to the environment.
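As an added example (not code from the original post, from WordPress core, or from any plugin named here), the following must-use plugin shows how the second default listed above, unlimited failed login attempts, can be closed with WordPress’s own hooks, breaking step 1 of the formula. It assumes a file dropped in at wp-content/mu-plugins/login-hardening.php, a limit of 5 attempts per 15-minute window, and a site that receives client connections directly rather than behind a reverse proxy; the path, the limits and the lh_ function names are illustrative choices, not WordPress conventions.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (example)
 * Description: Locks out a client IP after too many failed logins. Example code, not part of WordPress core.
 *
 * Save as wp-content/mu-plugins/login-hardening.php; must-use plugins load without activation.
 */

defined( 'ABSPATH' ) || exit;

// Tunables (assumed values for illustration).
const LH_MAX_ATTEMPTS = 5;       // failed logins allowed per client before lockout
const LH_WINDOW_SECS  = 15 * 60; // counter lifetime, and therefore the lockout length

/**
 * Transient key for the calling client. Only REMOTE_ADDR is trusted: X-Forwarded-For
 * is attacker-controlled unless a trusted proxy rewrites it. Behind a reverse proxy
 * REMOTE_ADDR is the proxy itself, so every visitor would share one counter; have the
 * web server restore the real client IP before relying on this.
 */
function lh_client_key() {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
	return 'lh_fail_' . md5( $ip );
}

/** Current failed-attempt count for the calling client (0 when none is recorded). */
function lh_failed_attempts() {
	return (int) get_transient( lh_client_key() );
}

// Record every failed attempt. Re-setting the transient restarts its expiry, so the
// lockout only lifts after LH_WINDOW_SECS with no further attempts from that client.
add_action( 'wp_login_failed', function ( $username ) {
	set_transient( lh_client_key(), lh_failed_attempts() + 1, LH_WINDOW_SECS );
} );

// Refuse authentication once the limit is reached. Priority 30 runs after core's
// username/password check (priority 20), so a locked-out client receives the lockout
// error even on the attempt where it finally guesses the right password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( lh_failed_attempts() >= LH_MAX_ATTEMPTS ) {
		return new WP_Error(
			'too_many_attempts',
			sprintf( 'Too many failed login attempts. Try again in %d minutes.', LH_WINDOW_SECS / 60 )
		);
	}
	return $user;
}, 30, 3 );

// A successful login clears the counter so a legitimate user who mistyped a few times
// is not locked out on their next visit.
add_action( 'wp_login', function ( $user_login, $user ) {
	delete_transient( lh_client_key() );
}, 10, 2 );
```

Because it hooks the authenticate filter rather than the login form, the same limit applies to XML-RPC logins, which brute force tools also target. Two caveats worth keeping in mind: the counter is per IP, so a distributed attack spread across many addresses is slowed only a little, and a transient read-then-write is not atomic, so a burst of parallel requests can slightly exceed the limit before the lockout takes hold. Neither weakens the point of the post; this is the kind of protection that could ship with WordPress instead of being left to the administrator.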

Security plugins to the rescue

We have written before on how to improve the security of a WordPress environment. There are many different security plugins and services that can make a website less prone to these types of attacks. Many are free, but none of them are included in a default WordPress installation.

Automattic, a major WordPress contributor, has an excellent open-source plugin called JetPack that fixes a number of the default configuration issues I described above. It is used by over 5 million websites and offers website administrators the ability to:

  • Enable multi-factor authentication
  • Mitigate brute force attacks

However, JetPack is not included by default in WordPress and must be installed and configured by the administrator. The only two plugins present by default in a new installation of WordPress are:

  • Hello Dolly
  • Akismet (anti-spam)

The inclusion of the Akismet plugin was an attempt to address the chronic comment spam issues that WordPress admins deal with on a daily basis. Akismet has been included by default in all versions of WordPress since version 2.0 (released in 2005), but no such action has yet been taken to push users towards 2FA.

Not unprecedented

Security can be a nuisance, and people often tend to avoid it unless they are forced into a situation where it can no longer be ignored. Adobe’s e-commerce CMS, Magento, has encountered similar problems with brute force attacks and other security issues. In 2020 they released version 2.4.0, which took some steps to address the same chronic security issues that have plagued the platform for years:

Readers brave enough to have attempted to install Magento 2 from scratch will know that during the initial installation process, 2FA is enabled automatically and a random string is generated and provided to the user to access the admin panel. Both of these can be changed after the fact if the admin wishes, but they are initially included whether they like it or not.

WordPress has already changed some default configurations and thankfully removed the standard “admin” username as well, but has yet to follow suit on the other two points.

Concerns about lockouts

We reached out to the WordPress.org team to hear their thoughts on this. It seems this exact problem has been discussed before, as early as 2015. There are valid concerns about usability and end users being locked out of their dashboards:

I’ll put it this way: we want users to be able to secure their sites with 2FA, not sit back and watch outdated abandoned sites pile up because they got locked out and just give up when… we mention FTP, database or SSH.

Part of WordPress philosophy is to make things work “out of the box” and create as few barriers to usability as possible. Adhering to these fundamentals is one of the reasons WordPress has been so successful.

However, creating as few roadblocks as possible is a two-way street: it also means creating fewer roadblocks for attackers. While on the one hand there may be abandoned sites due to lockouts, the alternative is that these same sites are instead compromised and used to spread malware. Even if a user is locked out of their admin panel, it is easy enough to reverse that or (temporarily) disable 2FA to regain access, for example by renaming the 2FA plugin’s directory over SFTP or SSH, or deactivating it with WP-CLI.

Couldn’t it be said that the chronic issues of brute force attacks and compromised admin panels are themselves at odds with the “ease of use” philosophy, even more so than 2FA would be?

In conclusion

Most people don’t want to worry about security until it’s too late, and a few very simple changes to the WordPress platform’s default configuration could mean that far fewer people find themselves in this situation to begin with. The best part is that the tools are already available; they just need to be implemented.

JetPack’s 2FA functionality is built into wordpress.com (rather than wordpress.org), so some adjustments would need to be made to the plugin to keep .com and .org legitimately separate, but it should be entirely possible. There are also other 2FA plugins available that could be used for this purpose instead.

The good folks at WordPress made Akismet part of the default WordPress install to deal with chronic comment spam. They could do the same with their JetPack software (or another multi-factor authentication plugin) and enable 2FA and brute force protection by default. I would also recommend that they add random admin URL generation to the features it already has, and that it be part of the initial WordPress installation process, much like Adobe’s Magento platform.

Even a simple post-installation suggestion on enabling 2FA would make a huge difference.

This would be a great benefit to the entire web and make it a much safer place for everyone. If you’re a website owner and want to improve your site’s security, consider adding a few more protections to your administration page. You may also consider placing your website behind our firewall service, and we can help you protect your website!

Esther L. Gunn