🐴≠🔒 If there is one sad story we hear over and over, then it’s that somebody got their WordPress-installation hacked. Often times, hackers got your password because it was guessable or it was released in a password leakage. Sorry, but you shouldn’t have used the same password on your favourite horse-forum, as for the administrator account on your WordPress 😏.

We could spend all day talking about how you could make long random passwords and not use the same password twice etc., but in all fairness, this just shows how problematic it is that most systems are relying solely on a username/password-prompt as the last line of defense.

You may have noticed that many premium WordPress firewall-plugins now have two-factor security that you can buy for a few bucks each month. Or you’ve fiddled with some of the free do-it-yourself plugins, which requires a lot of tinkering… And in both cases, requires all users to install and pair their accounts with an app. If you came that far, maybe you’ve considered if it’s really worth all the running costs and all the hassle, not to mention the mental overhead forced upon your poor users.

Well, that’s where we come in! We can strengthen your login prompt by just one extra click in your GatewayAPI-plugin settings! It’s extremely easy to setup and use, and you only pay the low cost of the SMS’es involved! It’s easy, it’s safe and it just works.

Login screen

This is the new login flow after our plugin has been activated.

What’s SMS-based two-factor?

Basically we send an SMS with a randomly generated 6-digit password whenever the user hasn’t logged in for a while, or if he’s logging in from an unknown device.

In other words: Even if hackers got your username/password, it’s useless to them without them also having physical access to your mobile phone! You would even know if anyone broke the first part, as you would receive an SMS with an authorisation code that you didn’t ask for.

The mental overhead of SMS-based two-factor is really low - especially in comparison to the alternatives; the authenticator-app based approaches requires the user to configure a security app and then open it every time they want to login somewhere.

In contrast, our text based approach works on all cellphones, even non-smartphones! As long as the device can receive a text, you’re home safe

But is it less safe than an authenticator app? No, not at all! While we don’t device lock, as the app-based approaches do, we instead lock to your phone number. You can even argue that this may have the advantage of not relying on the safety of an app and the integrity of your phone, but instead relying on the phone operators. You must admit, they are pretty good at getting texts safely delivered to the right devices! Furthermore, you would know if somebody was trying to hack you, as you would get a text message once they got past the username/password-step.

Adding SMS-based two-factor hardens your installation. And it hardens it a lot! Arguably comparably or even better than harder-to-use app-based alternatives.

Nokia screen

Did you ever think that this ol’ Nokia could be used to secure your WordPress-sites?

Quick recap: GatewayAPI for WordPress

If you didn’t know, we offer a completely free and open sourced WordPress-plugin for GatewayAPI. Actually, we have been offering it for more than two years now and we continue to develop and support the plugin.

Features of the Wordpress-plugin

  • Once installed, you can build a list of recipients, group them and text everybody or just a subset.
  • It supports personalising the texts, importing/exporting recipients from spreadsheets and much more.

  • It even has short codes for creating signup/unsubscribe/update subscription forms, as well as integration with the popular and free Contact Form 7-plugin.
  • It can also respond to incoming texts, ie. it stores and replies to texts being sent to your WordPress!
  • You can also install it and disable the user interfaces, if you want to just send texts from your code, or handle incoming texts that way.

So easy EVERYBODY can figure it out!

Once enabled, when you or your users log in the first time, they will be prompted to enter their phone number. Then they’ll receive a code and once entered, the pairing is complete. This means that in the future, the user will - from time to time - need to re-authorise via SMS. It’s just a matter of entering the digits from the immediately dispatched SMS, so the overhead is really minimal.

Low cost + high safety

You may be thinking: Won’t this cost me, as a site owner, money every time somebody logs in? Sorry, but yes. Our SMS-prices are very competitive though! And depending on the amount of users and their login frequency, the costs of the texts could of course add up.

That’s why you can configure the plugin to remember devices for up to 30 days, as well as limiting roles that two-factor applies to, thus minimising the amount of texts being sent.

Opting to remember a device for a time period, makes the plugin save a cookie on the user’s device. If the user switches to another device, the user will then have to re-authorise, but otherwise the two-factor step is ignored until the cookie expires. Despite being slightly less safe than forcing two-factor on each login, for a hacker to steal and use this cookie is still extremely difficult. Most sites where you can use two-factor, including Google, offers to remember devices for up to 30 days, so it’s pretty much an industry wide standard.

Limiting the user roles affected by two-factor could also be used to cut costs. It would definitely be a security trade-off, so as a bare minimum, Administrators and Editors should have two-factor enabled.

Do I still need a web-application firewall/firewall plugin?

Definitely yes! Our plugin does nothing to secure all other aspects of WordPress, and there’s a lot to secure. While hacking the login prompt is the most common approach nowadays for hackers to gain access, there are still numerous other ways of hacking or abusing a WordPress-based site.

We have successfully tested our plugin with the free versions of iThemes Security and WordFence. Our approach is pretty safe and should work with most firewall plugins. We can highly recommend both of these firewall-solutions, as they do a really good job of protecting your sites in general.

Oh, by the way…

… our latest release also fixes a few bugs and improvement are on the way on how we send texts to many recipients. The plugin now easily handles traffic to 10.000+ recipients, even on regular shared hosts.

I want it, and I want it now!

Just search for GatewayAPI in the plugins section of your WordPress backend, or check out our plugin page here. Source code is on Github