Hi everyone. Today we're going to talk about the passwordless future of WordPress security. As most of you know, iThemes Security offers several different ways to secure your WordPress website, and by design a lot of these features make it more difficult to access the WordPress dashboard. Many of you are probably familiar with the WordPress security best practice of using a unique password on every single site: 91% of people know they should use a unique password on every site, but 59% still choose to use the same password everywhere. This means they can make your site vulnerable if their credentials were part of a database dump.

The reason why 90% of Gmail users don't use two-factor authentication is that it's an extra step in their already busy day, and the reason why only 12% of Internet users use a password manager is that they're already too tired to think about managing something else.

We understand why people don't follow security best practices, but that doesn't make those practices any less critical: according to research by Google, two-factor authentication prevents 100% of automated bot attacks and 99% of bulk phishing attacks. There is a changing mindset in cybersecurity: security professionals are starting to realize that the onus is on them to make it easier for users to secure their websites and personal accounts.

With that new mindset, we at iThemes created a way for you to lock down your WordPress website while making it easier to log in. The new passwordless login method in iThemes Security Pro lets you lock down your website by requiring two-factor authentication and strong passwords, and by refusing compromised passwords, while still allowing people to log into your site with the click of a button. Before we show off the magic link feature, let's consider whether the passwordless method is right for you.
Passwordless Method Is it Right For You?
It's not perfect, but an attacker would have to steal your phone or break into your email account to get hold of a magic link. That is much more difficult than simply guessing passwords against your WordPress login form.
Passwordless authentication sends a link to a phone number or email address that was previously verified. The user clicks the link and is automatically logged into the website.
You don't need to remember your password, but your site still gets a two-factor style benefit: logging in requires possession of the verified phone or mailbox, not just knowledge of a secret.
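The mechanism just described, issuing a link to a verified address and redeeming it, is illustrated below in Python. This is added example code, not iThemes Security's implementation; it shows the properties a magic link needs to be safe: a token with enough entropy that it cannot be guessed, stored only as a hash, bound to one user, short-lived, and usable exactly once. The base URL, the user directory and the 15-minute lifetime are assumptions for the example.

```python
"""Magic-link issuance and redemption: an added illustration in Python.

Not iThemes Security's code. It shows the properties a passwordless link
must have: unguessable token, stored only as a hash, bound to one user,
short-lived, usable exactly once. Base URL, user directory and lifetime are
assumptions for the example.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Assumed lifetime: long enough to open the mail, short enough to limit exposure.
LINK_TTL_SECONDS = 15 * 60


@dataclass
class PendingLink:
    user: str
    token_hash: bytes   # only a hash is stored, so a leaked table yields no usable links
    expires_at: float


class MagicLinkService:
    """Issues one-time login links and redeems each at most once."""

    def __init__(self, base_url: str = "https://example.com/wp-login.php",
                 clock: Callable[[], float] = time.time) -> None:
        self.base_url = base_url
        self.clock = clock   # injectable so expiry can be tested deterministically
        self.pending: Dict[str, PendingLink] = {}
        # Constructed directory of users with a previously verified address.
        self.verified_emails = {"alice": "alice@example.com"}

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user: str) -> Optional[str]:
        """Return the URL that would be e-mailed, or None if the user has no
        verified address. Show the same "check your mail" message either way
        so usernames cannot be enumerated."""
        if user not in self.verified_emails:
            return None
        link_id = secrets.token_urlsafe(8)    # public lookup key
        token = secrets.token_urlsafe(32)     # 256 bits of entropy: not guessable within the TTL
        self.pending[link_id] = PendingLink(
            user=user, token_hash=self._hash(token),
            expires_at=self.clock() + LINK_TTL_SECONDS)
        return f"{self.base_url}?magic_id={link_id}&magic_token={token}"

    def redeem(self, link_id: str, token: str) -> Optional[str]:
        """Return the username to log in, or None on any failure."""
        # Pop first: succeed or fail, the link is spent, so an attacker who
        # learns only the id cannot keep trying tokens against it.
        rec = self.pending.pop(link_id, None)
        if rec is None or self.clock() > rec.expires_at:
            return None
        if not secrets.compare_digest(rec.token_hash, self._hash(token)):
            return None
        return rec.user


def parse_link(url: str) -> Tuple[str, str]:
    """Extract (magic_id, magic_token) from an issued URL, as the login
    endpoint would when the user clicks it."""
    qs = parse_qs(urlparse(url).query)
    return qs["magic_id"][0], qs["magic_token"][0]


if __name__ == "__main__":
    svc = MagicLinkService()
    url = svc.issue("alice")
    print("mail this:", url)
    link_id, token = parse_link(url)
    print("first click logs in:", svc.redeem(link_id, token))
    print("second click is refused:", svc.redeem(link_id, token))
```

The two design choices worth copying are that the stored record holds only a hash of the token, so reading the table is not enough to log in, and that the record is removed before the token is checked, so a link is spent on its first use whether or not that use succeeds.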
Install the Passwordless Login plugin
Go to the Plugins area and click Add New. In the search box, search for a passwordless login plugin.
First, install and activate the Passwordless Login plugin.
Then go to Users > Passwordless Login. This brings up the plugin's only configuration page.
This page contains a shortcode that generates a passwordless login form.
Click Appearance > Widgets in your WordPress dashboard.
Under Available Widgets, drag a Text widget into the footer or sidebar area of your choice. Add a title, switch to the text editor, paste the shortcode, and click Save.
The passwordless login form now appears in the footer, sidebar, or wherever you placed the widget. Be sure to log out of your account to see the form.
iThemes Security Two-Factor Authentication
Now let's look at how you can use iThemes Security to lock down your WordPress website. Now that we're in the iThemes Security settings, we're going to lock down the WordPress login. The very first adjustment I'm going to make is in the Password Requirements settings. Currently I am only forcing strong passwords for Administrator users.

I'm going to change this down to Subscriber, and here's why: if a subscriber or customer of your site uses a weak password and their account gets hacked, they're not going to blame their weak password, they're going to blame you. So let's take the extra precaution and protect their information by forcing them to use strong passwords. I'm also going to enable Refuse Compromised Passwords for the same reason: if a password has appeared in a database dump, we're going to refuse it, because again, if information from their account is compromised they won't blame their password, they'll blame you. Let's save those settings.
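To show what refusing a compromised password involves, here is an added Python example; it is not the plugin's code. iThemes Security's check consults the Have I Been Pwned service, and this block implements the same protocol shape offline so it runs anywhere: the client sends only the first five hex characters of SHA-1(password), receives every breached hash suffix under that prefix, and compares locally, so the full hash, let alone the password, never leaves the site. The breach corpus, the role ordering and the 12-character minimum are constructed assumptions for the example.

```python
"""Refusing compromised passwords via a k-anonymity range query.

Added example, not iThemes Security's code. Mirrors the Have I Been Pwned
range protocol offline: only a 5-hex-character prefix of SHA-1(password)
leaves the client; the suffix comparison happens locally. The breach corpus,
role order and minimum length are constructed for the example.
"""
import hashlib
from typing import Callable, Tuple

# Constructed stand-in for a breach corpus: password -> times seen in dumps.
BREACHED = {"password": 3_861_493, "123456": 23_597_311, "letmein": 134_412}

# Assumed WordPress role order, lowest to highest, for the "down to Subscriber" setting.
ROLE_RANK = {"subscriber": 0, "contributor": 1, "author": 2, "editor": 3, "administrator": 4}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_api(prefix: str) -> str:
    """Stands in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns one 'SUFFIX:COUNT' line per breached hash sharing the prefix."""
    assert len(prefix) == 5, "client must only ever send a 5-character prefix"
    lines = []
    for pw, count in BREACHED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def compromised_count(password: str, fetch: Callable[[str], str] = fake_range_api) -> int:
    """Return how many times the password appears in breaches (0 = never seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def password_allowed(password: str, role: str, min_role: str = "subscriber",
                     min_length: int = 12) -> Tuple[bool, str]:
    """Apply the policy configured in the walkthrough: a length floor for every
    role at or above `min_role`, and no breached password for anyone."""
    if compromised_count(password) > 0:
        return False, "password has appeared in a known data breach"
    enforced = ROLE_RANK.get(role.lower(), 0) >= ROLE_RANK[min_role.lower()]
    if enforced and len(password) < min_length:
        return False, f"password must be at least {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 9!"):
        print(pw, "->", password_allowed(pw, "subscriber"))
```

Against the real service the `fetch` argument would be an HTTP GET of the prefix; everything else, including the guarantee that only five characters of the hash are transmitted, stays the same.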
Next, let's adjust the Two-Factor settings. Currently I only have User Type Protection enabled, which forces specific user roles to use two-factor authentication.

I'm going to change this down to all users, and here's what's going to happen: once we have passwordless login enabled, real users will still be able to log in with the click of a button, but anyone using the traditional login method, i.e. a bot scouring the Internet attempting brute-force attacks, will have to deal with the additional two-factor requirement. This adds another layer of security to your site. Now that we have our WordPress login locked down, let's log out and look at what the traditional login looks like with these extra precautions. I have to enter my username, enter a unique password that I need a password manager to keep track of, and click Log In.

Then I have to enter my two-factor code, which means opening my authenticator app, copying the code, pasting it in and clicking Authenticate, and then I'm logged in. The issue is that it's hard to get most people to want to use a password manager, and it's hard to get people to add an extra step every time they log into any account. So what we're going to do now is enable the passwordless login feature.
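For readers who want to see what the authenticator-app step does underneath, here is an added Python example of TOTP (RFC 6238) generation and verification. It is not iThemes Security's code. It derives a 6-digit HMAC-SHA1 code from a shared seed and the current 30-second step, checks it with a one-step clock-drift window and a constant-time comparison, and records the last accepted step so the same code cannot be replayed. The seed is the RFC 6238 test vector, so the codes it produces can be checked against the RFC's tables; the window size is an assumption.

```python
"""TOTP code generation and verification (RFC 6238), added example.

Not iThemes Security's code. Shows the authenticator-app step from the
walkthrough: HMAC-SHA1 over the time step, dynamic truncation to 6 digits,
a +/-1 step drift window (assumed), constant-time comparison, and replay
protection. Seed is the RFC 6238 test vector.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """Code valid at Unix time `at`."""
    return hotp(secret, at // step)


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps receive the seed as base32 (the QR code payload)."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server-side check for one user's seed."""

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window        # accept +/- this many steps of clock drift
        self.last_counter = -1      # highest step already used; refuses replays

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        at = int(time.time()) if at is None else at
        submitted = submitted.replace(" ", "")
        if len(submitted) != DIGITS or not submitted.isdigit():
            return False
        counter = at // STEP_SECONDS
        matched = None
        # Check every step in the window with no early exit and a constant-time
        # compare, so response timing does not reveal near-misses.
        for delta in range(-self.window, self.window + 1):
            if hmac.compare_digest(hotp(self.secret, counter + delta), submitted):
                matched = counter + delta
        if matched is None or matched <= self.last_counter:
            return False            # wrong code, or a code already spent
        self.last_counter = matched
        return True


# RFC 6238 Appendix B seed, ASCII "12345678901234567890".
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print("code at T=59:", totp(RFC_SEED, 59))
    v = TotpVerifier(RFC_SEED)
    print("accepted:", v.verify(totp(RFC_SEED, 59), at=59))
    print("replay refused:", v.verify(totp(RFC_SEED, 59), at=59))
```

The replay check matters more than it looks: a bot that phishes or shoulder-surfs one six-digit code has roughly a minute to use it, and without `last_counter` it could use it more than once within that window.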
iThemes Security Passwordless Login Link
Let's go back to the Security settings and click Enable, then configure the settings. I'm going to enable it for all users: it will be enabled by default for every user, which means they'll have the option to use it the next time they log in.

We're going to allow two-factor to be bypassed for all users, and use the username-first login method. Note that with two-factor bypass enabled, the magic link stands in for the second factor, so the security of that login path rests on the user's mailbox; that mailbox should itself be protected with two-factor authentication. Let's save the settings, then log out and log back in to see what it looks like now that we have an easier and more secure way to log in. The first thing you'll notice is that the login flow has changed.

You enter your username, and then you're asked whether you want an easier way to log in: you can send yourself a magic link, or if you prefer, you can still use the traditional WordPress username and password method.

I'm going to send myself a magic link, an email that contains my passwordless login link. Let's go and see what that email looks like. Here we are in my email inbox: I can see the email with my passwordless login link, and all I have to do to log in is click the Log in Now button. It opens a new tab and logs me into the WordPress dashboard.

So we have a very easy way to log in, but any bot scouring the Internet looking for WordPress logins to attack still has to use the traditional method of logging in with a username and password. Because you can now force everyone to use a unique password that has not been part of a breach, without sacrificing usability, the likelihood of a bot guessing the correct password is slim; and if it does, you've locked things down even harder by also requiring a two-factor code, which, as Google's research found, blocks 100% of these automated brute-force attacks. You get to lock down your site without sacrificing usability: harder for the bots attacking your site to log in, easier for your actual users.