How to Stop WordPress Spam: The Ultimate Guide

No matter how big or small your WordPress site, unwanted WordPress spam in comments sections, site registrations and contact form messages are issues that you’ll need to address.

Left unchecked, WordPress spam comments and spam user registration issues can quickly take over your site with intrusive content that detracts from the message your site is intended to portray.

In this guide, we’ll take you step-by-step through the process of stopping WordPress comment spam. You’ll also learn the best ways to prevent WordPress spam user registrations, stop WordPress contact form spam, and a lot more. Let’s take a closer look.

What Is WordPress Spam?

Spam has been an annoying, and often serious issue since the Internet became a staple in our lives. In the early days of being online, we became familiar with spam when unsolicited messages started to overtake our email inboxes, promoting everything from car insurance to cheap vacations. In fact, you probably continue to deal with this kind of unwanted spam every time you log into your email.

When discussing the spam that bombards a WordPress website, it’s a more multi-faceted subject than traditional email spam.

In a nutshell, WordPress spam attacks happen in many forms. As a WordPress site owner, chances are that you’ve dealt with these 3 types of WordPress spam:

  • Comment spam
  • User registration spam
  • Contact form spam

While these WordPress spam attempts are, of course, highly annoying to both you and your site visitors, it’s important to understand that there are also some major security components that are tied to the spam you’re experiencing.


While attacking and defeating WordPress spam head-on might seem like an overwhelming task, protecting your site actually isn’t that difficult. All you need is the right approach and the best tools.

With the many different types of spam attacks happening on WordPress, it’s important to understand the different approaches that spammers take. Then we’ll look at the specific tools and tips that will allow you to take full control of the problem.

WordPress Contact Form Spam Explained

For most websites, a contact form is an absolute necessity. Contact forms help facilitate communication between you and your site visitors in a way that’s streamlined and user-friendly.

However, spammers see your contact form as a way to further promote their agenda.

WordPress contact form spam is different than other types of spam that attack your site. This is because your contact form requires the use of a plugin, unlike site registrations and comments that are natively built-in to your WordPress core installation.

When employing a contact form, you can choose from popular WordPress forms plugins such as Gravity Forms, Ninja Forms, or Contact Form 7. Just as each of these contact form plugins has its own unique set of features, they also employ different ways of eliminating WordPress contact form spam.

The specific features to protect your site from spam will be found in the settings of the plugin you choose. In some cases, you may need to download and install a companion plugin for full spam protection.

More on that later.

How To Stop WordPress Contact Form Spam

While the annoyance factor of receiving contact form spam emails is high, the solution for stopping them dead in their tracks is quite simple.

The first thing you’ll want to do is install a WordPress spam blocker plugin like Akismet.

If you’re using WPBruiser or Akismet, it’s good to know that either one is ready to work in unison with a wide variety of WordPress contact form plugins. In fact, Akismet will work directly out-of-the-box with Jetpack, Ninja Forms, Gravity Forms and Contact Form 7.

Conversely, WPBruiser is a little different in the way it combats WordPress contact form spam. WPBruiser requires a commercial extension in order to work with your WordPress contact form plugin.

That said, WPBruiser supports a much wider range of contact form plugins than Akismet, including Formidable Forms, Fast Secure Contact Form, and the other popular contact form plugins detailed above.

Additionally, you’ll get a free Jetpack contact form extension in the core WPBruiser plugin installation.

No matter the contact form plugin you’re using, Akismet and WPBruiser will use robust spam blocking tools to help keep your contact forms safe from unwanted spam messages.

WordPress User Registration Spam Explained

The WordPress user registration feature is built directly into WordPress core.

The user registration feature is extremely useful for:

  • Membership sites
  • Online communities
  • eCommerce site customer accounts

Unfortunately, user registration is an area where spammers can easily point their bots for malicious spam attacks. To prevent WordPress spam registrations, it’s important to look at the root of the problem, because stopping spam registrations begins there.

A spam user registration is a phony site registration created by a spam bot that intends to spread its message throughout your site. These spam user registrations will often lead to spam comments on your blog. They can even lead to more malicious attacks on site security, or to a cluttered site with an unwanted front-facing membership directory.

What’s more, many WordPress plugins and themes have security vulnerabilities that can allow low-level site users, such as subscribers, to gain access to the administrative settings on your site. This is an important reason to prevent the spam registrations WordPress is infamous for.

While the security flaws in themes and plugins typically require a spammer to work in a roundabout way to exploit the built-in vulnerabilities, it’s important to understand that even the most dormant-looking WordPress spam user account could be waiting and ready to exploit your site at any time.

Understanding the need to prevent WordPress spam registrations is the first step to solving the issue. Then, it’s time to employ a robust spam user registration blocker to put the issue to rest.

The aforementioned WPBruiser plugin will go a long way toward preventing WordPress user registration spam. It’s your first layer of defense against spam registrations.

However, there are a few other simple steps you should take to stop spam registrations. Make sure to read this guide until the end for full details.

WordPress Comment Spam Explained

When you use the built-in WordPress comment section on your website, you’re automatically inviting conversation from users and readers.

Unfortunately, you’re also inviting a bunch of unwanted spam comments. These spam comments distract users from meaningful conversations about your content and severely muddy the overall experience for the user.

As discussed, spambots are constantly looking to exploit vulnerabilities in your WordPress security, which is a major reason to download and install the best WordPress security plugin.

But these same bots also search out and exploit your comments section in a very malicious way. If you leave your site unprotected, the spambots will litter your entire site with more nonsense comments than you can keep up with. And they can do it in an extremely short timeframe.

WordPress Comment Spam Examples

WordPress comment spam, aside from the obvious blatant advertisements or garbled-up characters that don’t make sense, should quickly stand out to you because the comments are highly complimentary but don’t contain any specific information or questions.

For example, you may see WordPress spam comments that read something like:

“Great blog you’ve got here! Beyond that, your website loads quickly and is easy to use. What site host do you use? Would it be possible to get your affiliate link to the host you use? I really wish my site would load as fast as yours. This is great $4/month hosting with a free domain and SSL, if you’re interested.”

“It looks like you’ve really thought through all of what you’ve presented in this post. Your words are very convincing and I think they’ll work. Even still, the posts you write are perfect for newbies. I do think that you should lengthen your future posts a bit. But thank you for this one.”

“I’m a frequent blogger and sincerely appreciate the information you’ve presented. The article really piqued my interest from the very first word. I just bookmarked your site and will check back for new content once every week. I also subscribed to your RSS feed.”

As you can see, these types of comments are very general and don’t address anything specific about your content. Once you understand this very obvious WordPress comment spam technique, they become quite easy to spot.


You may also see lots of question marks in a spam comment; that is another good indicator of spam.
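The spotting rules described above (generic flattery, no reference to the post’s content, runs of question marks, links or prices) can be turned into a simple scorer that mimics the moderation queue. This is an added illustration, not code from the guide or from any plugin; the phrase lists, IP addresses and sample comments are constructed, and the moderation words and IP stand in for what you would type into Settings > Discussion > Comment Moderation.

```python
import re
from dataclasses import dataclass


@dataclass
class Comment:
    author_ip: str
    text: str


# Phrases typical of the generic, content-free flattery quoted above (constructed list).
GENERIC_PHRASES = (
    "great blog", "great post", "bookmarked your site", "subscribed to your rss",
    "check back", "piqued my interest", "perfect for newbies", "affiliate link",
    "what site host", "loads quickly", "your words are very convincing",
)

# Sample entries for the Comment Moderation field (constructed values).
# WordPress matches these words inside other words too, so keep them specific.
MODERATION_WORDS = ("hosting", "free domain", "ssl", "casino")
MODERATION_IPS = ("203.0.113.7",)      # documentation address range, constructed


def spam_score(comment: Comment, post_terms: set[str]) -> tuple[int, list[str]]:
    """Return a spam score and the reasons behind it; higher means more likely spam."""
    text = comment.text.lower()
    score, reasons = 0, []

    if comment.author_ip in MODERATION_IPS:
        score += 5
        reasons.append("author IP is on the moderation list")

    hits = [p for p in GENERIC_PHRASES if p in text]
    if hits:
        score += 2 * len(hits)
        reasons.append(f"generic phrases: {hits}")

    mod_hits = [w for w in MODERATION_WORDS if w in text]
    if mod_hits:
        score += 3 * len(mod_hits)
        reasons.append(f"moderation words: {mod_hits}")

    qmarks = text.count("?")
    if qmarks >= 3:                       # runs of '?' usually replace garbled characters
        score += qmarks
        reasons.append(f"{qmarks} question marks")

    if re.search(r"https?://|\$\d", text):
        score += 2
        reasons.append("contains a link or a price")

    # A comment that never mentions anything specific to the post is suspicious.
    words = set(re.findall(r"[a-z]{4,}", text))
    if post_terms and not (words & post_terms):
        score += 3
        reasons.append("nothing specific to the post")
    return score, reasons


def classify(comment: Comment, post_terms: set[str], hold_at: int = 3, discard_at: int = 8) -> str:
    """Mimic the moderation queue: approve, hold for moderation, or discard as spam."""
    score, _ = spam_score(comment, post_terms)
    if score >= discard_at:
        return "spam"
    if score >= hold_at:
        return "moderate"
    return "approve"


# Constructed sample comments modelled on the examples in the guide.
POST_TERMS = {"discussion", "comments", "akismet", "moderation", "registration"}
SAMPLES = [
    Comment("198.51.100.4", "Great blog you've got here! Your website loads quickly. What site host do you use? "
            "Would it be possible to get your affiliate link? This is great $4/month hosting with a free domain and SSL."),
    Comment("198.51.100.9", "I followed the Discussion settings step and closed comments on posts older than 30 days; "
            "Akismet now catches the rest. Does the lockout threshold also apply to logins?"),
    Comment("203.0.113.7", "??? ???? ?? ????? http://example.invalid"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample, POST_TERMS), spam_score(sample, POST_TERMS))
```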

Is Having a Comment Section On WordPress Worth the Trouble?

The easiest and most effective way to immediately put a stop to WordPress comment spam is to simply turn off the commenting function. If you’re not committed to keeping up with user comments, this is the best way to be free from spam comments cluttering up your site.

You can turn off comments on individual posts and pages from the Post or Page settings: scroll down to the Discussion section.

There are also several comment disabling options from the WordPress dashboard > Settings > Discussion page. From this screen, you can enable additional settings that can help curb comment spam, like requiring users to register to comment.

The WordPress comment moderation field on this page also allows you to set certain words or even IP addresses that will flag a comment to be held in the comment moderation queue, meaning the comment won’t automatically go live on your site.

That said, there are many different types of WordPress sites that have a need for a live and active comments section. This is especially true for blog sites that are content-based and thrive with heavy user interaction.

If your website falls under that category, the first thing you need to do is stop the spam comments from overtaking your little slice of the online world.

Stopping spam comments is going to take a healthy combination of plugins, along with some common sense spam administrative practices.

To start out, the default WordPress settings for the comment section (Settings > Discussion) can easily be adjusted to limit the harm that comment spammers do. When you look under the “Other Comment Settings” heading, it’s important to check the box next to “Automatically close comments on posts older than ___ days,” and “Users must be registered and logged in to comment.”

These are fast resolutions that’ll cut down on your WordPress comment spam immediately.

How to Stop WordPress Spam Comments

If you’ve chosen to make your comments active, the next best thing to do is install a WordPress spam blocker plugin. The plugins you can use for this purpose typically require very little in terms of ongoing maintenance and are quite simple to use.

After the initial setup process, these tools will do their job to keep you from dealing first-hand with the spam that continually bombards your comments.

1. Use a Spam Blocker Plugin like Akismet

Akismet is the first spam blocker to look at for preventing spam comments. It’s one of the few default plugins that come in every installation of WordPress core. Because of this, many WordPress users find Akismet to be one of the best WordPress spam blockers for comment section spam.

The Akismet plugin works 24 hours per day to filter out any potential spam comments and set questionable ones aside for your moderation. But beyond that, Akismet has a discard feature that automatically blocks out all known spam, which saves you the time and hassle of ever seeing it.

While Akismet does offer a free spam comment blocking feature, it’s important to note that your protection is normally only as good as what you’re willing to pay for. If you’re running a personal site or blog with relatively low traffic, you should be able to get away with running on the free plan.

If, however, your site is for business and pulls in a lot of traffic and comments, it’s best to upgrade to one of the paid commercial protection plans. The paid plans for commercial and business sites begin at only $5 per month. That small fee is more than worth it when you consider the amount of spam that you’ll never need to deal with.

WPBruiser is another option for fully ridding your comments section of unwanted spam posts.

With the WPBruiser application, you’ll get a customizable and free WordPress comment spam blocker plugin that doesn’t rely on any other third-party services. In other words, you won’t need to fumble around with API keys or open your site up to additional privacy or security concerns.

This plugin creates a comment blacklist, which prevents spam bots from even submitting comments at all. You can also set the plugin to clear out your logs after a specified period of time, and it won’t slow down your site like some other spam plugins.

More Powerful WordPress Spam Protection Techniques

WordPress gives us several more options to prevent spam registrations. WordPress user registration spam, comment spam and contact form spam are all enemies of running a successful WordPress website.

1. WordPress CAPTCHA or reCAPTCHA

While we’ve already covered techniques to stop the spam registrations WordPress is infamous for, putting a complete end to spam requires implementing a CAPTCHA.

The best way to do this is by using the iThemes Security Pro plugin to add a WordPress reCAPTCHA to all user comments, user registrations, password resets and logins. This is an incredibly effective tool for telling bots apart from your real users.

To get started using Google reCAPTCHA, enable the option on the main page of the security settings.


The next step is to select which version of reCAPTCHA you want to use and generate your keys from your Google reCAPTCHA admin console. (Note: We recommend using reCAPTCHA v3. We cover each of the 3 versions in more detail in the Understanding Different reCAPTCHA Versions section.)


Now enable reCAPTCHA on your WordPress user registration, reset password, login, and comments.

Finally, set the number of failed reCAPTCHAs needed to trigger a lockout with the Lockout Error Threshold.

Selecting different versions of reCAPTCHA will display different settings.

2. Honeypots

Another helpful idea for throwing bots off your tail is to create a “honeypot field.” This is a form field that’s hidden in your page’s code and is invisible to any real people who browse your WordPress site.

However, it attracts spambots, which view it as just another contact form field to clutter up with spam messages.

The idea with this technique is that the bots will fill out the honeypot field, unaware that doing so immediately exposes them as spam. The entry is rejected on the spot, and the message will never land in your inbox or cause any other mayhem on your site.

The honeypot technique, in theory, is a simple way to filter spam out of your life. But the reality is that it can sometimes be hit-and-miss. Some of today’s more sophisticated bots may be capable of getting around your honeypot trap.

While a lot of WordPress security plugins and contact form plugins include built-in honeypot features, make sure it isn’t the only solution you use. When you combine it with CAPTCHA and a spam filter plugin, you’ll have robust, multi-layered protection from spam attacks.

It’s also critical to employ a powerful WordPress backup plugin such as BackupBuddy. With the sophistication of today’s spambots, they can wreak all kinds of havoc on your site without warning. If and when that happens, the BackupBuddy plugin will automatically have a fully-functioning backup copy of your WordPress site ready to go, that you can get online immediately.

Make Spam on WordPress a Problem of the Past

Stopping WordPress spam registrations is a chore that none of us want to deal with. However, WordPress has given us powerful tools to prevent them.

As we’ve covered in this guide, spam on WordPress comes in many different forms, including emails, comments, and spam registrations. Fortunately, the techniques and tools discussed in this article will give you a strong upper hand on reducing spam on WordPress to an absolute minimum.

Remember, spam is a constant nuisance and, unfortunately, part of our everyday lives. It’s safe to say that none of us, or our websites, are immune to the problem. As such, we have to limit its impact.

Source :
https://ithemes.com/blog/how-to-stop-wordpress-spam/

Google Project Zero Detects a Record Number of Zero-Day Exploits in 2021

Google Project Zero called 2021 a “record year for in-the-wild 0-days,” as 58 security vulnerabilities were detected and disclosed during the course of the year.

The development marks more than a two-fold jump from the previous maximum when 28 0-day exploits were tracked in 2015. In contrast, only 25 0-day exploits were detected in 2020.

“The large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits,” Google Project Zero security researcher Maddie Stone said.

“Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces,” Stone added.

The tech giant’s in-house security team characterized the exploits as similar to previous and publicly known vulnerabilities, with only two of them markedly different for the technical sophistication and use of logic bugs to escape the sandbox.

Both of them relate to FORCEDENTRY, a zero-click iMessage exploit attributed to the Israeli surveillanceware company NSO Group. “The exploit was an impressive work of art,” Stone said.

The sandbox escape is “notable for using only logic bugs,” Google Project Zero researchers Ian Beer and Samuel Groß explained last month. “The most striking takeaway is the depth of the attack surface reachable from what would hopefully be a fairly constrained sandbox.”

A platform-wise breakdown of these exploits shows that most of the in-the-wild 0-days originated from Chromium (14), followed by Windows (10), Android (7), WebKit/Safari (7), Microsoft Exchange Server (5), iOS/macOS (5), and Internet Explorer (4).

Of the 58 in-the-wild 0-days observed in 2021, 39 were memory corruption vulnerabilities, with the bugs stemming as a consequence of use-after-free (17), out-of-bounds read and write (6), buffer overflow (4), and integer overflow (4) flaws.

It’s also worth noting that 13 out of the 14 Chromium 0-days were memory corruption vulnerabilities, most of which, in turn, were use-after-free vulnerabilities.

What’s more, Google Project Zero pointed out the lack of public examples highlighting in-the-wild exploitation of 0-day flaws in messaging services like WhatsApp, Signal, and Telegram as well as other components, including CPU cores, Wi-Fi chips, and the cloud.

“This leads to the question of whether these 0-days are absent due to lack of detection, lack of disclosure, or both?,” Stone said, adding, “As an industry we’re not making 0-day hard.”

“0-day will be harder when, overall, attackers are not able to use public methods and techniques for developing their 0-day exploits,” forcing them “to start from scratch each time we detect one of their exploits.”

Source :
https://thehackernews.com/2022/04/google-project-zero-detects-record.html

Tips For An Optimized .Htaccess In WordPress


January 7, 2022 / Security, SEO, Tips / Guides, WordPress.org, WPO / 5 minutes of reading

Today, many companies are facing the challenge of digitalization, moving their physical commerce to the online world. This is not as easy as it seems, because depending on the type of store and the way it makes sales or contacts with customers, it will need one type of platform or another. Some opt for a classic website, while others opt for CMS functionalities such as WordPress.

In order to make these decisions, it is important to have IT and sales expertise or, failing that, a specialized consultancy.

Many companies recognize that they need to work digitally, but lack the resources to bring in full-time specialists. It seems that the usual format of companies is inflexible when it comes to incorporating this talent that makes periodic rather than daily contributions. To counteract this, the freelance format appears. Thanks to various platforms, it is possible to find different professional profiles and agree on a project-based collaboration, with a fixed and delimited cost.


What Is The Purpose Of The .Htaccess File?

The things a website needs in order to function correctly are content management, programming and files such as .htaccess. The name stands for “hypertext access”; it is a file used to configure the Apache web server. Apache is widely used server software, but it needs a series of directives to shape its behavior.

The .htaccess file defines what a user is allowed to do when visiting the website. It can also limit certain actions, giving us more control over our own site.

Another use is to configure the server to react to failures in the user’s connection. This will improve the so-called UX or user experience and serve to channel certain user actions.

It also has special relevance when it comes to making a site load faster. Optimization is key, and not just to reduce users’ waiting time. Page load time partly affects the chances of that page appearing among Google’s top results. Therefore, if our website uses the .htaccess file to prioritize load time optimization, it will not only improve the experience of current users but also attract new ones.

The .htaccess file is a small document, but it can serve as a gateway to an efficient and functional page. According to the parameters and rules entered, when a user enters the site the server directs traffic to the home page defined in .htaccess. If there are any errors, the server directs the user to a 404 error page, which is also customizable to some extent. So a bad configuration is a risk, since it will ruin a lot of visits from potential customers. This is why it is advisable to leave these files in the hands of professionals.

If there is one aspect that many entrepreneurs need to focus on, it is IT. The shortcomings in this regard have caused many viable projects to stagnate in their digital adaptation phase.

To prevent this from happening, the best thing to do is to have a programmer specialized in WordPress, especially at the start of the project. This professional is used to dealing with the WordPress computer system, programming, file types and promotional options. It is becoming more and more common for companies that do not have their own IT department to hire freelance programmers sporadically for specific periods or for specific actions. This type of contracting is becoming more and more common, as it helps to save costs in small and medium-sized businesses, where sustaining a full-time employee is a significant economic effort.

WordPress And .Htaccess

WordPress is one of the most popular website platforms among businesses today. Its intuitive website designs and paid promotion options allow many users to do business on the Internet on a daily basis. The .htaccess file also plays a key role on this platform.

There are a couple of aspects worth mentioning about how WordPress benefits from .htaccess. To begin with, an .htaccess file can apply to the entire website, that is, it can define the desired behavior in any section of it. However, there is also the option of placing this type of file in each directory, which opens up the possibility of customizing different subsections.

It is also a very important tool for restricting access to certain server folders, blocking IP addresses, and so on. As we can see, these are very necessary protection functions in the current cybersecurity context.

Optimizations For Our .Htaccess File

Different optimizations can be made in this file to take advantage of each and every one of its functionalities. In addition, as our WordPress website is used, it will be necessary to make adjustments that make sense. It is important to remember that, before modifying the .htaccess file, professionals usually make a backup copy. This is because, in case of failure (which can be caused by something as small as a typo), the page could be out of order. To make things easier, it is recommended to create a duplicate copy and apply the following tips.

Customize The 404 Error Page

The 404 error page is one of the most annoying pages for users because, in many cases, they do not know how they ended up there. Customizing this section allows you to give specific indications or explanations.

Home Page

The .htaccess file allows you to define a default home page, which does not have to be the same as the main page. Many people running personal projects use the “About Us” section as their home page.

Bringing Visitors From Our Old Website

When a client had an old website that has been replaced by another one, it is important to redirect people who enter the old domain. This way they will understand that the content has been moved.

Protect .Htaccess Modification

Rules must be set so that this file cannot be modified by third parties.

Block Bots And Users

This can be done from .htaccess. It is a way to prevent unwanted access to the website and to protect it from possible attacks.
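The five tips above, written out as an .htaccess fragment for an Apache 2.4 document root that hosts WordPress. This is an added example and not from the original article; the domains, file names and the 203.0.113.0/24 address range are constructed placeholders, it assumes mod_rewrite and mod_setenvif are loaded, and it should sit outside the `# BEGIN WordPress` / `# END WordPress` block that WordPress rewrites itself.

```apache
# Custom 404 page: a static file or a WordPress page under the document root
ErrorDocument 404 /404.html

# Default page served for the directory (first match wins)
DirectoryIndex index.php index.html

# Bring visitors from the old domain to the same path on the new one (permanent redirect)
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)?old-example\.com$ [NC]
RewriteRule ^(.*)$ https://new-example.com/$1 [R=301,L]

# Protect .htaccess and .htpasswd from being served to the web
# (on disk, also keep the file owned by the deploy user with restrictive permissions)
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Block an abusive address range and user agents you have identified as bots
BrowserMatchNoCase "badbot|evilscraper" bad_bot
<RequireAll>
    Require all granted
    Require not ip 203.0.113.0/24
    Require not env bad_bot
</RequireAll>
```

Test every change on a staging copy first: a single mistyped directive here returns a 500 error for the whole site, which is exactly the failure the article warns about.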

Source :
https://wphelp.blog/tips-for-an-optimized-htaccess-in-wordpress/

How To Set Up 2-Factor Authentication (2FA)

The security of your WordPress website depends on the systems you implement to protect it and strengthen its security. With the increase in automatic password cracking, your users’ confidential information and access to your site are more at risk than ever.

That’s why it’s so important to further protect your WordPress site by adding two-factor authentication. Because your site is only as secure as your weakest password.

In this article, I’m going to tell you what two-factor authentication or identification is, why it’s so important and how to implement it on your site with easy to use and configure plugins.


What Is Two-Factor Identification?

Two-factor authentication (2FA) is a type of multi-factor authentication (MFA) and is an additional layer of protection for your website. It is an additional user verification tool, for when someone logs into their account on your WordPress site.

In a standard WordPress setup, a user only has to specify a username and password to log in. Both can be guessed by dictionary attacks or if they are very weak.

When you add two-factor identification to your WordPress site, first, the user will have to enter their username and password as usual, but that’s not the end of it.

Then they will have to provide other information that proves that it is really them who wants to log in. In addition to the password, this information can be one of the following:

  • Something that only the user knows, usually a password or PIN code.
  • Something that only the user has, such as a physical device, a phone or a hardware key.
  • Something to prove that it is you, such as biometric data like a fingerprint or facial scan.

This data can be presented in a variety of different forms, which include:

  • A text message or phone call that gives a unique code to access.
  • Biometric proof such as the phone’s fingerprint sensor.
  • A separate app that users can download that gives them time-based codes that they can enter.

For example, if a user wants to log into a WordPress site, they must first enter their username and password (something only the user knows). Then two-factor identification kicks in, asking them to verify their identity either with a unique code sent by text message or with a time-based code from an authentication application (something only the user has).

Or a higher security site, like a bank, might require the username and password (something only the user knows) first. Then it might require a time-expiring PIN code generated with the customer’s card (something only the user has) on a card reader and, as an added benefit, a fingerprint scan if you are logging in via your phone (something to prove you are who you say you are).

Why You Should Add Two-Factor Identification To Your WordPress Site

It’s easier than you think for someone to steal your password. In addition, most of your site users and team members use very weak passwords.

In fact, it probably won’t be news to you that cybercrime is on the rise. In recent years, personal data breaches, data loss and password exposure have been on the rise and are expected to cost the world 5 billion euros annually by 2022.

No matter the size of your website, the rise in automated password hacking means your site could benefit from some additional layers of security.

Enforcing strong WordPress passwords for your users is incredibly important for the security of your website. However, a strong password alone is not enough. One slip of user error could result in a hacker gaining access to your site and could put your customer or user data at risk.

The good news is that this can be stopped by implementing two-factor authentication in WordPress. In fact, even if one of your passwords was breached, the hacker would be stopped at the next stage. Indeed, the second factor would be the final barrier.

Still not convinced? Here are the benefits of two-factor identification:

  • Your data will be more secure: A weak password will no longer be the reason for unwanted access to your website.
  • You will be protected against fraud: 2FA reduces the likelihood that an attacker can impersonate a user.
  • Your team will have more freedom: Employees can securely access documents and data without putting the information at risk.
  • You will increase your users’ confidence: Your customers will appreciate that you are taking extra steps to ensure that their data is secure.
  • Reduce future costs: If your site is protected, you won’t have to spend money to fix it.

Now that we know the benefits of 2FA for your website and your business, it’s time to install it on your WordPress site.

How To Add Two-Factor Authentication To Your WordPress Site

The easiest and fastest way to set up WordPress two-factor authentication is to install a plugin.

But as it is becoming more and more complicated to choose among the many plugins for every need, let’s take a look at the easiest 2FA plugins to implement and configure.

What Do You Need To Use 2FA Double Verification?

The only thing you will need, apart from your WordPress administrator or editor user account and a plugin that includes two-factor authentication, is a mobile app such as Google Authenticator or Authy (free for iOS and Android) installed on your phone or tablet.

2FA With WordFence Login Security

Although you already know that I do not recommend it, if for some reason you already use the WordFence plugin, you should know that two-factor identification is already included, both in the complete plugin and in a plugin that offers only this specific tool, which is recommended in itself: WordFence Login Security.

No matter what you choose, if it is the complete WordFence plugin or the WordFence Login Security plugin, or any of the following, the steps to activate and start using the double identification are exactly the same.

  1. Activate two-factor authentication in the plugin.
  2. Install an authenticator app on your mobile device (Google Authenticator, Authy, etc.).
  3. With the authenticator app, scan the QR code to add the application (your website) to the app.
  4. Save the backup codes, so that you can still log in without the app if you lose your mobile device.
  5. The next time you log in, in addition to your username/email and password, you will be asked for the time-limited code that the authenticator app generates for your site.

Then the settings:

  • For which user profiles the double authentication will be mandatory/optional/inactive.
  • Whether to allow the optional 30-day grace period (so that the user can choose not to be prompted every day).
  • Require 2FA for XML-RPC connections (recommended)
  • Also add reCAPTCHA (unnecessary)
  • Enable NTP protocol (recommended)
  • WooCommerce integration (optional)
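To make the steps above concrete, here is an added example (not code from the original post or from any of the plugins it describes) of what happens after the QR code is scanned: the QR code carries a base32 secret, the app derives a six-digit RFC 6238 TOTP code from that secret and the current time, and the site checks the submitted code against the same computation. The secret `JBSWY3DPEHPK3PXP` is a constructed sample, and `Get-Totp`/`Test-Totp` are names chosen for this illustration.

```powershell
# Added example: minimal RFC 6238 TOTP generation and verification in PowerShell.
# Not part of the original post; the secret below is a constructed sample only.

function ConvertFrom-Base32 {
    # Decode the base32 secret carried in the otpauth:// QR code into raw bytes.
    param([Parameter(Mandatory)][string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $bits = ''
    foreach ($c in ($Base32 -replace '\s', '').ToUpperInvariant().TrimEnd('=').ToCharArray()) {
        $idx = $alphabet.IndexOf($c)
        if ($idx -lt 0) { throw "Invalid base32 character: $c" }
        $bits += [Convert]::ToString($idx, 2).PadLeft(5, '0')
    }
    $bytes = New-Object System.Collections.Generic.List[byte]
    for ($i = 0; $i + 8 -le $bits.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bits.Substring($i, 8), 2))
    }
    return $bytes.ToArray()
}

function Get-Totp {
    # What the authenticator app computes: HMAC-SHA1(secret, time/30s), dynamically truncated.
    param(
        [Parameter(Mandatory)][string]$Base32Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Step = 30,
        [int]$Digits = 6
    )
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)             # 8-byte counter ...
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }  # ... big-endian per RFC 4226
    $hmac = [System.Security.Cryptography.HMACSHA1]::new((ConvertFrom-Base32 $Base32Secret))
    $hash = $hmac.ComputeHash($msg)
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $bin = (([int]$hash[$offset] -band 0x7F) -shl 24) -bor ([int]$hash[$offset + 1] -shl 16) `
        -bor ([int]$hash[$offset + 2] -shl 8) -bor [int]$hash[$offset + 3]
    $otp = $bin % [int][math]::Pow(10, $Digits)
    return $otp.ToString().PadLeft($Digits, '0')
}

function Test-Totp {
    # What the site does at login: accept the code for the current step and +/- $Window
    # neighbouring steps, to tolerate small clock differences between phone and server.
    # If the server clock drifts further than that, every code is rejected, which is why
    # keeping the server time synchronised (the NTP setting above) matters.
    param(
        [Parameter(Mandatory)][string]$Base32Secret,
        [Parameter(Mandatory)][string]$Code,
        [int]$Window = 1,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Step = 30
    )
    foreach ($i in (-$Window)..$Window) {
        $candidate = Get-Totp -Base32Secret $Base32Secret -UnixTime ($UnixTime + $i * $Step) -Step $Step
        if ($candidate -eq $Code) { return $true }
    }
    return $false
}

# Constructed sample secret (the value a QR code would contain), not a real key.
$sampleSecret = 'JBSWY3DPEHPK3PXP'
$code = Get-Totp -Base32Secret $sampleSecret
"Current code: $code"
"Verifies now: $(Test-Totp -Base32Secret $sampleSecret -Code $code)"
"Verifies 5 minutes later: $(Test-Totp -Base32Secret $sampleSecret -Code $code -UnixTime ([DateTimeOffset]::UtcNow.ToUnixTimeSeconds() + 300))"
```

The generator can be checked against the test vectors in Appendix B of RFC 6238 (SHA-1 variant) by passing the appendix's time values to `-UnixTime`. A production implementation additionally records the last accepted counter so a code cannot be replayed within its window, and compares codes in constant time; both are left out here to keep the mechanism visible.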

As you’ll see, it delivers and works flawlessly, so – although I don’t recommend Wordfence as a security plugin – the Wordfence Login Security plugin is a good option for adding two-factor authentication to your WordPress site.

2FA With iThemes Security

As you may already know, this plugin was one of my favorites until the summer of 2021 when they decided to totally complicate the interface, forcing you to go through a wizard that made difficult what was once simple.

However, if you still use this plugin for the security of your WordPress website, it also includes the option to enable two-factor authentication, which you will find in the wizard.

After activating it, and only after completing the tedious setup wizard, you will be able to configure two-factor authentication.

In the settings you will be able to choose the two-factor verification methods:

  • Mobile App
  • Email
  • Backup ID codes

The most common choice is the mobile app, but whether you opt only for the confirmation email method or only for the mobile app, I always recommend activating the backup codes, which are always a lifesaver.

Once you activate them, on the next login users will be prompted to complete two-factor authentication using the methods you have enabled.

Once activated, it is very simple and intuitive.

What is more complicated is defining for which users to activate two-factor verification, because for this you will have to configure iThemes Security by creating groups of users and, for each one, decide what you activate and how. This is the part that they complicated so much with the damn wizard, and why I currently do not recommend this security plugin.

2FA With SG Security

Another way to enable two-factor authentication in WordPress is via SiteGround Security, currently my favorite security plugin, which can be installed on any WordPress site, even if it is not hosted by SiteGround.

The best part is that, like everything in this security plugin, activating two-factor authentication is just one click.

Once two-factor authentication is enabled, the next time an administrator or editor logs in to your WordPress site they will first enter their username and password and then be prompted for the time-limited code generated by the mobile authenticator app; they can check a box to not be asked again for 30 days.

After logging in, you will be shown the backup codes, encouraged to save them in a safe place, and you will be able to log in.

Subsequently, each user will have the QR code and security code on their profile settings page, as well as the backup codes, in case they forgot to save them on their first two-factor authentication login.

SG Security’s 2FA works with the main authenticator apps, such as Google Authenticator and Authy. At the moment it is enabled by default for administrators and editors, the user roles with the most access and therefore the most sensitive, although it is planned to extend it to other roles.

It does not have as many settings as the other plugins, but it makes up for that with simplicity, something many users (me among them) value positively, especially with technologies like this, which tend to be difficult for most users. For advanced configurations it may fall short, but it seems to me a more than valid option and, above all, simple to implement and configure.

2FA With WP 2FA

The last option I will recommend is a plugin dedicated to two-factor authentication, and the one I consider the best among the many that exist just for this purpose: WP 2FA.

As soon as you install and activate it, a configuration wizard will start (highly recommended) that will ask you for the methods you want to enable, which users must use two-factor authentication and a few more settings, as you can see in the following screenshots:

Since we have already covered the terminology of this technology, I will not repeat myself: the wizard settings are basically the same as in the other plugins, so the screenshots are self-explanatory and easy to understand.

Only the screens will change depending on whether you choose identification via mobile app or email.

With this you will have finished configuring the basic settings, but there is more: being a dedicated plugin, it has quite a few additional settings that are not shown in the initial wizard and that you should review.

For this you have a new item in the administration called WP 2FA, with two additional settings configuration pages:

  • 2FA Policies
  • Settings

2FA Policies

In the 2FA policy you will be able to:

  • Select the available 2FA methods
  • Choose for which roles to enforce two-factor authentication
  • Define a grace period or not
  • Whether an external 2FA settings page will be created for the users or the settings will be in the WordPress admin
  • Choose where to redirect users to after setting up their 2FA page
  • Whether users will be able to disable 2FA in their profile or not

WP 2FA Settings

General

In the settings section you will find 3 tabs, namely:

  • Email settings: Here you can customize the texts and other options of the emails sent by the two-factor authentication system.
  • General settings: A few technical settings about how the plugin works, which you will normally not have to modify.
  • White label: You will be happy to know that you can customize the texts shown to users during the two-factor authentication process.

As you can see, it is the most complete of all in terms of customization possibilities; there is no competition in this regard.

It also has a paid premium version, but it is not really necessary except for applying 2FA expiration policies, statistics and little else.

What Is The Best 2FA Plugin?

I think it is clear that the most complete is WP 2FA, there is no doubt. The fact that it is a specialized 2FA plugin shows, and it beats any of the other options for customization, for settings, for everything.

Now, should you install a dedicated 2FA plugin if your security plugin already offers this tool?

Well, I think that unless you NEED some specific functionality offered by the dedicated plugin that is not available in your security plugin, I would use the 2FA feature of your security plugin, so as not to add more plugin headers to your site, activate more code, maintain more plugins, and so on. Call it economy of resources.

Source :
https://wphelp.blog/how-to-set-up-2-factor-authentication2fa/

5 Reasons Why You Should Be Careful With The Maintenance Of Your WordPress

If you have a WordPress website you probably think that you are already doing maintenance on your site; that is not true, and you probably should not do it yourself. WordPress web maintenance is essential and should always be done by professionals: not WordPress publishers, but web maintenance professionals for WordPress.

But why should WordPress web maintenance be done by professionals? Why shouldn’t I do it myself, if I even installed WordPress? Doesn’t WordPress have automatic updates and shit like that?


No One Can Be An Expert At Everything


If you want your website to have stability, good performance and be secure, it must be maintained by professional experts in various disciplines, which you alone will never master, mainly for 2 reasons:

  1. It is not your goal in life
  2. You can’t be an expert at everything

As much as you like WordPress and technology, you can’t know everything, or at least be an expert in everything; you need professionals specialized in different disciplines to do web maintenance correctly:

  • Servers
  • Web Security
  • SEO On Page
  • WordPress Core
  • Plugin development
  • Theme development
  • Performance and resource optimization

Updates Are Not Perfect

Yes, WordPress even offers automatic updates in the background, but I’m sorry to discourage you: they are NOT SAFE, ever, for several reasons.

To begin with, no update is routine, not even minor versions or maintenance and/or security updates, no matter whether they are for plugins, themes or WordPress itself.

You should always check that the update does not require any additional action, that it does not modify the styles or operation of any tool, that it does not alter the resulting HTML of the pages, that it does not negatively affect the performance and speed of the pages, or simply that it does not bring down the site.

Only a WordPress maintenance service that, before each update is performed, tests the possible consequences on a copy of the website, and only applies the update after proving that nothing is broken, is a sufficient guarantee.

This applies even more to updates in online stores, where sometimes the database must be updated as well, with everything that entails, and where the question of how updates will affect sales, orders, customers, etc. is always present.

A professional WordPress maintenance service acts differently:

  1. It disables all automatic updates.
  2. It analyzes and knows in advance all the changes in the updates and what they can affect.
  3. It tests the updates first on a test site, a copy of the real one.
  4. It makes backups just before any update on the real site.
  5. It updates the real site.
  6. It checks the live site for anything that may have been affected, updating the database if necessary and making adjustments if there are visible or operational changes.
  7. In case of problems it restores the site from the backup taken just before the update, and restarts the process before a second attempt.

Plugins And Themes Do Not Always Work Well Together


Not only with updates: simply installing a new plugin can break the website, duplicate theme functionality or ruin the SEO of the site by duplicating structured data, HTML tags or PHP functions of the theme or other plugins.

Code execution priorities should be reviewed. Sometimes it is better that new code or a plugin is loaded from the theme’s functions, or just the opposite, before the theme is loaded, or even before any other plugin is loaded, working as a must-use plugin. Order often matters, and you can’t know all the plugins and themes, let alone their code.

A professional web maintenance service must take into account all these dependencies, to avoid problems and, if they occur, know how to solve them quickly.

It depends on each service, but in my case I do not allow my WordPress maintenance clients to install plugins; I require them to always ask the maintenance team to install and activate them, for several reasons:

  • Sometimes we already know in advance that a plugin is not going to work well.
  • Sometimes we already know in advance which plugin is best for the client’s need.
  • We always make an additional backup before installing any plugin, in case there are problems when activating it, to recover the website instantly.

Nothing you do in a web installation is trivial, and there is nothing better than relying on professionals with experience in many other websites instead of launching into the adventure testing themes and plugins and then regretting it, without being able to use your website, losing sales, contacts or business for having “tried on your own”.

Internet And WordPress Change And Evolve

Do you have several hours a day to keep yourself up to date on all the new technologies and threats on the Internet? Do you test every new WordPress, plugin and theme release to adopt the best technology for your website? Do you know up to the minute the new algorithms, changes and requirements of Google?

If the answer to all these questions is a resounding “Yes”, then perhaps you do not need to rely on different specialists.

If you hire a specialized WordPress maintenance service you can be sure that you will not get stuck and that they will always advise you on all the possible improvements you can make to your website.

A Business Critical Website Needs Constant Attention

Finally, perhaps the most important thing when deciding whether to take care of the maintenance of a WordPress website yourself or to entrust these tasks to professionals is that the web, like your business, needs constant attention and care, and …

  • If you take care of the business, who takes care of the website?
  • If you take care of the web, who takes care of the business?

As the person in charge of a business, you should focus your efforts on your business, not on the tools that support or serve the business.

Just as you would not take care of the maintenance of fire extinguishers or lighting of a physical store, but you would be taking care of customers and looking for new sales and promotion opportunities, it makes no sense or logic that you neglect your business to take care of plugins, themes, codes, PHP versions or Apache or LiteSpeed servers, caches or the latest Google algorithm.

If you want your business to move forward you should start thinking about the business, and let other specialists take care of the maintenance (web and others), who will guarantee that the tool will not be a problem for the business.

Source :
https://wphelp.blog/5-reasons-why-you-should-be-careful-with-the-maintenance-of-your-wordpress/

Connect Windows Admin Center to Azure

In this post we will be going through connecting Windows Admin Center to Azure to allow management of Azure VMs. To install WAC, see the previous post.

The Azure integration allows the management of Azure and on-prem servers from a single console.

The first step is to register WAC with Azure. Open the WAC admin console and go to the Settings tab.

Go to Azure under the gateway settings. Copy the code, click the enter-code hyperlink and enter the code.

Sign in using an admin account on the Azure tenant.

Now go back to WAC and click Connect to finish the registration.

Once WAC is registered, admin consent must be granted to the application registration in Azure.

Now that the registration is complete, we can add Azure VMs to WAC: go to Add and select Azure VM.

Select the subscription (if there are multiple subscriptions in your tenant), the resource group and the VM to be added.

Once the Azure VM is added, the management ports will need to be opened to allow a connection between WAC and the Azure VM. If you are using a site-to-site VPN you can just allow the ports over the VPN connection.

I have a public IP associated with my VM and I will be modifying my network security group to allow the ports from my public IP.

I won’t be going through configuring an NSG, as this was covered in a previous post.

On the VM itself you need to enable WinRM and allow port 5985 through the Windows Firewall, if it is enabled. This can be done by running the two commands below from an admin PowerShell session.

winrm quickconfig
Set-NetFirewallRule -Name WINRM-HTTP-In-TCP-PUBLIC -RemoteAddress Any
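The second command above opens the WinRM HTTP rule to any remote address, leaving the NSG as the only thing limiting who can reach port 5985. Since the post already restricts the NSG to the gateway’s public IP, the host firewall can be scoped the same way. The following is an added example, not from the original post; `203.0.113.10` is a documentation-range placeholder standing in for the WAC gateway’s address.

```powershell
# Added example (not from the original post): scope the WinRM firewall rule to the
# WAC gateway instead of Any, and verify the result. Run from an admin PowerShell session.
$wacGateway = '203.0.113.10'   # placeholder: replace with your gateway's public IP

# Enable the WinRM service and its HTTP listener (equivalent to "winrm quickconfig").
winrm quickconfig -quiet

# Restrict the built-in public-profile WinRM rule to the gateway only.
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC' -RemoteAddress $wacGateway -Enabled True

# Verify the scope the rule now carries.
Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP-PUBLIC' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Confirm the listener exists on the VM.
Get-ChildItem WSMan:\localhost\Listener
```

From the gateway side, `Test-WSMan -ComputerName <vm-public-ip>` confirms that the VM answers on 5985 once both the NSG and the host rule allow the gateway. Port 5985 carries WinRM over HTTP; WinRM still encrypts message payloads with Kerberos or NTLM, but if you want transport encryption as well, the `WINRM-HTTPS-In-TCP` rule and a 5986 listener with a certificate are the alternative.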

Once the NSG is configured, we should be able to connect to the VM.

The overview of the VM is shown below. We can also connect to the VM using the integrated RDP console in WAC.

WAC also allows us to manage services, scheduled tasks, backups, check event logs and other admin tasks, along with connecting using remote PowerShell directly from WAC.

Source :
https://thesleepyadmins.com/2020/05/23/connect-windows-admin-center-to-azure/

Bulk add and remove Office 365 Licences

I recently had to move around a few thousand EMS licences to enable MFA for Office 365 and Azure, so I decided to write two quick scripts to remove and add back the licences for the required users. I thought I would do a quick post on how I moved the licences.

As always any scripts should be tested on a subset of users before running on larger groups to test that they work as expected.

For these scripts we need the MSOnline PowerShell module installed.

To check if the module is installed, run

Get-Module -ListAvailable MSOnline

The first step is to get the AccountSKU. To do this, run Import-Module MSOnline and then Connect-MsolService, followed by:

Get-MsolAccountSku | Select-Object AccountSkuId

To make things easier and more repeatable, in case I need to remove or add other licences, I am using Out-GridView -PassThru to select the CSV file and also the licence SKU.

The first Out-GridView is for the CSV file containing a UserPrincipalName (UPN) column.

The second is to select the SKU to be removed.

Once the two items are selected the script will run. The full remove-licence script is below. The only part that needs to be updated is the $csv variable, to point to the folder where the CSV files will be kept.

## Bulk Remove licenses ##
## Select Csv file
$csv = Get-ChildItem -Path C:\temp\Office365Licence\Remove\ -File | Out-GridView -PassThru

## Import Csv
$users = Import-Csv $csv.FullName

## Select Account SKU to be removed
$accountSKU  = Get-MsolAccountSku | Select-Object AccountSkuId | Out-GridView -PassThru

## Loop through each user in the Csv
foreach($user in $users){
Write-Host "Removing $($accountSKU.AccountSkuId) licence from $($user.UserPrincipalName)" -ForegroundColor Yellow

## Remove licence
Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -RemoveLicenses $accountSKU.AccountSkuId
}

The add script is the same, except that I added a check to confirm whether the user actually needs the licence. Again, the only part that needs to be updated is the $csv variable, to point to the folder where the CSV files will be kept.

Just a note on this: I was applying the licence to existing users who were already set up with a usage location, so if this is not set the script will error out.

## Bulk Add licences ##
## Select Csv file
$csv = Get-ChildItem -Path C:\temp\Office365Licence\Add\ -File | Out-GridView -PassThru

## Import Csv
$users = Import-Csv $csv.FullName

## Select Account SKU to be added
$accountSKU = Get-MsolAccountSku | Select-Object AccountSkuId | Out-GridView -PassThru

## Loop through each user in the Csv
foreach ($user in $users) {

    ## Check if the licence is already applied
    $check = Get-MsolUser -UserPrincipalName $user.UserPrincipalName | Select-Object UserPrincipalName, Licenses
    Write-Warning "checking for $($accountSKU.AccountSkuId) on $($user.UserPrincipalName)"
    if ($check.Licenses.AccountSkuId -notcontains $accountSKU.AccountSkuId) {

        ## Add licence (the user must already have a UsageLocation set, otherwise Set-MsolUserLicense errors out)
        Write-Warning "Adding $($accountSKU.AccountSkuId) licence to $($user.UserPrincipalName)"
        Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -AddLicenses $accountSKU.AccountSkuId

    }
    else {
        ## Licence already applied
        Write-Host "$($user.UserPrincipalName) has $($accountSKU.AccountSkuId) licence assigned" -ForegroundColor Green
    }
}

Source :
https://thesleepyadmins.com/2019/10/12/bulk-add-and-remove-office-365-licences/

Report on users MFA status in Office 365 using PowerShell

During a recent audit we wanted to confirm what users had MFA enabled in Office 365. We use conditional access policy to enforce MFA.

We wanted to check each user to see if they had set up MFA and had a method configured. We also wanted information on licensing status and assigned licences.

The only prerequisite for using the script is that the MSOnline PowerShell module is installed.

To install the MSOnline module, open an admin PowerShell window and run

Install-Module -Name MSOnline

To confirm the module is installed run the below command.

Get-Module -ListAvailable MSOnline

First we need to connect to MSOnline. To do this, run

Connect-MsolService

Once connected, to check the MFA status I will be using the StrongAuthenticationMethods property, since if MFA is configured for the user there will be a default method set.

For users that haven’t configured MFA, no StrongAuthenticationMethods are set.

Below are the 4 methods available for MFA.

OneWaySMS
TwoWayVoiceMobile
PhoneAppOTP
PhoneAppNotification

In the script I only want to return the default method.

There is only one mandatory parameter for the export path where the report will be exported to.

The below is an example of how to run the report.

.\Office365_MFA_Report.ps1 -ExportPath C:\temp

Below is what the output will look like.

The full script can be downloaded from the below link.

Scripts/Office365_MFA_Report.ps1 at master · TheSleepyAdmin/Scripts (github.com)
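The post links to the author’s script rather than reproducing it, so here is an added example, written for this page and not the author’s script, of a report in the shape described above: one row per user with the default StrongAuthenticationMethods entry, licensing status and assigned SKUs, with a single mandatory ExportPath parameter. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the output file name is this example’s choice.

```powershell
# Added example (not the author's script): report each user's default MFA method and
# licence state with the MSOnline module. Assumes an existing Connect-MsolService session.
# Save as Office365_MFA_Report.ps1 and run:  .\Office365_MFA_Report.ps1 -ExportPath C:\temp
param(
    [Parameter(Mandatory)][string]$ExportPath
)

if (-not (Test-Path -Path $ExportPath -PathType Container)) {
    throw "Export path '$ExportPath' does not exist."
}

$report = foreach ($u in Get-MsolUser -All) {
    # Users who never registered MFA have no StrongAuthenticationMethods entries at all;
    # registered users have one entry flagged IsDefault (OneWaySMS, TwoWayVoiceMobile,
    # PhoneAppOTP or PhoneAppNotification).
    $methods = @($u.StrongAuthenticationMethods)
    $default = $methods | Where-Object { $_.IsDefault } | Select-Object -First 1

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        DisplayName       = $u.DisplayName
        MFAConfigured     = ($methods.Count -gt 0)
        DefaultMFAMethod  = if ($default) { $default.MethodType } else { 'None' }
        IsLicensed        = $u.IsLicensed
        Licenses          = (@($u.Licenses | ForEach-Object { $_.AccountSkuId }) -join ';')
    }
}

$file = Join-Path -Path $ExportPath -ChildPath ('Office365_MFA_Report_{0:yyyyMMdd}.csv' -f (Get-Date))
$report | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8

# Summary for the console: licensed accounts with no MFA method are the audit finding.
$noMfa = @($report | Where-Object { $_.IsLicensed -and -not $_.MFAConfigured })
Write-Host ("{0} users exported to {1}; {2} licensed users have no MFA method registered." -f $report.Count, $file, $noMfa.Count)
```

Filtering on `IsLicensed -and -not MFAConfigured` in the summary matches the audit question in the post: a conditional access policy enforces MFA, but a licensed user who has never registered a method will be prompted to register on next sign-in rather than already being protected, so those rows are the ones to follow up.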

Source :
https://thesleepyadmins.com/2021/05/15/report-on-users-mfa-status-in-office-365-using-powershell/

10 essential Linux tools for network and security pros

Picking just 10 Linux open source security tools isn’t easy, especially when network professionals and security experts have dozens if not several hundred tools available to them.

There are different sets of tools for just about every task—network tunneling, sniffing, scanning, mapping. And for every environment—Wi-Fi networks, Web applications, database servers.

We consulted a group of experts (Vincent Danen, vice president of product security, RedHat; Casey Bisson, head of product growth, BluBracket; Andrew Schmitt, a member of the BluBracket Security Advisory Panel; and John Hammond, senior security researcher, Huntress) to develop this list of must-have Linux security tools.

Most of the tools listed here are free and open source. The two that cost money are Burp Suite Pro and Metasploit Pro. Both are considered indispensable in any enterprise program of vulnerability assessment and penetration testing.

1. Aircrack-ng for Wi-Fi network security

Aircrack-ng is a suite of tools for security testing wireless networks and Wi-Fi protocols. Security pros use this wireless scanner for network administration, hacking, and penetration testing. It focuses on:

  • Monitoring: Packet capture and export of data to text files for further processing by third-party tools.
  • Attacking: Replay attacks, deauthentication, fake access points via packet injection.
  • Testing: Checking Wi-Fi cards and driver capabilities.
  • Cracking: WEP and WPA PSK (WPA 1 and 2).

According to the Aircrack-ng website, all tools are command line, which allows for heavy scripting. The tool works primarily on Linux, but also Windows, macOS, FreeBSD, OpenBSD, NetBSD, as well as Solaris and even eComStation 2.

Cost: Free open-source software.

2. Burp Suite Pro targets web-app security

Burp Suite Professional is a web application testing suite used for assessing online website security. Burp Suite operates as a local proxy solution that lets security pros decrypt, observe, manipulate, and repeat web requests (HTTP/websockets) and responses between a web server and a browser.

The tool comes with a passive scanner that lets security pros map out the site and check for potential vulnerabilities as they manually crawl the site. The Pro version also offers a very useful active web vulnerability scanner that allows for further vulnerability detection. Burp Suite is extensible via plugins, so security pros can develop their own enhancements. The Pro version has the most robust plugins, making Burp a multi-tool suite of very useful web attack tools. 

Cost: The professional version costs $399. There’s also an enterprise version that enables multiple concurrent scans that can be used by application development teams.

3. Impacket for pen testing network protocols

This collection of tools is essential for pen testing network protocols and services. Developed by SecureAuth, Impacket operates as a collection of Python classes for working with network protocols. Impacket focuses on providing low-level access to packets and, for some protocols such as SMB1-3 and MSRPC, the protocol implementation itself. Security pros can construct packets from scratch, as well as parse them from raw data. The object-oriented API makes it fairly easy to work with deep hierarchies of protocols. Impacket supports the following protocols:

  • ethernet, Linux;
  • IP, TCP, UDP, ICMP, IGMP, ARP;
  • IPv4 and IPv6;
  • NMB and SMB1, SMB2 and SMB3;
  • MSRPC Version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS and HTTP;
  • Plain, NTLM and Kerberos authentications, using password/hashes/tickets/keys;
  • Portions of TDS (MSSQL) and LDAP protocol implementation

Cost: Free as long as the user gives SecureAuth credit. Impacket is provided under a slightly modified version of the Apache Software License. Security pros can review it here and compare it to the official Apache Software License.

4. Metasploit: A super-tool for detecting exploits

An exploitation framework from Rapid7 that is used for general penetration testing and vulnerability assessments, security pros consider it a “super tool” that contains working versions of nearly every known exploit in existence.

Metasploit enables security pros to scan networks and endpoints (or import NMAP scan results) for vulnerabilities and then perform any possible exploitation automatically to take over systems.

According to a recent Rapid7 blog post, capturing credentials has been a critical and early phase in the playbook of many security testers. Metasploit has facilitated this for years with protocol-specific modules, all under the auxiliary/server/capture function. Security pros can start and configure each of these modules individually, but now there’s a capture plug-in that streamlines the process.

Cost: Metasploit Pro, which comes with commercial support from Rapid7, starts at $12,000 per year, but there is also a free version.

5. NCAT probes network connectivity

From the makers of NMAP, NCAT is a successor to the popular NETCAT. It facilitates reading and writing data over a network from the command line, but adds features such as SSL encryption. Security experts say NCAT has become crucial for hosting TCP/UDP clients and servers to send/receive arbitrary data from victim and attacking systems. It’s also a popular tool for establishing a reverse shell or exfiltrating data. NCAT was written for the NMAP Project and stands as the culmination of the currently splintered family of NETCAT incarnations. It’s designed as a reliable back-end tool to execute network connectivity to other apps and users. NCAT works with IPv4 and IPv6 and offers the ability to chain NCATs together, redirect TCP, UDP, and SCTP ports to other sites, as well as SSL support.

Cost: Free open source tool.

6. NMAP scans and maps networks

NMAP is a command-line network scanning tool that uncovers accessible ports on remote devices. Many security pros consider NMAP the most important and effective tool on our list; it is so powerful that it has become obligatory for pen testers. NMAP’s flagship feature is scanning network ranges for active servers, and then all of their ports for operating system, service and version discovery. Via NMAP’s scripting engine, it then performs further automated vulnerability detection and exploitation against any service it finds. NMAP supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many TCP and UDP port scanning mechanisms, OS detection, version detection, and ping sweeps. Security pros have used NMAP to scan large networks of hundreds of thousands of machines.

Cost: Free open source tool.

7. ProxyChains for network tunneling

The de facto standard for network tunneling, ProxyChains lets security pros issue proxy commands from their attacking Linux machine through various compromised machines to traverse network boundaries and firewalls, while evading detection. They use it when they want to use the Linux operating system to hide their identity on a network. ProxyChains routes the TCP traffic of pen testers through the following proxies: TOR, SOCKS, and HTTP. TCP reconnaissance tools such as NMAP are compatible, and the TOR network is used by default. Security pros also use ProxyChains to evade firewalls and IDS/IPS detection.

Cost: Free open source tool. 

8. Responder simulates attacks on DNS systems

Responder is an NBT-NS (NetBIOS Name Service), LLMNR (Link-Local Multicast Name Resolution) and mDNS (multicast DNS) poisoner that is used by penetration testers to simulate an attack aimed at stealing credentials and other data during the name resolution process when no record is found by the DNS server.

The latest version of Responder (v. 3.1.1.0) comes with full IPv6 support by default, which lets security pros perform more attacks on IPv4 and IPv6 networks. This is important because Responder had lacked IPv6 support and therefore missed several attack paths. This was especially true on IPv6-only networks or even mixed IPv4/IPv6 networks, particularly when you take into consideration that IPv6 has become the preferred network stack on Windows.

Cost: Free open source software.

9. sqlmap looks for SQL injection flaws in database servers

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws that could be used to take over database servers. The tool comes with a powerful detection engine, and boasts many features for penetration testing including database fingerprinting, accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Security pros say it helps them automate SQL discovery and injection attacks against all major SQL back-ends. It supports a wide range of database servers, including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB and HSQLDB. It also supports various kinds of SQL injection attacks, including boolean-based blind, time-based blind, error-based, stacked queries, and out-of-band.

Cost: Free open source software.

10. Wireshark: Popular network protocol analyzer

Wireshark, which has been around since 1998, is a network protocol analyzer, commonly called a network interface sniffer. The latest update is Version 3.6.3.

Wireshark lets security pros observe a device’s network behavior to see which other devices it is communicating with (IP addresses) and why. In some older network topologies, network requests from other devices pass through the network interface of a security pro’s device, allowing them to observe the entire network’s traffic, not just their own. Security experts say it’s a great tool to figure out where the DNS servers and other services are for further exploitation of the network. Wireshark runs on most computing platforms, including Windows, macOS, Linux, and Unix.

Cost: Free open source software.

Source :
https://www.networkworld.com/article/3656629/10-essential-linux-security-tools-for-network-professionals-and-security-practitioners.html

The Next Evolution of Authentication

Bringing identity proofing to Symantec SiteMinder

Readers of this blog won’t need much convincing that today’s digital threat landscape is complex and formidable. Where I expect to find more skepticism is around the prospect of a quick, simple, yet powerful security upgrade to your existing infrastructure.

You’re not wrong to be skeptical.

It’s exceedingly rare when two security technologies, from two different vendors, actually strengthen one another. Much more often the opposite is true, when a lack of identity continuity allows security vulnerabilities and usability barriers to take root in the small gaps between disparate identity systems.

But that’s what makes Daon’s new partnership with Broadcom Software, and our native integration with Symantec SiteMinder, so noteworthy. It really is a fast, simple, affordable way to make SiteMinder even better at what it already does so well—protecting the applications that your business relies on.

Authentication is nice, but is it enough?

SiteMinder has always been highly effective at ensuring that only users with the right identity credentials can gain access to your applications. It manages multiple types of authentication credentials and flows, applying the appropriate mechanism to balance security and convenience.

But in today’s world of ubiquitous password breaches, intercepted OTPs, and stolen devices, there is a quite reasonable and growing level of concern around the inviolability of those very credentials.

At any point along the user journey, how are we to be sure that the identity credentials meant for “Jane” are still, and solely, in her possession?

The Strengths & Weaknesses of Multifactor Authentication

Two-factor authentication solutions like Symantec VIP that utilize multifactor credentials and contextual risk analysis are a critical step in strengthening the authentication process and providing greater confidence that users are who they claim to be.

But this classic model of authentication—including even the strongest, most secure biometric authentication factors like fingerprint authentication—has a limitation. Authenticating that a user’s fingerprint matches the fingerprint on file does not, in itself, prove that the fingerprint belongs to a legitimate user (e.g., Jane). What if the person who submitted the original reference fingerprint was not actually Jane? Or what if someone other than Jane gains access to her account through other means and then changes the reference fingerprint to match their own?


Consumer biometric authentication tools like Touch ID and Face ID are plagued by this vulnerability. On an iPhone or Android phone, you can circumvent the biometric security with a simple password, then proceed in seconds to replace all the biometric reference data on that device. What seemed at first glance like robust biometric security is in fact nothing more than an elaborate password proxy.

And there’s a second problem, too.

As Katie Deighton recently wrote in The Wall Street Journal, “Consumers who use two-factor authentication are finding that changing a phone number or neglecting to write down recovery codes can leave them inadvertently locked out of online accounts.”

When authentication becomes too dependent on a trusted device, genuine SiteMinder users who lose a device, have a device stolen, or change to a new device may find themselves suddenly unable to access their SiteMinder-protected applications.

Introducing Daon Identity Proofing

Real-time identity proofing is the next step in the evolution of authentication. It requires a biometric factor (your face) that can be easily verified against a trusted source document (your government-issued photo ID)—something that’s readily available to users but that cannot be altered without detection.

With ID in hand, a user can quickly snap some photos of the document’s front and back, and then a selfie. In seconds, machine learning algorithms will verify the document, match the selfie to the document image, and use “liveness detection” to prevent spoofing with a photo or video recording. Voilà—the user is authenticated as if they’d presented their credentials to you in person, but with the convenience that digital users have come to expect from all their online interactions. What’s more, this capability can be easily implemented into your Symantec SiteMinder environment through a simple, standards-based OIDC interface.

Your Path Forward

We couldn’t be more delighted that Broadcom Software chose to partner with Daon to bring this powerful capability to SiteMinder users everywhere. Broadcom Software selected us because we’ve been the global leader in biometric identity assurance for over two decades—chosen to secure over a billion identities around the world, performing more than 250 million authentications each day, and trusted by iconic international brands like American Airlines, Hyatt, PNC, Experian, Carnival, and hundreds more.

I hope you’ll watch the short video below for some additional information, and when you’re ready, we invite you to come learn just how easy and affordable biometric identity proofing can be by visiting us here.

Source:
https://symantec-enterprise-blogs.security.com/blogs/feature-stories/next-evolution-authentication