How to Keep Hackers Out of WordPress

What’s SMS-based two-factor?

Basically we send an SMS with a randomly generated 6-digit password whenever the user hasn’t logged in for a while, or if he’s logging in from an unknown device.

In other words: Even if hackers got your username/password, it’s useless to them without them also having physical access to your mobile phone! You would even know if anyone broke the first part, as you would receive an SMS with an authorisation code that you didn’t ask for.

The mental overhead of SMS-based two-factor is really low – especially in comparison to the alternatives; the authenticator-app based approaches requires the user to configure a security app and then open it every time they want to login somewhere.

In contrast, our text based approach works on all cellphones, even non-smartphones! As long as the device can receive a text, you’re home safe

But is it less safe than an authenticator app? No, not at all! While we don’t device lock, as the app-based approaches do, we instead lock to your phone number. You can even argue that this may have the advantage of not relying on the safety of an app and the integrity of your phone, but instead relying on the phone operators. You must admit, they are pretty good at getting texts safely delivered to the right devices! Furthermore, you would know if somebody was trying to hack you, as you would get a text message once they got past the username/password-step.

Adding SMS-based two-factor hardens your installation. And it hardens it a lot! Arguably comparably or even better than harder-to-use app-based alternatives.

Did you ever think that this ol’ Nokia could be used to secure your WordPress-sites?

Quick recap: GatewayAPI for WordPress

If you didn’t know, we offer a completely free and open sourced WordPress-plugin for GatewayAPI. Actually, we have been offering it for more than two years now and we continue to develop and support the plugin.

Features of the WordPress-plugin

• Once installed, you can build a list of recipients, group them and text everybody or just a subset.
• It supports personalising the texts, importing/exporting recipients from spreadsheets and much more.
• It even has short codes for creating signup/unsubscribe/update subscription forms, as well as integration with the popular and free Contact Form 7-plugin.
• It can also respond to incoming texts, ie. it stores and replies to texts being sent to your WordPress!
• You can also install it and disable the user interfaces, if you want to just send texts from your code, or handle incoming texts that way.

So easy EVERYBODY can figure it out!

Once enabled, when you or your users log in the first time, they will be prompted to enter their phone number. Then they’ll receive a code and once entered, the pairing is complete. This means that in the future, the user will – from time to time – need to re-authorise via SMS. It’s just a matter of entering the digits from the immediately dispatched SMS, so the overhead is really minimal.

Low cost + high safety

You may be thinking: Won’t this cost me, as a site owner, money every time somebody logs in? Sorry, but yes. Our SMS-prices are very competitive though! And depending on the amount of users and their login frequency, the costs of the texts could of course add up.

That’s why you can configure the plugin to remember devices for up to 30 days, as well as limiting roles that two-factor applies to, thus minimising the amount of texts being sent.

Opting to remember a device for a time period, makes the plugin save a cookie on the user’s device. If the user switches to another device, the user will then have to re-authorise, but otherwise the two-factor step is ignored until the cookie expires. Despite being slightly less safe than forcing two-factor on each login, for a hacker to steal and use this cookie is still extremely difficult. Most sites where you can use two-factor, including Google, offers to remember devices for up to 30 days, so it’s pretty much an industry wide standard.

Limiting the user roles affected by two-factor could also be used to cut costs. It would definitely be a security trade-off, so as a bare minimum, Administrators and Editors should have two-factor enabled.

Do I still need a web-application firewall/firewall plugin?

Definitely yes! Our plugin does nothing to secure all other aspects of WordPress, and there’s a lot to secure. While hacking the login prompt is the most common approach nowadays for hackers to gain access, there are still numerous other ways of hacking or abusing a WordPress-based site.

We have successfully tested our plugin with the free versions of iThemes Security and WordFence. Our approach is pretty safe and should work with most firewall plugins. We can highly recommend both of these firewall-solutions, as they do a really good job of protecting your sites in general.

I want it, and I want it now!

Just search for GatewayAPI in the plugins section of your WordPress backend, or check out our plugin page here. Source code is on Github