Chris La Nauze presents to the Melbourne WordPress Meetup, November 2016, about Two Factor Authentication. Further notes can be found on my blog: https://chrislanauze.com/go/2FA-wp-talk-nov-2016/
2. WPScan Vulnerability Database
To date there are 2407 vulnerabilities:
1305 (54%) WordPress plugin vulnerabilities
344 (14.3%) WordPress theme vulnerabilities
758 (31.5%) WordPress core vulnerabilities
https://wpvulndb.com/
3. Types of Vulnerabilities
The most popular vulnerability types in WordPress core, plugins and themes are Cross-site Scripting and SQL Injection. This is not surprising considering these 2 vulnerabilities have been listed in the OWASP Top 10 since its inception.
4. What is Security?
Hardening: the addition of extra layers to protect against penetration.
WordPress is a relatively secure platform. If you have auto updates enabled, security vulnerabilities in the core are patched for you automatically. It's only when you start adding plugins, themes and custom code that the chance of being hacked grows, and the more users you have, the more the risk of an attack increases, exponentially.
Security is like an onion: it needs lots of layers of protection working together.
5. Popular WordPress Security Plugins
iThemes Security
WordFence
BulletProof Security
Sucuri Security
BBQ - Block Bad Queries
Caveat: they aren't 100% secure; they are prone to vulnerabilities too. All four here have been listed in https://wpvulndb.com/search? But being paid services, they are very quick to patch and fix compared with free alternatives.
7. No! 2FA is not the silver bullet. It’s just one of the many
layers to help protect your sites.
8. What is 2 step Authentication?
“Unlike passwords, two-factor authentication (2FA) is a two-step process that asks
for two of three possible factors: things you are, things you have, and things you
know, to prove your identity. Current implementations of two-factor authentication
utilize the something you know (passwords) and something you have/possess
(such as a mobile phone, email account, hardware token, etc.)
WordPress do offer two-factor authentication via free plugins, which offer various
ways to two-factor, including OTP (one-time password) via SMS, phone call, OTP
via email, QR code, authenticators, push notification, and hardware-based key
makers such as Yubikey, SolidPass, etc.”
Ref: http://www.hongkiat.com/blog/wp-plugins-2-factor-authentication/
9. https://www.google.com.au/landing/2step/
Examples for 2FA in everyday life
● Drawing money from the ATM - card | PIN
● Paying with a credit card - card | signature OR card | PIN OR card | security code
● Entering a foreign country - passport | biometric data
11. 3 Two Factor Authentication Plugins for WordPress
● Duo Security
● Clef
● Google Authenticator
12. Duo.com
The steps that happen when authenticating with WordPress:
1. WordPress connection initiated
2. Primary authentication
3. WordPress connection established to Duo Security over TCP port 443
4. Secondary authentication via Duo Security's service
5. WordPress receives authentication response
6. WordPress session logged in
https://duo.com/docs/wordpress
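The two-step flow above (primary authentication first, then the second factor, then the session) is the same shape whichever of the three plugins on slide 11 you pick. As an added illustration, not code from the slides, Duo, or any of the plugins, here is that flow in Python with a time-based one-time password (TOTP, RFC 6238, the scheme Google Authenticator uses with a 30-second step, SHA-1 and 6 digits) standing in for Duo's hosted service as the second factor. The user name, password, salt and the `12345678901234567890` secret are constructed values; the secret is the RFC 6238 test secret, so the codes it produces can be checked against the RFC's published vectors. Note the two defender-side details the step list does not spell out: the second factor is only consulted after the password check succeeds, and a code that has already been accepted is refused a second time (replay), even though a small clock-drift window is allowed.

```python
"""Two-step login check: password (something you know) then TOTP (something you have).
Added example, not the code of any WordPress 2FA plugin."""
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per TOTP counter value (Google Authenticator default)
DIGITS = 6       # code length (Google Authenticator default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Checks a submitted code against the current counter and +/- `window` neighbours
    (clock drift), and remembers the highest counter accepted so a code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, at: int) -> bool:
        counter = at // TIME_STEP
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # already used (or older than a used one): reject as replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


def hash_password(password: str, salt: bytes) -> bytes:
    """Primary factor: salted PBKDF2-HMAC-SHA256 password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class User:
    def __init__(self, name: str, password: str, totp_secret: bytes):
        self.name = name
        self.salt = b"constructed-salt-for-demo"  # constructed; a real system uses os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.second_factor = TotpVerifier(totp_secret)


def login(user: User, password: str, otp_code: str, now: int):
    """Steps 2, 4, 5 and 6 of the flow on the slide. Returns a session token or None."""
    # Step 2: primary authentication. Fail here and the second factor is never consulted.
    if not hmac.compare_digest(hash_password(password, user.salt), user.pw_hash):
        return None
    # Steps 4-5: secondary authentication (TOTP here instead of Duo's remote service).
    if not user.second_factor.verify(otp_code, now):
        return None
    # Step 6: both factors passed, establish the session.
    return f"session:{user.name}:{now}"


# Constructed demo user; the TOTP secret is the RFC 6238 test secret (ASCII digits 1..0 twice).
DEMO_USER = User("demo-user", "correct horse battery staple", b"12345678901234567890")

if __name__ == "__main__":
    code = totp(DEMO_USER.second_factor.secret, 59)
    print("code at t=59:", code)                                    # 287082 per RFC 6238
    print("login:", login(DEMO_USER, "correct horse battery staple", code, 59))
    print("replay:", login(DEMO_USER, "correct horse battery staple", code, 59))  # None
```

In a real deployment the secret would be stored per user at enrolment (the QR code the plugin shows encodes it), and `now` would be the server clock; the drift window of one step either side is what lets a phone that is a few seconds off still log in, while `last_counter` is what stops a captured code from being used twice inside that window.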