Make Your WordPress Sites 100% Immune To Phishing
What is a Universal 2nd Factor (U2F) Physical Security Key?
U2F is an authentication standard that lets users securely access their online accounts instantly with a security key – no drivers or client software needed.
You just register a physical device with the online service that supports the protocol. It was created by Google and Yubico and now it’s hosted by the FIDO Alliance.
Basically, U2F security keys are physical USB keys that look like a flash drive. You can only access your account by tapping the key while it’s plugged in.
As an end user, it feels like a dedicated device for 2-Factor Authentication. Instead of using your phone and the Authenticator app, you carry around a physical key.
U2F and WordPress Security
I wanted to give it a go on my site, so I purchased a YubiKey of my own. Seeing as this was an experiment and I am not super technical, I wasn’t ready to attempt a manual setup. I searched for a free plugin option on WordPress.org. The search ended pretty fast: there are currently not a lot of options or information for WordPress, so I went with the most popular free option, Two-Factor.
Now armed with my brand new key and the plugin I thought, “this shouldn’t be too hard”.
So, how do you use U2F and physical security keys with WordPress?
- Go to Users -> your Profile page
- Scroll down. You will see some new features. Under account management, there should be Two-factor options available now.
- Enable FIDO U2F and set as primary
- Scroll down to Security Keys and press the Register New Key button
- Plug in your FIDO U2F security key and tap the circle button on it
- Wait for the page to refresh and click Update Profile
What are the drawbacks and barriers to entry of Security Keys?
While it’s fairly easy to implement there were some drawbacks.
This level of security is not free and providing security keys to everyone that needs access to your site could be costly – especially for large teams. Keys vary in price from $20 to $50. Plus, it’s recommended you keep a backup key for each of your users just in case their key is lost, damaged or stolen. If you run a team of 10 that would require 20 keys. Cha-ching.
If cost is not prohibitive, the next challenge is that security keys are still not widely adopted. While usage has increased, setting up security keys for other systems can be a painful and lengthy process. The good news is that things are improving, and setting up security keys on Google, Facebook or Twitter is fairly straightforward.
Another thing to consider for teams or development agencies is management. Keys create a more complicated employee and client onboarding process. It also means finding a point person for setup and recovery. Hello middle managers.
Perhaps the most obvious hurdle is that you can’t access your site without the security key. This is good for your site’s security but could be bad for convenience. Let’s say you just arrived at work and realized you left your key at home. You can’t call somebody to dictate a one-time password – because there is no
Lastly, handing out security keys to your WordPress clients could, obviously, be a potential problem.
So, why not just roll with One-Time Passcodes (OTP) or 2FA on my phone? These are valid options, but there are some disadvantages.
U2F vs OTPs
One-Time Passcodes (OTP) are short numeric codes that are one-time use and are sent via text messages or generated on a separate physical device. While they are more secure than ordinary passwords, OTPs aren’t perfect:
- They are vulnerable to phishing and man-in-the-middle attacks
- You have to carry around a dongle for each website/password
- SMS messages can be intercepted
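Why a tap on a U2F key cannot be phished the way an OTP can comes down to what gets signed. The example below is added here and is not code from the original post, from the Two-Factor plugin, or from Yubico: it models the U2F authentication step in Go with an in-memory P-256 key standing in for the hardware token, so it runs offline. The browser (not the page) writes the real origin into the client data, the token binds the appId hash and a counter into the signed bytes, and the site (the "relying party") checks origin, challenge, appId hash, counter and signature before accepting the login. The type and function names (Token, Registration, BrowserGetAssertion, Verify, Demo), the two origins and the challenge string are constructed for this illustration; a real site draws a fresh random challenge per login.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Registration is what the site stores per user after "Register New Key".
type Registration struct {
	PubKey  *ecdsa.PublicKey
	Counter uint32 // last counter the key reported; must strictly increase
}

// Token simulates a U2F key with an in-memory P-256 key (a real key keeps it in hardware).
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// clientData is built by the browser, so its origin is the site the user is really on.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedMessage rebuilds what both sides hash: authData || sha256(clientData).
func signedMessage(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Sign plays the token's U2F_AUTHENTICATE step: sha256(appId) || presence flag || counter, ECDSA-signed.
func (t *Token) Sign(appID string, cd []byte) (authData, sig []byte, err error) {
	t.counter++
	appHash := sha256.Sum256([]byte(appID))
	authData = append(append(authData, appHash[:]...), 0x01) // 0x01: the key was tapped
	authData = append(authData, byte(t.counter>>24), byte(t.counter>>16), byte(t.counter>>8), byte(t.counter)) // big-endian counter
	sig, err = ecdsa.SignASN1(rand.Reader, t.priv, signedMessage(authData, cd))
	return authData, sig, err
}

// BrowserGetAssertion plays the browser: it fills in the real page origin and passes the requested appId to the token.
func BrowserGetAssertion(t *Token, origin, appID, challenge string) (cd, authData, sig []byte, err error) {
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin}) // cannot fail for plain strings
	authData, sig, err = t.Sign(appID, cd)
	return
}

// Verify is the site-side check a login plugin runs before accepting the tap.
func Verify(reg *Registration, origin, appID, challenge string, cd, authData, sig []byte) error {
	var c clientData
	appHash := sha256.Sum256([]byte(appID))
	switch {
	case json.Unmarshal(cd, &c) != nil:
		return fmt.Errorf("malformed clientData")
	case c.Origin != origin:
		return fmt.Errorf("origin %q is not %q: phished or relayed assertion", c.Origin, origin)
	case c.Challenge != challenge:
		return fmt.Errorf("challenge mismatch: stale or foreign assertion")
	case len(authData) != 37 || string(authData[:32]) != string(appHash[:]):
		return fmt.Errorf("appId hash mismatch")
	case binary.BigEndian.Uint32(authData[33:]) <= reg.Counter:
		return fmt.Errorf("counter did not increase: replay or cloned key")
	case !ecdsa.VerifyASN1(reg.PubKey, signedMessage(authData, cd), sig):
		return fmt.Errorf("bad signature")
	}
	reg.Counter = binary.BigEndian.Uint32(authData[33:])
	return nil
}

// Demo runs a genuine login, a replay of the same assertion, and a login made on a look-alike page relaying the real challenge.
func Demo() (genuine, replay, phished bool, err error) {
	const site, lookalike = "https://wp.example.test", "https://wp-example-login.test" // constructed origins
	const challenge = "Q09OU1RSVUNURURfQ0hBTExFTkdF" // constructed; a real site draws fresh random bytes
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	tok, reg := &Token{priv: priv}, &Registration{PubKey: &priv.PublicKey}
	cd, ad, sig, err := BrowserGetAssertion(tok, site, site, challenge)
	if err != nil {
		return
	}
	genuine = Verify(reg, site, site, challenge, cd, ad, sig) == nil
	replay = Verify(reg, site, site, challenge, cd, ad, sig) == nil
	cd, ad, sig, err = BrowserGetAssertion(tok, lookalike, lookalike, challenge)
	if err != nil {
		return
	}
	phished = Verify(reg, site, site, challenge, cd, ad, sig) == nil
	return
}
```

Demo returns true only for the genuine login. The assertion made on the look-alike page carries that page's origin in the client data and its appId hash in the signed bytes, so even though the attacker relayed the site's real challenge, the site rejects it; a replay of a previously accepted assertion fails on the counter. An SMS or app-generated OTP, by contrast, is just a number the user can type into any page, which is exactly what the list above means by "vulnerable to phishing".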
Who Are Physical Security Keys Like YubiKeys For?
For most WordPress users, Defender’s 2FA with Google Authenticator on your phone is more than enough. Dedicated security keys offer strong protection against phishing and man-in-the-middle attacks and are arguably faster and easier to use once you set them up and get used to them, but let’s face it, the ordinary Joe probably doesn’t really need a YubiKey.
That said, if you’re running an agency with multiple administrators on high profile client sites it may be time to consider physical keys for your team.
Google’s own U2F case study showed that, on top of becoming a “no-phishing zone”, they also noticed accelerated employee productivity, reduced support compared to phone authentication, and even lower cost of ownership.
The benefits of the physical keys multiply with the number of employees/clients using keys and with the number of daily sessions each user commences.
Better Solutions for WordPress Security
U2F is most likely the technology of the future and it is growing rapidly in popularity. But for now, it doesn’t seem to provide enough benefits for small or midsize agencies, at least not for replacing a well-set-up 2FA.
If physical keys sound impractical or a bit excessive for your clients, Defender is the best option for securing your WordPress sites. The combination of one-click security tweaks, good password practices, 2-factor Auth along with our forced two-factor authentication for specific user roles, automated cloud backups, and free expert support clean-up is more than enough.
What do you think? Do the risks of phishing associated with your phone have you considering physical keys for your WordPress agency?