How to Enhance WordPress security with two-factor authentication plugins
With the development of WordPress the security issues also increasing, so first of all make sure that you’re running the most up-to-date and secure version, upgrade to the latest release as soon as you can. Outdated version can support malicious attacks and can increase the vulnerability to hacker attempts. Most WordPress security failures occur when a user is running an outdated version of WordPress on his Web site.
With WordPress plugins you can add a second level of protection to you blog and can give additional protection to your WordPress sites with latest version. You can use these pluings while login from your mobile devices and via email or SMS.
I found these plugins for securing your WordPress site, check out the following plugins: [Ref. Digging Into WordPress]
This plugin prevents logged in users from doing anything on your wordpress.org blog until they have verified their second factor of authentication. The process goes like this:
- A user logs into your blog.
- Behind the scenes a bunch of cryptographic stuff happens and a key is generated and attached to that user. The key is overwritten with a new one every single time they log in. This key is emailed to that user (via the email address the user is registered under.)
- The user gets the email with the code.
- The user then enters the code at the page which is now presented to them when they are trying to access your blog
- Behind the scenes the token is checked for validity, and a cookie is added to the users session. They are now allowed access to your blog. If the key changes (the user logs out, or is required to log in again) the cookie that they may have been using will no longer be valid and they will be asked to enter the new one that they get via email.
SimpleAuth is a simple and secure multi-user PHP login system. No database required. No php knowledge needed to implement this login system. You can secure all kind of pages : customer area, administration interface, member page or any private page.
The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.
This plugin enables Duo Security’s two-factor authentication for WordPress logins.
Duo provides simple two-factor authentication as a service via:
- Phone callback
- SMS-delivered one-time passcodes
- Duo mobile app to generate one-time passcodes
- Duo mobile app for smartphone push authentication
- Duo hardware token to generate one-time passcodes
This plugins allows a WordPress administrator to quickly add strong two-factor authentication to any WordPress instance without setting up user accounts, directory synchronization, servers, or hardware.
I expect plugins like this to rise in popularity soon or even become a part of the core. We are soon adding similar support to our ManageWP.com users as well.
SABRE is an acronym for Simple Anti Bot Registration Engine. It’s a set of counter measures against spam registration on your blog. Your visitors are granted permission to register freely on your blog and now you are plagued by fake users automatically created by spammers? Sabre is the solution to stop definitely these robotized visitors!
List of available features Visit plugin site.
Do not show password, during login, on an insecure channel (without SSL).
Deny automated spambots access to your PHP-based Web site. Before downloading Bad Behavior, check the installation instructions for your platform, as some platforms require a separate download or have special installation procedures.
Advanced Security: Password Protection, Anti-Spam, Anti-Exploits.
Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Admisitrators can release locked out IP ranges manually from the panel.
WP Security Scan checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as:
- File permissions
- Database security
- Version hiding
- WordPress admin protection/security
- Removes WP Generator META tag from core code