Our lastest ShieldPRO 14.1 security plugin for WordPress brings a huge WordPress REST API integration along with some much-needed tweaks and enhancements.
Read on to discover everything we’ve included in your newest and favourite WordPress Securty Plugin.
Consider the work that’s involved with managing just 1 WordPress site and all its plugins, themes, updates, backups and, of course, security.
Now multiply that by the number of WordPress sites you run.
It’s a huge amount of work.
This is why we built iControlWP many years back and why we also integrated Shield Security into it to allow WordPress admins to manage their WordPress sites at scale, and also their WordPress security.
But not everyone wants to use iControlWP and that’s totally cool! But we still want to open up management of Shield to folk that need to scale their WordPress security.
This is where our new WordPress REST API integration comes in. It leverages the very thorough platform that the WordPress Core provides, letting us build a REST API that is powerful, secure and easy to maintain.
Many clients won’t have a need for our REST API directly, but you may use tools and services that could take advantage of if you asked them to.
This involved a major revamp of the UI and the tables that display the logs.
As you can imagine, these tables and data set can grow very large, particularly for busy websites.
Since we were loading a large dataset all at once, browsing these log tables became tedious and slow. For high traffic sites, it would unusable in some cases resulting in loading errors!
So we went back to our core implementation (again) and made the entire thing dynamic. Instead of loading all the records, we only load precisely what we need. This makes the initial loading near-instant.
The pagination will be a bit slower than what you’re used to – but this is because we’re loading just the log records you need, when you need them.
We’ve also adjusted the traffic log database table structure to help us speed all this along and provide more useful information right where you need it.
This is a major reworking and we hope you’ll love it!
#3 Run Shield As A “Must-Use” (MU) Plugin
If you’ve never heard of a must-use WordPress plugin, don’t worry, you’re not alone.
They’re installed in a different directory (/wp-content/mu-plugins/) instead of the default (/wp-content/plugins/).
So why would you want to switch Shield to be an MU plugin?
In much the same way as Shield offers the Security Admin module to protect against tampering, you could set Shield to be an MU plugin to prevent the plugin from being disabled accidentally, maliciously.
It’ll also ensure Shield executes before other plugins. While this won’t offer an advantage currently, we’ll soon adjust some Shield’s code to block malicious requests much earlier in the WordPress load.
What actually happens when you enable MU Mode?
The core of the Shield plugin will remain in the normal installation directory- /wp-content/plugins/.
Shield will then create a new file in the MU directory that loads the normal Shield plugin. When this happens you’ll see 2x Shield plugins installed on your site as shown below:
How can you disable Shield after enabling MU Mode?
Once MU mode is enabled, you can’t disable the normal Shield plugin from the WordPress dashboard. This is normal WordPress behviour.
However, you can simple revert the option within Shield’s settings to disable MU Mode, and then return the plugins screen and disable Shield like any other plugin.
The setting for MU Mode is found within the Security Admin module and doesn’t require a Security Admin PIN to be set.
Shield’s MU Mode plugin option
#4 Better Detection Of Incorrect Application Passwords
Until now Shield wasn’t correctly spotting when these application password login attempts were failing. We’ve added some new events and logging and we’ll even increase the offense counter for an IP address when the event is triggered.
We spotted these new events being triggered almost immediately after we put them live for testing.
#5 More Quick Access Data In Admin Bar
Some time ago we add a top menu to the WordPress admin bar to help indicate when Shield found some scan items that warrant further investigation.
The original WP Admin Bar addition by Shield Security
After prompting for some extra information by a client, we’ve made some new helpful additions to the menu (see image below).
Shield’s Additional WP Admin Bar Items
Each of these additions provide helpful links to the item in question, for example:
Recently Blocked IPs and Offenses link to the IP Analyse Tool for the specific IP in-question.
Recent Sessions links to the Shield Sessions table and the individual session item in the menu links to the profile of the given user.
On March 10, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “SiteGround Security”, a WordPress plugin that is installed on over 400,000 sites. This flaw makes it possible for attackers to gain administrative user access on vulnerable sites when two-factor authentication (2FA) is enabled but not yet configured for an administrator.
Wordfence Premium, Wordfence Care, and Wordfence Response received a set of firewall rules on March 10, 2022 to provide protection against any attackers trying to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on April 9, 2022
After sending the full disclosure details to the SiteGround security team on March 10, 2022 a patch was released the next day on March 11, 2022. While the plugin was partially patched immediately, it wasn’t optimally patched until April 7, 2022.
Sites hosted on the SiteGround platform have automatically been updated to the patched version while those hosted elsewhere will require a manual update, if auto-updates are not enabled for the plugin. We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6 at the time of this publication.
SiteGround Security is a plugin designed to enhance the security of WordPress installations via several features like login security including 2FA, general WordPress hardening, activity monitoring, and more. It’s also worth noting that it comes pre-installed on all SiteGround hosted WordPress sites. Unfortunately, the 2FA functionality of the plugin was insecurely implemented making it possible for unauthenticated attackers to gain access to privileged accounts.
When two-factor authentication is enabled, it requires all administrative and editor users to set-up two factor authentication. This requirement is triggered when the site’s administrative and editor users log into the site for the first time after 2FA has been enabled at which time they are prompted to configure 2FA for their account. This means that there will be a period of time between 2FA being enabled on a site and each user configuring it for the account.
During this interim period, attackers could hijack the 2FA set-up process. The plugin had a flaw that made it so that attackers could completely bypass the first step of authentication, which requires a username and password, and access the 2FA set-up page for users that had not configured 2FA yet.
It was as simple as supplying the user ID they would like to compromise via the sg-user-id parameter, along with a few other parameters to indicate that they would like to trigger the initial 2FA configuration process.
The following validate_2fa_login() function shows the process by which a user-supplied ID is validated. If the results from the check_authentication_code() function and the sg_security_2fa_configured user meta retuned false, which indicated that 2FA hasn’t yet been configured for that user, then the plugin would load the 2fa-initial-setup-form.php template which displays the QR code and 2FA secret needed to configure the authenticator app for the user supplied ID.
</pre><pre>publicfunctionvalidate_2fa_login( $user) {// Bail if there is no valid user authentication.if( ! isset( $_POST['sg-user-id'] ) ) { // phpcs:ignorereturn;}$result= $this->check_authentication_code( wp_unslash( $_POST['sgc2facode'] ), wp_unslash( $_POST['sg-user-id'] ) ); // phpcs:ignore// Check the result of the authtication.if( false === $result) {if( 0 == get_user_meta( $_POST['sg-user-id'], 'sg_security_2fa_configured', true ) ) { // phpcs:ignore// Arguments for initial 2fa setup.$args= array('template'=> '2fa-initial-setup-form.php','qr'=> get_user_meta( $_POST['sg-user-id'], 'sg_security_2fa_qr', true ), // phpcs:ignore'secret'=> get_user_meta( $_POST['sg-user-id'], 'sg_security_2fa_secret', true ), // phpcs:ignore'error'=> esc_html__( 'Invalid verification code!', 'sg-security'),'action'=> esc_url( add_query_arg( 'action', 'sgs2fa', wp_login_url() ) ),);} else{// Arguments for 2fa login.$args= array('template'=> '2fa-login.php','error'=> esc_html__( 'Invalid verification code!', 'sg-security'),'action'=> esc_url( add_query_arg( 'action', 'sgs2fa', wp_login_url() ) ),);}$this->load_form( wp_unslash( $_POST['sg-user-id'] ), $args); // phpcs:ignore}// Set the auth cookie.wp_set_auth_cookie( wp_unslash( $_POST['sg-user-id'] ), intval( wp_unslash( $_POST['rememberme'] ) ) ); // phpcs:ignore</pre><pre>
The authentication QR code and secret key displayed that would be displayed to potentially unauthorized users.
The returned QR code and secret key are the only things needed to connect the user account with an authentication mechanism, such as Google Authenticator. Attackers were able to use this to connect their authentication app with the account and successfully use a code to pass the “second factor of authentication.” This function would then set the user authentication cookies via the wp_set_auth_cookie() function using the user supplied ID from the sg-user-id parameter which effectively logs the attacker in as that user. Due to the default configuration of the plugin, this account would most likely be a privileged user like an administrator or editor. It’s also worth noting that the function returns the back-up codes which could be used via the weakness outlined in the next section.
To sum it up, there was no validation on the validate_2fa_login() function that the identity a user was claiming was in fact legitimate. As such attackers could bypass the first authentication mechanism, a username/password pair, which is meant to prove identity and successfully log in, due to a weakness in the second authentication mechanism, the 2FA process. When successful, an attacker could completely infect a site by exploiting this vulnerability.
In addition to the above outlined vulnerability, the method in which 2FA back-up code authentication was handled made it possible for attackers to log in if they were able to brute force a back-up code for a user or compromise it via other means such as SQL Injection.
Diving deeper, the plugin registered the validate_2fabc_login() function which validated the supplied backup code through the validate_backup_login() function using the user supplied user ID from the sg-user-id parameter along with the back-up code supplied via the sgc2fabackupcode parameter. If the back-up code was found in the array of stored back-up codes for that user, then the function would use the wp_set_auth_cookie() function to set the authentication cookies for the supplied user ID. If that user ID belonged to an administrator, the attacker would effectively be logged in as an administrator.
</pre><pre>publicfunctionvalidate_2fabc_login() {$result= $this->validate_backup_login( wp_unslash( $_POST['sgc2fabackupcode'] ), wp_unslash( $_POST['sg-user-id'] ) ); // phpcs:ignore// Check the result of the authtication.if( false === $result) {$this->load_form(wp_unslash( $_POST['sg-user-id'] ), // phpcs:ignorearray('template'=> '2fa-login-backup-code.php','action'=> esc_url( add_query_arg( 'action', 'sgs2fabc', wp_login_url() ) ),'error'=> esc_html__( 'Invalid backup code!', 'sg-security'),));}// Set the auth cookie.wp_set_auth_cookie( wp_unslash( $_POST['sg-user-id'] ), intval( wp_unslash( $_POST['rememberme'] ) ) ); // phpcs:ignore
Similarly to the previous vulnerability, the issue here is that there was no true identity validation for the authentication, which indicates an authorization weakness. The function performed no checks to verify that a user had previously authenticated prior to entering the 2FA back-up code, and as such they did not need to legitimately log in prior to being logged in while using a back-up code. This meant that there were no checks to validate that a user was authorized to use a back-up code to perform the second factor of authentication that would log them in.
Though the risk in this case is lower, the backup codes were 8 digits long and entirely numeric, so an attacker could potentially brute force one of the 8 back-up codes and automatically be logged in without knowing a username and password combination for an administrative user.
While this might not be practical to attempt on most servers, a patient adversary attacking a well-provisioned server capable of processing a large number of requests at once would have a high chance of eventually gaining access unless the brute force attempts were stopped by another mechanism, such as the Wordfence plugin’s built-in brute force protection or rate limiting rules.
Further, this vulnerability could be used in conjunction with another vulnerability, such as SQL injection, where an attacker would be able to compromise the 2FA back-up codes that are stored in the database and then subsequently use them to log in without needing to crack the password of an administrative user which would likely be significantly stronger. In both cases, the impact would be significant as an attacker could gain administrative access to the compromised WordPress site which could be used for complete site infection.
An Important Security Reminder: Audit Your WordPress Site’s User Accounts
This vulnerability serves as an important reminder to audit your WordPress site’s user accounts. This means identifying any old and unused user accounts that have been inactive for an extended period of time and/or are likely to never be used again and removing them or completely stripping the user’s capabilities. This vulnerability could easily be exploited on sites where the site owner enabled 2FA, which is required for all administrative and editor users, and had old inactive administrative/editor user accounts on the site that an attacker could target. Considering accounts that are no longer active are unlikely to log in after the 2FA setting has been enabled, the 2FA for those accounts would not be configured leaving the site ripe for exploitation by any attackers exploiting the vulnerability.
A situation involving a similar security issue involving insecure 2FA was reported by the CISA in conjunction with the FBI a few weeks ago, around the same time we discovered this vulnerability. In the Cybersecurity Advisory (CSA) by the CISA, it was disclosed that a threat actor was able to successfully brute force a dormant user’s account credentials, and due to a default 2FA setting that would allow dormant users to re-enroll a new device for 2FA during the next active log in, the threat actor was able to connect the 2FA secret to their own account and retrieve the code needed to pass the second factor of authentication. Once the threat actor gained initial access to the system they were able to escalate their privileges by exploiting the “PrintNightmare” vulnerability, which you can read more about here, and steal sensitive information from across the organization’s network. This goes to show that attackers are definitely looking for flaws like the one disclosed today to exploit and any site can be a target. As such, it’s important to actively maintain and validate the security of your site through regularly performed professional or self-conducted security audits and penetration tests, which is a service Wordfence provides. Security is an active and continuous process.
Timeline
March 10, 2022 – Conclusion of the plugin analysis that led to the discovery of two Authentication Bypass Vulnerabilities in the “SiteGround Security” WordPress plugin. We deploy firewall rules to protect Wordfence Premium, Wordfence Care, and Wordfence Response users. We send the full disclosure details to SiteGround in accordance with their responsible disclosure policy. March 11, 2022 – The CTO of SiteGround responds indicating that a patch has been released. We review the patch and inform them that it is insufficient. They release an additional patch. March 11, 2022 – A patched version of the plugin is released as version 1.2.3. We suggest further security enhancements to the functionality. March 16, 2022 – An update is made that reduces the security of the 2FA functionality, we follow-up again to suggest better security enhancements to the functionality. The CTO assures us that they are working on it. April 6, 2022 – A fully and optimally patched version of the plugin is released as version 1.2.6. April 9, 2022 – Wordfence Free users receive the firewall rules.
Conclusion
In today’s post, we detailed a flaw in the “SiteGround Security” plugin that made it possible for unauthenticated attackers to gain access to administrative user accounts in instances where 2-Factor Authentication was enabled, though not yet fully set up, and in cases where an attacker could successfully brute force a back-up code. This could easily be used by an attacker to completely compromise a site. This flaw has been fully patched in version 1.2.6.
We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6 at the time of this publication.
Wordfence Premium, Wordfence Care, and Wordfence Response received a set of firewall rules on March 10, 2022 to provide protection against attempts by attackers to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on April 9, 2022
If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both Wordfence Care and Wordfence Response include hands-on security support that provide you with ongoing assistance from our incident response team, should you need it.
Special thanks to the team at SiteGround, for responding swiftly and working quickly to get a patch out to protect their customers and working to further secure the 2FA component.
On April 18, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over 60,000 installations.
We received a response the same day and sent over our full disclosure early the next day, on April 19, 2022. A patched version of the plugin, 9.1.1, was released on April 21, 2022.
We released a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers on April 18, 2022. Sites still running the free version of Wordfence will receive the same protection on May 18, 2022. We recommend that all Wordfence users update to the patched version, 9.1.1, as soon as possible as this will entirely eliminate the vulnerability.
The Booking Calendar plugin allows site owners to add a booking system to their site, which includes the ability to publish a flexible timeline showing existing bookings and openings using a shortcode, [bookingflextimeline].
The flexible timeline includes the ability to configure viewing preferences and options when viewing the published timeline. Some of these options were passed in PHP’s serialized data format, and unserialized by the define_request_view_params_from_params function in core/timeline/v2/wpbc-class-timeline_v2.php.
An attacker could control the serialized data via several methods:
If a timeline was published, an unauthenticated attacker could obtain the nonce required to send an AJAX request with the action set to WPBC_FLEXTIMELINE_NAV and a timeline_obj[options] parameter set to a serialized PHP object.
Any authenticated attacker could use the built-in parse-media-shortcode AJAX action to execute the [bookingflextimeline] shortcode, adding an options attribute in the shortcode set to a serialized PHP object. This would work even on sites without a published timeline.
An attacker with contributor-level privileges or above could also embed the [bookingflextimeline] shortcode containing a malicious options attribute into a post and execute it by previewing it, or obtain the WPBC_FLEXTIMELINE_NAV nonce by previewing the [bookingflextimeline] shortcode and then using method #1.
Any time an attacker can control data that is unserialized by PHP, they can inject a PHP object with properties of their choice. If a “POP Chain” is also present, it can allow an attacker to execute arbitrary code, delete files, or otherwise destroy or gain control of a vulnerable website. Fortunately, no POP chain was present in the Booking plugin, so an attacker would require some luck as well as additional research in order to exploit this vulnerability. Nonetheless, POP chains appear in a number of popular software libraries, so many sites could still be exploited if another plugin using one of these libraries is installed.
Despite the lack of a POP chain and the complexity involved in exploitation, the potential consequences of a successful attack are so severe that object injection vulnerabilities still warrant a “High” CVSS score. We’ve written about Object Injection vulnerabilities in the past if you’d like to find out more about how they work.
Timeline
April 18, 2022 – We release a firewall rule to protect Wordfence Premium, Care, and Response customers. We initiate the disclosure process. The plugin developer verifies the contact method. April 19, 2022 – We send the full disclosure to the plugin developer. April 21, 2022 – A patched version of the Booking Calendar plugin, 9.1.1, is released. May 18, 2022 – The firewall rule becomes available to free Wordfence users.
Conclusion
In today’s post, we covered an Object Injection vulnerability in the Booking Calendar plugin. Wordfence Premium, Wordfence Care, and Wordfence Response customers are fully protected from this vulnerability. Sites running the free version of Wordfence will receive the same protection on May 18, 2022, but have the option of updating the Booking calendar plugin to the patched version 9.1.1 to eliminate the risk immediately.
If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.
Adesigner friend discovered a new website creation tool. It claimed to be super-easy to use. Just drag and drop. See results right away. No coding. What’s not to like about that?
She built her new website and worked hard to make the site exactly as she wanted. Then she launched it.
That’s when the makers of the website creation tool proudly announced version 2.0. All new, from the ground up. Even better. More features. Easier to use.
Just one hitch. A minor one. Hardly worth mentioning: There was no way to migrate a website built in the old version. That was bad. What made it really bad was that version 1 would shut down in a few months.
My friend’s new website suddenly had the lifespan of a mayfly. Pretty, but destined to disappear.Let’s face it, it’s quite a task to build a website — one that works well for you, is aligned with your business, and effectively connects with your ideal audience. Doing all that well takes time and effort. So, of course, we count on our new website serving us well for a long time to come.Let’s face it, it’s quite a task to build a website — one that works well for you, is aligned with your business, and effectively connects with your ideal audience. Doing all that well takes time and effort. So, of course, we count on our new website serving us well for a long time to come.
If you’ve had your website for several years, you now have lots of content created over that long time. It definitely would be disastrous to one fine day find out what powers the website has been end-of-lifed.
So how can we avoid ending up like my friend, with a new, but dead-on-arrival, website? Or with an existing website that can no longer be updated?
The 2 Key Components of Future-Proofing
It starts before we build anything on a new website and involves 2 key components:
Adopting a future-proofing mindset
Future-proofing the technology
It’s tempting to view future-proofing a website as a done-and-forget it action. Because it’s an ongoing process. As much mindset as technology.
First, let’s look at developing a future-proofing mindset. Then it will be easier to consider the tech impact of future-proofing.
1. Adopting a Future-Proofing Mindset
Web technology is constantly changing, as are best practices and security concerns.
If we don’t understand (and accept that), at some point any new website will be outdated. Obsolete. Probably sooner rather than later.
WordPress introduced a new blog post editor in 2018. A major upgrade that changed how we approached writing and posting new content.
Many website owners were upset. They didn’t want to change how they edited post content. Not that they liked the old editor. But they had found ways to work with it. It was familiar. They might even use plugins to improve the editing experience.
Now here was something new. A major change that upset existing workflows. It didn’t help that the first iteration still lacked some refinement.
Others, like me, switched to the new block editor early and found that it truly speeded up posting. Plus it really was easier to work with.
In this change WordPress gave us a choice: Adopt early or later, either is okay. They even told us we had several years before they’d shut down the old editor. The only choice that is not okay, is to never adopt.
Being aware of new developments and recognizing when they affect our WordPress websites
Years ago we designed websites for computer screens. The biggest arguments were about what size computer screen. Designers fretted about pixel-perfect alignment.
Those few people who insisted on visiting websites from their mobile phones were content with dumbed-down mobile versions of websites. But most website owners didn’t worry about mobile browsing.
Today 2/3 of all web browsing is from mobile devices. Google now bases their SEO ranking on how a website shows up on mobile devices. It’s no longer okay to have a dumbed-down website for mobile visitors. Or to ignore them by having a desktop-only website.
Yet I still regularly see websites that are desktop-only. Clearly some website owners haven’t gotten the message. They persist with websites that are not future-proofed. Gradually slipping into oblivion.A future-proofing mindset means paying attention to changes in the online world and recognizing when it’s the right time to adapt and adopt. Often when we do, we find that the new way is clearly better and we really would never want to go back to the old ways.A future-proofing mindset means paying attention to changes in the online world and recognizing when it’s the right time to adapt and adopt. Often when we do, we find that the new way is clearly better and we really would never want to go back to the old ways.
What we don’t want to happen is to one day find out that functionality we relied on has been obsoleted, turned off and now my website doesn’t work anymore. Which of course hurts the business relying on that website bringing in customers.
Fortunately, when a change is announced, there is often a planned a transition time until full implementation. We have time to learn how to master the new approach. We may even be able to approach a major change with a hybrid approach, combining the best of 2 worlds and takes some pressure off today while ensuring that we’ll be ready for the future.
Tips for developing a future-proofing mindset
Become friends with your website — it’s an integral part of your business.
Stay up-to-date with WordPress developments on the official Make WordPress blog.
Be curious and explore how changes in the online world can help your business grow.
Be open to change.
2. Future-Proofing the Technology of WordPress
Choose wisely, we must
It might be tempting to go for that brand-new website builder that has every bell-and-whistle imaginable. But will it be around for years to come?
WordPress has been with us for since 2003! All that time, updates and new versions have been released regularly.
However, WordPress is just one part of the puzzle. There are three main components we’ll need to consider:
Theme — controls what the website looks like and much of the functionality
Page Builder — makes design, layout and editing easier
Plugins — add specific functionalities and integrations
Together these components form the technical base of a website and must be regularly updated to ensure full functionality and keep the website safe and secure.
Let’s look how to future-proof each component of WordPress.
WordPress Core
WordPress started as a blogging solution. Then folks like me concluded that managing content for the entire website in a database would make life easier. It wasn’t long before WordPress grew into a great tool for powering entire websites.
If you could look at the very first version of WordPress core next to the current one, they would seem a world apart. Yet there has never once been a time when a new version was incompatible with older sites.
For example, in 2018 when WordPress released a new editing experience (block editor) for posts, they outlined a roadmap for several years, so we could all see where development was going. Nobody was being left behind. Yes, some features (like the old editor) will eventually be turned off, but there is ample time to upgrade.
For instance, once I started using the new block editor for my blogs, old posts just showed up in a classic block. For site visitors, nothing changed.
I can leave those classic block posts as is. Or turn them into blocks and get all the benefits of the new editor with one click.
That’s future-proofing at work.
In Spring 2022, WordPress took the next step by releasing full site editing. You can now use blocks to add and edit content anywhere on the website and do much layout and design that formerly could only happen through hands-on coding or in a page builder. Again, it’s your choice to start using this new feature right now or take some time to learn more about it.
This gradual roll-out of features and backward compatibility builds confidence that WordPress will continue to be a great website platform for years to come.
Tips for Future-Proofing WordPress Core
Stay up-to-date with WordPress developments on the official Make WordPress blog.
Be aware of the changes included in each new version of WordPress.
Embrace the block editor.
Themes
Once upon a time there were themes for just about every kind of site that could be imagined. They came with pre-made layouts and places to drop in content. You wanted to change the look of the website, you got a new theme.
Since the theme is at the heart of a website (2nd only to WordPress), we have to select carefully. If you switch to another theme, the entire design and layout of your website will go away. Yes, the content is still there, but you’ll have lots of work in the new theme to get things to show up where you want them to.
Fortunately, the days of those specialized, fill-in-the-blanks themes are gone. Today, a future-proof theme is really a framework that lets you create the site you want.
In 2021, I switched to using the Kadence Theme for all my website development work. It’s very lightweight and extremely customizable. You can start with a blank canvas. Or choose from a library of starter sites. Except you’re not limited to an entire starter site. Like one page? Pick that. How about just a row or an element of a starter design? Copy it to your own site and insert your content.
The result is a site that’s truly yours.
Kadence is built for block editing and comes with a library of blocks, letting you easily create even complex layouts. And customize them to your heart’s content.
In many ways, Kadence gave us full site editing with blocks before WordPress officially turned on the feature.
In fact, Kadence does a lot of things with blocks that I used to need a page builder for. That’s of course the ultimate promise of full site editing: Everything done with blocks and no need for page builders.
At the same time Kadence plays nice with page builders. Which means I can choose on a page by page basis to create with Kadence blocks or use a page builder. I have even built pages where part of the layout comes from a page builder and part from Kadence blocks or elements. Everything seamless to the website visitor.
Kadence is fairly new on the market, but is aggressively developed and I expect it to be around for a long time to come.
Tips for Future-Proofing Themes
Make sure your theme is being actively developed alongside the latest developments in WordPress core
Select/switch to a theme that is specifically ready for full site editing and block editing
Page Builders
Page builders have been with us for quite a while. They help us customize page design and layout without having to write code. Plus you can see the layout and design you’re creating as you go.
However, the future of WordPress is now full site editing, where you use blocks to build not just posts, but for content everywhere on the site. That means eventually, page builders won’t be needed.
How soon that day comes varies for each of us. There’s definitely a learning curve for full site editing. Because full site editing is new, it’s still rough around the edges. Controls can be confusing or lacking (meaning I’d have to add custom styling [CSS] or code to get the look I want).
For those reasons, the safe approach for now (in 2022) is to still use a page builder. Because we’re used to how they work.
It is, however, important to select the right page builder.
Some page builders are shortcode-based. Meaning if you were to turn off the page builder, there would be no content on the page. Just some shortcodes. Actual content is hidden inside the database and will stay there, unless you are a database geek and know how to extract it.
A better choice is a page builder that places actual content on the page, along with code needed for styling/layout. If you remove the page builder, everything is still on the page. While it won’t display as when the page builder was active, you can access the content and work with it.
All page builders add code to the website, increasing load time. But some page builders add a lot more code than others.
For future-proofing, select a page builder that is lightweight and that doesn’t rely on shortcodes for everything. Then content is still accessible if you were to remove the page builder one day. Or if that page builder were to become defunct.
Note that there is no direct migration path from page builder formatted content to full site editing. Or from one page builder to another page builder. But at least the content is still on the page.
My choice is BeaverBuilder. It adds less weight than many competitors and it doesn’t rely on shortcodes.
BeaverBuilder can also be used on a page by page basis. Meaning you only use it for pages where you need it. A website I recently built has 49 pages and about half use BeaverBuilder, while the others don’t (block editing). As a rule, I also don’t use the page builder at all for blog posts. Because block editing lets me handle content there with much less added code weight.
Tips for Future-Proofing Page Builders
Select a page builder that is light weight and that doesn’t rely on shortcodes for content placement. Then content is still accessible if the page builder is removed or becomes defunct.
To further future-proof your website, start now to learn how to build pages using blocks instead of a page builder. Remember, it’s a page-by-page choice.
Plugins
WordPress websites rely on plugins for a wide range of different purposes. Security, backup, adding specific functionalities, integrations with other services. Even page builders are plugins. And extended features of your theme could come in plugin form.
Plugins may be the hardest area to future-proof. Why? Because many plugin developers don’t publish roadmaps. And sometimes even plugins that have been around for a long time suddenly go away.
Fortunately, there are usually several options for plugins to provide a particular functionality. So we can switch to using an alternative.
Tips for Future-Proofing Plugins
On your website, make certain to update plugins regularly and remove any unused ones.
From time to time also review the plugins on your site and make sure you really still need them. Don’t let a plugin hang around just because it’s always been there.
Invest in premium plugins with active development and support.
Ready for the Future?
WordPress is a great platform to build your website on. One that has been with us for years and will be there for the long haul.
With a future-proofing mindset and care in selecting the tech, a WordPress website built today will still work next year or five years from now. Because there is a real path forward.
I have a couple websites originally built with WordPress in 2010. Everything about them has been updated multiple times. Today they run the latest version of WordPress. There was never a time that WordPress came out with a new version that didn’t include a way to upgrade older websites. Even when block editing came along, it didn’t mess anything up.
That’s how flexible and future-ready WordPress is. When applying best practices and keeping a future-focused mindset, we can rest assured that today’s website will be around for tomorrow and beyond.
No matter how big or small your WordPress site, unwanted WordPress spam in comments sections, site registrations and contact form messages are issues that you’ll need to address.
Left unchecked, WordPress spam comments and spam user registration issues can quickly take over your site with intrusive content that detracts from the message your site is intended to portray.
In this guide, we’ll take you step-by-step through the process of stopping WordPress comment spam. You’ll also learn the best ways to prevent spam registration WordPress messages, end spam user registration efforts, stop WordPress contact form spam, and a lot more. Let’s take a closer look.In This Guide:
Spam has been an annoying, and often serious issue since the Internet became a staple in our lives. In the early days of being online, we became familiar with spam when unsolicited messages started to overtake our email inboxes, promoting everything from car insurance to cheap vacations. In fact, you probably continue to deal with this kind of unwanted spam every time you log into your email.
When discussing the spam that bombards a WordPress website, it’s a more multi-faceted subject than traditional email spam.
In a nutshell, WordPress spam attacks happen in many forms. As a WordPress site owner, chances are that you’ve dealt with these 3 types of WordPress spam:
Comment spam
User registration spam,
Contact form spam
While these WordPress spam attempts are, of course, highly annoying to both you and your site visitors, it’s important to understand that there are also some major security components that are tied to the spam you’re experiencing.
While attacking and defeating WordPress spam head-on might seem like an overwhelming task, protecting your site actually isn’t that difficult. All you need is the right approach and the best tools.
With the many different types of spam attacks happening on WordPress, it’s important to understand the different approaches that spammers take. Then we’ll look at the specific tools and tips that will allow you to take full control of the problem.
WordPress Contact Form Spam Explained
For most websites, a contact form is an absolute necessity. Contact forms help facilitate communication between you and your site visitors in a way that’s streamlined and user-friendly.
However, spammers see your contact form as a way to further promote their agenda.
WordPress contact form spam is different than other types of spam that attack your site. This is because your contact form requires the use of a plugin, unlike site registrations and comments that are natively built-in to your WordPress core installation.
When employing a contact form, you can choose from popular WordPress forms plugins such as Gravity Forms, Ninja Forms, or Contact Form 7. Just as each of these contact form plugins has its own unique set of features, they also employ different ways of eliminating WordPress contact form spam.
The specific features to protect your site from spam will be found in the settings of the plugin you choose. In some cases, you may need to download and install a companion plugin for full spam protection.
More on that later.
How To Stop WordPress Contact Form Spam
While the annoyance factor of receiving contact form spam emails is high, the solution for stopping them dead in their tracks is quite simple.
The first thing you’ll want to do is install a WordPress spam blocker plugin like Askismet.
If you’re using WPBruiser or Akismet, it’s good to know that either one is ready to work in unison with a wide variety of WordPress contact form plugins. In fact, Akismet will work directly out-of-the-box with Jetpack, Ninja Forms, Gravity Forms and Contact Form 7.
Conversely, WPBruiser is a little different in the way it combats WordPress contact form spam. WPBruiser requires a commercial extension in order to work with your WordPress contact form plugin.
With that said, WPBruiser has a much wider range than Akismet for spam protection options on plugins such as Formidable Forms, Fast Secure Contact Form, and the other popular contact form plugins detailed above.
Additionally, you’ll get a free Jetpack contact form extension in the core WPBruiser plugin installation.
No matter the contact form plugin you’re using, Akismet and WPBruiser will use robust spam blocking tools to help keep your contact forms safe from unwanted spam messages.
WordPress User Registration Spam Explained
The WordPress user registration feature is built directly into WordPress core.
The user registration feature is extremely useful for:
Membership sites
Online communities
eCommerce site customer accounts
Unfortunately, spam user registration is an area where spammers can easily focus their bots on malicious spam attacks. To prevent spam registration WordPress issues, it’s important to look at the root of the problem. WordPress stop spam registrations begins there.
A spam user registration consists of a phony site registration by spam bots that intend on spreading their message throughout your site. These spam user registrations will often lead to spam comments in your blog. They can even lead to more malicious attacks involving site security or a cluttered site with an unwanted front-facing membership directory.
What’s more, many WordPress plugins and themes have security vulnerabilities that can allow low-level site users, such as subscribers, to garner access to the administrative settings on your site. This is an important reason to prevent spam registrations WordPress is infamous for.
While the security flaws in themes and plugins typically require a spammer to work in a roundabout method to exploit the built-in vulnerabilities, it’s important to understand that even the most dormant-looking WordPress user registration spam account could be waiting and ready to exploit your site at any time.
Understanding the need to prevent spam registration WordPress attacks is the first step to solving the issue. Then, it’s time to employ a robust spam user registration blocker to put the issue to rest.
The aforementioned WPBruiser plugin will go a long way toward preventing WordPress user registration spam. It’s your first layer of defense in the WordPress stop spam registrations game.
However, there are a few other simple steps you should take in the WordPress stop spam registrations battle. Make sure to read this guide until the end for full details.
WordPress Comment Spam Explained
When you use the built-in WordPress comment section on your website, you’re automatically inviting conversation from users and readers.
Unfortunately, you’re also inviting a bunch of unwanted spam comments. These spam comments distract users from meaningful conversations about your content and severely muddy the overall experience for the user.
As discussed, spambots are constantly looking to exploit vulnerabilities in your WordPress security, which is a major reason to download and install the best WordPress security plugin.
But these same bots also search out and exploiting your comments section in a very malicious way. If you leave your site unprotected, the spambots will litter your entire site with more nonsense comments than you can keep up with. And they can do it in an extremely short timeframe.
WordPress Comment Spam Examples
WordPress comment spam, aside from the obvious blatant advertisements or garbled-up characters that don’t make sense, should quickly stand out to you because they’re highly complementary, but don’t contain any specific information or questions.
For example, you may see WordPress spam comments that read something like:
“Great blog you’ve got here! Beyond that, your website loads quickly and is easy to use. What site host do you use? Would it be possible to get your affiliate link to the host you use? I really wish my site would load as fast as yours. This is great $4/month hosting with a free domain and SSL, if you’re interested.”
“It looks like you’ve really thought through all of what you’ve presented in this post. Your words are very convincing and I think they’ll work. Even still, the posts your write are perfect for newbies. I do think that you should lengthen your future posts a bit. But thank you for this one.”
“I’m a frequent blogger and sincerely appreciate the information you’ve presented. The article really piqued my interest from the very first word. I just bookmarked your site and will check back for new content once every week. I also subscribed to your RSS feed.”
As you can see, these types of comments are very general and don’t address anything specific about your content. Once you understand this very obvious WordPress comment spam technique, they become quite easy to spot.
You may also see lots of question marks in a spam comment. Lots of question marks are a good indicator of spam.
Is Having a Comment Section On WordPress Worth the Trouble?
The easiest and most effective way to immediately put a stop to WordPress comment spam is to simply turn off the commenting function. If you’re not committed to keeping up with user comments, this is the best way to be free from spam comments cluttering up your site.
To turn off comments on individual posts and pages, you can do so from Post or Page settings. Scroll down to the Discussion section.
There are also several comment disabling options from the WordPress dashboard > Settings > Discussion page. From this screen, you can enable additional settings that can help curb comment spam, like requiring users to register to comment.
The WordPress comment moderation field on this page also allows you to set certain words or even IP addresses that will flag a comment to be held in the comment moderation queue, meaning the comment won’t automatically go live on your site.
That said, there are many different types of WordPress sites that have a need for a live and active comments section. This is especially true for blog sites that are content-based and thrive with heavy user interaction.
If your website falls under that category, the first thing you need to do is stop the spam comments from overtaking your little slice of the online world.
Stopping spam comments is going to take a healthy combination of plugins, along with some common sense spam administrative practices.
To start out, the default WordPress settings for the comment section (Settings > Discussion) can easily be adjusted to limit the harm that comment spammers do. When you look under the “Other Comment Settings” heading, it’s important to check the box next to “Automatically close comments on posts older than ___ days,” and “Users must be registered and logged in to comment.”
These are fast resolutions that’ll cut down on your WordPress comment spam immediately.
How to Stop WordPress Spam Comments
If you’ve chosen to make your comments active, the next best thing to do is install a WordPress spam blocker plugin. The plugins you can use for this purpose typically require very little in terms of ongoing maintenance and are quite simple to use.
After the initial setup process, these tools will do their job to keep you from dealing first-hand with the spam that continually bombards your comments.
1. Use a Spam Blocker Plugin like Akismet
Akismet is the first spam blocker to look at for preventing spam comments. It’s one of the few default plugins that come in every installation of WordPress core. Because of this, many WordPress users find Akismet to be one of the best WordPress spam blockers for comment section spam.https://wordpress.org/plugins/akismet/embed/#?secret=2x8NVUsWwL#?secret=Mm1J0eHr1Y
The Askismet plugin works 24 hours per day to filter out any potential spam comments and set questionable ones aside for your moderation. But beyond that, Akismet has a discard feature that automatically blocks out all known spam, which saves you the time and hassle of ever seeing it.
While Akismet does offer a free spam comment blocking feature, it’s important to note that your protection is normally only as good as what you’re willing to pay for. If you’re running a personal site or blog with relatively low traffic, you should be able to get away with running on the free plan.
If, however, your site is for business and pulls in a lot of traffic and comments, it’s best to upgrade to one of the paid commercial protection plans. The paid plans for commercial and business sites begin at only $5 per month. That small fee is more than worth it when you consider the amount of spam that you’ll never need to deal with.
WPBruiser is another option for fully ridding your comments section of unwanted spam posts.
With the WPBruiser application, you’ll get a customizable and free WordPress comment spam blocker plugin that doesn’t rely on any other third-party services. In other words, you won’t need to fumble around with API keys or open your site up to additional privacy or security concerns.
This plugin creates a comment blacklist, which prevents spam bots from even submitting comments at all. You can also set the plugin to clear out your logs after a specified period of time, and it won’t slow down your site like some other spam plugins.
More Powerful WordPress Spam Protection Techniques
To prevent spam registrations WordPress gives us several more options. WordPress user registration spam, comment spam and contact form spam are all enemies of running a successful WordPress website.
1. WordPress CAPTCHA or reCAPTCHA
While we’ve already covered WordPress stop spam registrations techniques and know how to prevent spam registration WordPress is infamously famous for, putting a complete end to spam requires implementing a CAPTCHA.
The best way to do this is by using the iThemes Security Pro plugin to add a WordPress reCAPTCHA to all user comments, user registrations, password resets and logins. This is an incredibly effective tool that determines exactly what a bot is and who your real users are.
To get started using Google reCAPTCHA, enable the option on the main page of the security settings.
The next step is to select which version of reCAPTCHA you want to use and generate your keys from your Google admin.Note: We recommend using reCAPTCHA v3. We cover each of the 3 versions in more detail in the Understanding Different reCAPTCHA versions section.)
Now enable reCAPTCHA on your WordPress user registration, reset password, login, and comments.
Finally, set the number of failed reCAPTCHAs need to trigger a lockout with the Lockout Error Threshold.
Selecting different versions of reCAPTCHA will display different settings.
2. Honeypots
Another helpful idea for throwing bots off your tail is to create a “honeypot field.” This is a form that’s hidden within your page’s code and is invisible to any real people that browse your WordPress site.
However, it attracts spambots.
They view it as another contact form or field to clutter up with spam messages.
The idea with this technique is that the bots will fill out the honeypot field, unaware that it will immediately expose them as spam. The entry is immediately rejected and the message will never land your inbox or cause any other mayhem on your site.
The honeypot technique, in theory, is a simple way to filter spam out of your life. But the reality is that it can sometimes be hit-and-miss. Some of today’s more sophisticated bots may be capable of getting around your honeypot trap.
While a lot of WordPress security plugins and contact form plugins include built-in honeypot features, make sure it isn’t the only solution you use. When you combine it with CAPTCHA and a spam filter plugin, you’ll have robust, multi-layered protection from spam attacks.
It’s also critical to employ a powerful WordPress backup plugin such as BackupBuddy. With the sophistication of today’s spambots, they can wreak all kinds of havoc on your site without warning. If and when that happens, the BackupBuddy plugin will automatically have a fully-functioning backup copy of your WordPress site ready to go, that you can get online immediately.
Make Spam on WordPress a Problem of the Past
WordPress stop spam registrations is a process that none of us want to deal with. However, to prevent spam registration WordPress has given us powerful tools to use.
As we’ve covered in this guide, spam on WordPress comes in many different forms, including emails, comments, and spam registrations. Fortunately, the techniques and tools discussed in this article will give you a strong upper hand on reducing spam on WordPress to an absolute minimum.
Remember, spam is a constant nuisance and, unfortunately, part of our everyday lives. It’s safe to say that none of us, or our websites, are immune to the problem. As such, we have to limit its impact.
Today, many companies are facing the challenge of digitalization, moving their physical commerce to the online world. This is not as easy as it seems, because depending on the type of store and the way it makes sales or contacts with customers, it will need one type of platform or another. Some opt for a classic website, while others opt for CMS functionalities such as WordPress.
In order to make these decisions, it is important to have IT and sales expertise or, failing that, a specialized consultancy.
Many companies recognize that they need to work digitally, but lack the resources to bring in full-time specialists. It seems that the usual format of companies is inflexible when it comes to incorporating this talent that makes periodic rather than daily contributions. To counteract this, the freelance format appears. Thanks to various platforms, it is possible to find different professional profiles and agree on a project-based collaboration, with a fixed and delimited cost.
Table of Contents
What Is The Purpose Of The .Htaccess File?
The necessary aspects for a website to function correctly are content management, programming and files such as .htaccess. This is a hypertext access that serves as a file to configure the software called Apache. It is a widespread server software, but it needs a series of directions to program its behavior to a certain extent.
The .htaccess file indicates the possibilities of action that a user has when entering the web. It can also limit certain actions to give us more control over our own website.
Another use is to configure the server to react to failures in the user’s connection. This will improve the so-called UX or user experience and serve to channel certain user actions.
It also has special relevance when it comes to making a site load better. Optimization is key, and not just to reduce users waiting time. The loading state of a page affects in part the chances of that page appearing among Google’s top results. Therefore, if our website uses the .htaccess file to prioritize load time optimization, it will not only improve the experience of current users but also attract different users.
The .htaccess file is a small document but it can serve as a gateway to an efficient and functional page. According to the parameters and rules entered, when a user enters the site the server directs traffic to the home page that appears in .htaccess. If there are any errors, the server directs the user to a failure page called 404, which is also customizable to some extent. So a bad configuration can be a risk since it will ruin a lot of visits that could be potential customers. This is why it is advisable to leave these files in the hands of professionals.
If there is one aspect that many entrepreneurs need to focus on, it is IT. The shortcomings in this regard have caused many viable projects to stagnate in their digital adaptation phase.
To prevent this from happening, the best thing to do is to have a programmer specialized in WordPress, especially at the start of the project. This professional is used to dealing with the WordPress computer system, programming, file types and promotional options. It is becoming more and more common for companies that do not have their own IT department to hire freelance programmers sporadically for specific periods or for specific actions. This type of contracting is becoming more and more common, as it helps to save costs in small and medium-sized businesses, where sustaining a full-time employee is a significant economic effort.
WordPress And .Htaccess
WordPress is one of the most popular virtual sites among businesses today. Its intuitive website designs and paid promotion options allow many users to do business on the Internet on a daily basis. The .htaccess file also plays a key role in this format.
There are a couple of aspects that are worth relating about WordPress as a beneficiary of .htaccess technology. To begin with, .htaccess files can refer to the entirety of a website, that is, to indicate the desired behavior in any section of it. However, there is also the option of assigning this type of document to each directory, which opens up the possibility of customizing different subsections.
We are talking about a very important element to restrict entry to some server folders, IP addresses, etc. As we can see, these are very necessary protection functions in the current cybersecurity context.
Optimizations For Our .Htaccess File
Different optimizations can be made in this document to take advantage of each and every one of its functionalities. In addition, as our WordPress website is used, it will be necessary to make adjustments that make sense. It is important to remember that, before modifying the .htaccess file, professionals usually make a backup copy. This is because, in case of failure (which can occur even for spelling issues), the page could be out of order. To make things easier, it is recommended to create a duplicate edition and apply the following tips.
Customize The 404 Error Page
The 404 error page is one of the most annoying pages for users because, in many cases, they do not know how they ended up there. Customizing this section allows you to give specific indications or explanations.
Home Page
The .htaccess file allows you to define a default home page, which does not have to be the same as the main page. Many people running personal projects use the “About Us” section as their home page.
Bringing Visitors From Our Old Website
When a client had an old website that has been replaced by another one, it is important to redirect people who enter the old domain. This way they will understand that the content has been moved.
Protect .Htaccess Modification
Parameters must be set so that this master sheet cannot be modified by third parties.
Block Bots And Users
This can be done from .htaccess. It is a way to prevent unwanted access to the website and to protect it from possible attacks.
The security of your WordPress website depends on the systems you implement to protect it and strengthen its security. With the increase in automatic password cracking, your users’ confidential information and access to your site are more at risk than ever.
That’s why it’s so important to further protect your WordPress site by adding two-factor authentication. Because your site is only as secure as your weakest password.
In this article, I’m going to tell you what two-factor authentication or identification is, why it’s so important and how to implement it on your site with easy to use and configure plugins.
Table of Contents
What Is Two-Factor Identification?
Two-factor authentication (2FA) is a type of multi-factor authentication (MFA) and is an additional layer of protection for your website. It is an additional user verification tool, for when someone logs into their account on your WordPress site.
In a standard WordPress setup, a user only has to specify a username and password to log in. Both can be guessed by dictionary attacks or if they are very weak.
When you add two-factor identification to your WordPress site, first, the user will have to enter their username and password as usual, but that’s not the end of it.
Then he will have to provide other information that proves that it is really him who wants to log in. In addition to the password, this information can be one of the following:
Something that only the user knows, usually a password or PIN code.
Something that only the user has, such as a physical device, a phone or a hardware key.
Something to prove that it is you, such as biometric data like a fingerprint or facial scan.
This data can be presented in a variety of different forms, which include:
A text message or phone call that gives a unique code to access.
Biometric proof such as the phone’s fingerprint sensor.
A separate app that users can download that gives them time-based codes that they can enter.
For example, if a user wants to log into a WordPress site, they must first enter their username and password (something only the user knows) . Then, enter two-factor identification, either asking them to verify their identity with a unique code sent by text message or a time-based code in an authentication application (something only the user has).
Or, on a higher security site like a bank might require the username and password (something only the user knows) first. Then, they might require a time-expired PIN code using their card (something only the user has) on a card reader and, as an added benefit, fingerprint scanning if you are logging in via your phone (something to prove you are who you say you are).
Why You Should Add Two-Factor Identification To Your WordPress Site
It’s easier than you think for someone to steal your password. In addition, most of your site users and team members use very weak passwords.
In fact, it probably won’t be news to you that cybercrime is on the rise. In recent years, personal data breaches, data loss and password exposure have been on the rise and are expected to cost the world 5 billion euros annually by 2022.
No matter the size of your website, the rise in automated password hacking means your site could benefit from some additional layers of security.
Enforcing strong WordPress passwords for your users is incredibly important for the security of your website. However, a strong password alone is not enough. One slip of user error could result in a hacker gaining access to your site and could put your customer or user data at risk.
The good news is that this can be stopped by implementing two-factor authentication in WordPress. In fact, even if one of your passwords was breached, the hacker would be stopped at the next stage. Indeed, the second factor would be the last one.
Still not convinced? Here are the benefits of two-factor identification:
Your data will be more secure : A weak password will no longer be the reason for unwanted access to your website.
You will be protected against fraud: 2FA reduces the likelihood that an attacker can impersonate a user.
Your team will have more freedom: Employees can securely access documents and data without putting the information at risk.
You will increase your users’ confidence: Your customers will appreciate that you are taking extra steps to ensure that their data is secure.
Reduce future costs: If your site is protected, you won’t have to spend money to fix it.
Now that we know the benefits of 2FA for your website and your business, it’s time to install it on your WordPress.
How To Add Two-Factor Authentication To Your WordPress Site
The easiest and fastest way to set up WordPress two-factor authentication is to install a plugin.
But as it is becoming more and more complicated to choose among the many plugins for every need, let’s take a look at the easiest 2FA plugins to implement and configure.
What Do You Need To Use 2FA Double Verification?
The only thing you will need, apart from your WordPress web administrator or editor user account and a plugin that includes the activation of double authentication, is a mobile app such as Google Authenticator or Authy, free for iOS and Android, installed on your mobile or tablet.
2FA With WordFence Login Security
Although you already know that I do not recommend it, if for some reason you already use the WordFence plugin, you should know that regarding the two-factor identification this utility is already included, both within the complete plugin and through a plugin that only offers this specific tool, which is recommended in itself: WordFence Login Security.
No matter what you choose, if it is the complete WordFence plugin or the WordFence Login Security plugin, or any of the following, the steps to activate and start using the double identification are exactly the same.
Activate the dual authentication.
Install a two-factor authentication app on your mobile device (Google Authenticator, Authy, etc.).
With the double authentication app, scan the QR code to add the application (your website) to the app.
Save the backup codes, in case you lose your mobile device to be able to log in without the app.
The next time you log in, in addition to the username/email + password, you will be asked for temporary expiration numbers generated by the authentication app for your application (web).
Then the settings:
For which user profiles the double authentication will be mandatory/optional/inactive.
Whether to allow the optional 30-day grace period (so that the user can choose not to be prompted every day).
Require 2FA for XML-RPC connections (recommended)
Also add reCAPTCHA (unnecessary)
Enable NTP protocol (recommended)
WooCommerce integration (optional)
As you’ll see, it delivers perfectly and works flawlessly, so – although I don’t recommend using Wordfence as a security plugin – the Wordfence Login Security plugin is a good option for adding double authentication to your WordPress site.
2FA With IThemes Security
As you may already know, this plugin was one of my favorites until the summer of 2021 when they decided to totally complicate the interface, forcing you to go through a wizard that made difficult what was once simple.
However, if you still use this plugin for the security of your WordPress website, it also includes the option to enable double identification, which you will find in the wizard.
After activating it, and only after completing the tedious setup wizard, you will be able to configure two-factor authentication.
In the settings you will be able to choose the double verification methods:
Mobile App
Email
Backup ID codes
The most common is to choose the mobile app, but if you opt only for the confirmation email method, or only the mobile app, I always recommend activating the backup codes, which are always a lifesaver.
Once you activate them, on the next login, users will be prompted to initiate the login process by double-identification, using the methods you have activated.
Once activated, it is very simple and intuitive.
What is more complicated is how to define for which users to activate double verification, because for this you will have to configure iThemes Security by creating groups of users and, for each one, decide what you activate and how. This is the part that they complicated so much with the damn wizard, and why I currently do not recommend this security plugin.
2FA With SG Security
Another way to enable two-factor identification in WordPress is via SiteGround Security, currently my favorite security plugin, which can be installed on any WordPress site, even if it is not hosted by SiteGround.
The best part is that, like everything in this security plugin, activating two-factor authentication is just one click.
Once two-factor identification is enabled, the next time an administrator or editor user accesses your WordPress site, they will first have to enter their username and password, and then they will be prompted for the temporary expiration numbers generated by the mobile authentication app, and can check the box to not be asked again for it for 30 days.
After logging in, you will be shown the backup codes, encouraged to save them in a safe place, and you will be able to log in.
Subsequently, each user will have the QR code and security code on their profile settings page, as well as the backup codes, in case they forgot to save them on their first two-factor authentication login.
SG Security’s 2-factor identification works with the main double authentication mobile apps, such as Google Authenticator and Authy, and at the moment it is activated by default for administrators and editors, the user profiles with more access and, consequently, more sensitive, although it is planned to extend it to other profiles.
It does not have as many settings as the other plugins, but it makes up for it with simplicity, something that many users value positively, me among them, especially with these new technologies, which tend to be difficult for most users, so although for advanced configurations it could fall short, it seems to me a more than valid option, and above all simple to implement and configure.
2FA With WP 2FA
The last option I will recommend you is a specific plugin for two-factor identification, and that I consider to be the best among the many that there are just for this utility: WP 2FA.
As soon as you install it and activate it, a configuration wizard will start, totally recommended, that will ask you for the methods you want to activate, which users to require the double identification and a few more settings, as you can see in the following screenshots:
As we have already seen before a bit of the terminology of this technology I will not get repetitive, because basically, the wizard settings are the same as in other plugins, so the screenshots are pretty self-explanatory and easy to understand.
Only the screens will change depending on whether you choose identification via mobile app or email.
With this you would have finished configuring the basic settings, but there is still more, because being a specific plugin it has quite a few additional settings, which are not shown in the initial wizard, that you should review.
For this you have a new item in the administration called WP 2FA, with two additional settings configuration pages:
2FA Policies
Settings
2FA Policies
In the 2FA policy you will be able to:
Select the available dual-ID methods
Choose for which profiles to force double identification
Define a grace period or not
Whether an external 2FA settings page will be created for the users or the settings will be in the WordPress admin
Choose where to redirect users to after setting up their 2FA page
Whether users will be able to disable 2FA in their profile or not
WP 2FA Settings
General
In the settings section you will find 3 tabs, namely:
Email settings: Here you can customize the texts and more options of the emails sent by the double authentication system.
General settings: A few technical settings about how the plugin works, which you will normally not have to modify.
White label: You will be happy to know that you can customize the texts that are shown to users in the double authentication process.
As you can see, it is the most complete of all in terms of customization possibilities, there is no possible competition in this regard.
It also has a premium version, payable, but it is not really necessary except for applying double-ID expiration policies, statistics and little else.
What Is The Best 2FA Two-Factor Identification Plugin?
I think it is clear that the most complete is WP 2FA, there is no doubt. The fact that it is a specialized 2FA plugin is noticeable, and beats any of the other options, for customization, for settings, for everything.
Now, should you install a specific 2FA plugin if your security plugin already offers this tool?
Well I think that, unless you NEED some specific functionality offered by the specific plugin and it is not available in your security plugin, I would use the 2FA feature of your security plugin, for not overloading plugin headers in your site, activating more code, having to maintain more plugins, etc. For economy of resources you could say.
If you have a WordPress website you probably think that you are already doing maintenance of your site, and it is not true and you should probably not do it yourself. WordPress web maintenance is essential, and should always be done by professionals, not WordPress publishers, but web maintenance professionals for WordPress.
But why should WordPress web maintenance be done by professionals? why shouldn’t I do it myself, if I even installed WordPress? doesn’t WordPress have automatic updates and shit like that?
Table of Contents
No One Can Be An Expert At Everything
If you want your website to have stability, good performance and be secure, it must be maintained by professional experts in various disciplines, which you alone will never master, mainly for 2 reasons:
It is not your goal in life
You can’t be an expert at everything
As much as you like WordPress and technology you can’t know everything or at least be an expert in everything, you need professionals specialized in different disciplines to make correct web maintenance:
Servers
Web Security
SEO On Page
WordPress Core
Plugin development
Theme development
Performance and resource optimization
Upgrades Are Not Perfect
Yes, WordPress even offers automatic updates in the background, but I’m sorry to discourage you: they are NOT SAFE, ever, for several reasons.
To begin with, no update is routinary, not even minor versions or maintenance and/or security updates, no matter if they are for plugins, themes or WordPress itself.
You should always check that the update does not require any additional action, that it does not modify styles or operations of any tool, that it does not alter the resulting HTML in the pages, that it does not negatively affect the performance and speed of the pages, or simply that it does not bring down the web.
Only a WordPress maintenance service that, before each update is performed, tests the possible consequences on a copy of the website, and only applies them after proving that nothing is broken, is a sufficient guarantee.
Let alone with updates in online stores, where sometimes it is required to update the database, with what that entails, and where it is always latent in what updates will affect sales, orders, customers, etc..
A professional WordPress maintenance service acts differently:
It disables all automatic updates.
Analyze and know in advance all the changes of the updates and what they can affect.
Tests the updates before on a test site, copy of the real one.
Makes backups just before any updates on the real web.
Update the real site.
Check the live site for anything that may have been affected, updating the database if necessary, and making adjustments if there are visible or operational changes.
In case of problems restore the site with the backup from just before the upgrade, to restart the process before a second attempt.
Plugins And Themes Do Not Always Work Well Together
Not only in updates, simply by installing a new plugin you can break the website, duplicate theme functionalities or ruin the SEO of the website by duplicating structured data, HTML tags or PHP functions of the theme or other plugins.
Code execution priorities should be reviewed. Sometimes it is better that a new code/plugin is loaded from the theme functions, or just the opposite, before the theme is loaded, or even before any plugin is loaded, working as a must-have plugin. Order often matters, and you can’t know all the plugins, themes, let alone the code.
A professional web maintenance service must take into account all these dependencies, to avoid problems and, if they occur, know how to solve them quickly.
It is a matter of each service, but in my case I do not allow my WordPress maintenance clients to install plugins, I require them to always ask the maintenance team to install and activate them, for several reasons:
Sometimes we already know in advance that a plugin is not going to work well.
Sometimes we already know in advance which plugin is best for the client’s need.
We always make an additional backup before installing any plugin, in case there are problems when activating it, to recover the website instantly.
Nothing you do in a web installation is trivial, and there is nothing better than relying on professionals with experience in many other websites instead of launching into the adventure testing themes and plugins and then regretting it, without being able to use your website, losing sales, contacts or business for having “tried on your own”.
Internet And WordPress Change And Evolve
Do you have several hours a day to keep yourself up to date on all the new technologies and threats that are on the Internet? Do you test every new WordPress, plugins and themes that come out to adopt the best technology for your website? do you know up to the minute the new algorithms, changes and requirements of Google?
If the answer to all these questions is a resounding “Yes” then perhaps you do not need to rely on different specialists.
If you hire a specialized WordPress maintenance service you can be sure that you will not get stuck and that they will always advise you on all the possible improvements you can make to your website.
A Business Critical Website Needs Constant Attention
Finally, perhaps the most important thing when deciding whether to take care of the maintenance of a WordPress website yourself or to entrust these tasks to professionals is that the web, like your business, needs constant attention and care, and …
If you take care of the business, who takes care of the website?
If you take care of the web, who takes care of the business?
As the person in charge of a business, you should focus your efforts on your business, not on the tools that support or serve the business.
Just as you would not take care of the maintenance of fire extinguishers or lighting of a physical store, but you would be taking care of customers and looking for new sales and promotion opportunities, it makes no sense or logic that you neglect your business to take care of plugins, themes, codes, PHP versions or Apache or LiteSpeed servers, caches or the latest Google algorithm.
If you want your business to move forward you should start thinking about the business, and let other specialists take care of the maintenance (web and others), who will guarantee that the tool will not be a problem for the business.
As you already know all my websites are hosted with SiteGround and it is the hosting that I always recommend for performance, support and also for the extras and improvements they bring to any WordPress website.
Table of Contents
Why SiteGround?
Among these extras, some really important features for WordPress sitesare:
Specific server optimizations for WordPress sites.
3 levels of server caching: NGINX Direct Delivery, Dynamic Cache and Memcached
Full, one-click restorable daily backups
WordPress site-specific security rules and firewalls
Own premium optimizations plugin totally free, that WAS only available on sites hosted by SiteGround
And yes, I say “WAS only available on SiteGround hosted sites” because since version 7.0.0.0 you can now install the SG Optimizerpremium optimizations plugin for free on your WordPress website, regardless of which hosting company it is hosted with.
SG Optimizer
Exactly, from now on you can install the SG Optimizer plugin on your WordPress website, no matter if it is hosted on SiteGround or not. You can have a free optimization plugin with features that are usually only offered by paid optimization plugins.
You install it like any other WordPress plugin, activate it and that’s it.https://wordpress.org/plugins/sg-cachepress/embed/#?secret=AfXGZTamFP#?secret=ZN138Km8WC
You will have a new menu in the WordPress administration, with all the optimization tools of SG Optimizer.
Let’s see what optimizations the plugin offers, indicating those that are available on any hosting or only on sites hosted on SiteGround, because some of the optimizations, depending on server systems, will only be available on SiteGround, but they are the least, most of the optimizations you can take advantage of them on any hosting.
And don’t worry that it will be difficult to configure, the whole plugin is very easy to use, designed for all types of users, with or without technical knowledge.
Improvements
With version 7.0.0.0 SiteGround has not only introduced the improvement that it can be used on any hosting, it has also added enhancements to existing features and some new ones:
NEW – Plugin available for non SiteGround hosted users.
NEW – File-based full page caching
NEW – File-based full page cache for logged in users
NEW – Preload cache (requires FB cache)
NEW – Compression level settings for individual images
Code reprogramming and general improvements
Improved HTML minimization
Improved deferred loading exclusions
Improved automatic emptying of custom content types
Improved cache exclusion for wp-json URLs
Improved option to test cache on URLs
Improved CloudFlare detection
Improved WooCommerce email verification support
Improved WP-CLI support
After testing these changes on several of my sites where I still kept WP Rocket to optimize some aspects that the previous versions of SG Optimizer did not solve well, I have ended up uninstalling WP Rocket, also here at WPHelp, as I now get better times and more optimized pages just with the tools of the SG Optimizer plugin.
Problems With Hosting Companies
Although in principle the SG Optimizer plugin can be used on any hosting, you may encounter some problems with some hosting companies.
Here are the ones that I know of or that you have informed me about, and the solution…
SG Optimizer And GoDaddy
If you have tried to install the SG Optimizer plugin on a GoDaddy hosting you will have found that it won’t let you, that it blocks its installation, just like it does with a lot of other plugins blocked on GoDaddy.
In this case, it’s probably just that it won’t let you install it because prior to version 7.0 SG Optimizer could not be installed on other hostings, and now you can.
My recommendation is that you contact GoDaddy and inform them that this has changed and that there is no security or performance (negative) reason for them to block the installation of the plugin, and that they can remove it from their list of blocked plugins.
Why Do GoDaddy And Some Other Hosting Companies Block The Installation Of WordPress Plugins?
This will not only happen with GoDaddy. There are other hosting companies that, for various reasons, block the installation of various plugins, almost always security and optimization (cache, etc.).
This is usually because their hosting plans are oriented to user profiles with little knowledge and they prefer to block access to certain plugins to avoid configuration errors or possible incompatibilities that would generate more work for their support teams.
Other times it is simply because they prefer to have very closed hosting plans, with basic but secure configurations that, again, generate as few problems and support requests as possible.
This is the way it is.
What Is SG Optimizer Missing?
Yes, this optimization plugin is one of(if not “the”) the best we have available. And you can see it easily changing your optimization plugin with this one and seeing the differences in tests.
But despite this, in my opinion, SG Optimizer still lacks a setting to be perfect: Adding missing dimensions of images. This setting does have WP Rocket but in my tests, overall, on no occasion did WP Rocket manage to outperform in scores and main web metrics the results with SG Optimizer, even being on a hosting that did not take advantage of SiteGround’s caching systems, nor the automatic image optimization or the conversion to WebP.
Of course, testing can vary depending on the type of website and page being analyzed, and in each case you’ll need to adjust different parameters of the optimization plugin tools, adding exclusions, etc. But it’s great to have a free optimization plugin as powerful as SG Optimizer and with so many tools that are usually paid.
And if you want to have all the full features, including their own servers, then I recommend you to host your websites on SiteGround.
Today, March 15, 2022, The Wordfence Incident Response team alerted our Threat Intelligence team to an increase in infected websites hosted on GoDaddy’s Managed WordPress service, which includes MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress sites. These affected sites have a nearly identical backdoor prepended to the wp-config.php file. Of the 298 sites that have been newly infected by this backdoor starting 5 days ago on March 11, at least 281 are hosted with GoDaddy.
We started seeing an overall increase in infected sites starting on March 11th:
The backdoor in question has been in use since at least 2015. It generates spammy Google search results and includes resources customized to the infected site. The main backdoor is added to the very beginning of wp-config.php and looks like this:
The decoded version of the backdoor looks like this:
And continued…
Mechanism of Operation
If a request with a cookie set to a certain base64-encoded value is sent to the site, the backdoor will download a spam link template from a command and control (C2) domain – in this case t-fish-ka[.]ru – and save it to an encoded file with a name set to the MD5 hash of the infected site’s domain. For example, the encoded file for ‘examplesite.com’ would be named 8c14bd67a49c34807b57202eb549e461, which is a hash of that domain.
While the C2 domain does have a Russian TLD, we have no indication this attack campaign is politically motivated or related to the Russian invasion of Ukraine. The domain serves up a blank web page, but in 2019 was serving what appears to be adult content, possibly with an affiliate marketing angle.
The encoded file that is downloaded contains a template based on the infected site source code, but with links to pharmaceutical spam added. This spam link template is set to display whenever the site is accessed.
A snippet of the encoded spam link-template looks like this:
If your site is hosted on GoDaddy’s Managed WordPress platform (which includes MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress sites), we strongly recommend that you manually check your site’s wp-config.php file, or run a scan with a malware detection solution such as the free Wordfence scanner to ensure that your site is not infected.
If you know anyone using GoDaddy’s Managed WordPress hosting, we urge you to forward this advisory to them because malicious search engine results can take a long time to recover from, and acting fast can help minimize the damage.
We made contact with GoDaddy security and have offered to share additional information with them. They did not provide a comment in time for publication.
All product and company names mentioned in this post are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
