Implemented 2FA on Both of my WordPress Websites Today


Dan Calloway

Mar 25, 2022, 12:05:23 AM
to UCLUG Google Group
Fellow UCLUGgers,

A measure I've taken today to further secure both my dpNetwork and "Our Amazing Planet" WP websites is to enforce WP 2FA on each. This required me to install the WP 2FA plugin on each Website dashboard interface, then configure it to use my Google Authenticator as the secondary authentication platform of choice. 

Now, when I allow Roboform to fill the username and password fields on the Admin Login interface of either WP CMS website, I'm confronted with an Authenticator field requesting a 6-digit code. Both of my passwords on each WP website are 20-digit randomly-generated strong passwords (upper- and lowercase letters, numbers, and special characters) which in and of themselves are virtually impenetrable. But, if by some miracle of God a hacker was able to gain access to my password(s), they would then have to gain access to my iPhone app (Google Authenticator) to obtain that 6-digit code. If they didn't use my 2FA platform, then the number of possibilities they would have to randomly enter to gain access would be on the order of 900,000 combinations. After 3 incorrect guesses of the 6-digit PIN, the hacker would be blocked and would have to wait out a period of time before being able to retry. There is no way for a hacker to access either of my sites going forward, so I now have peace of mind that at least my Websites won't be hacked unless I give up my credentials and 6-digit PIN.

-- 
Dan Calloway
LCDR, SC, USNR (Ret.) / 20-year Veteran
Asheville, NC 28805
Title 38 of the Code of Federal Regulations defines a veteran as
“a person who served in the active military, naval, or air service and who 
was discharged or released under conditions other than dishonorable.”

Eric

Mar 25, 2022, 10:40:34 AM
to Upstate Carolina Linux Users Group
On Friday, March 25, 2022 at 12:05:23 AM UTC-4 dan.ca...@gmail.com wrote:
A measure I've taken today to further secure both my dpNetwork and "Our Amazing Planet" WP websites is to enforce WP 2FA on each.
[...snip details...]
There is no way for a hacker to access either of my sites going forward, so I now have peace of mind that at least my Websites won't be hacked unless I give up my credentials and 6-digit PIN.

It's great that you have added 2FA to your sites! Any site where you can use 2FA, the better.

That being said, I did want to note that password enumeration and brute forcing passwords are not common ways WordPress sites are compromised. Generally they are compromised via vulnerabilities in the software itself (SQL injection, etc). The core system itself is generally somewhat safe. But the large collection of semi-maintained plugins are often the weak point. If you want to increase your peace of mind make sure you:
  • Have auto-updating enabled. A bad update may occasionally take your site down but that's better than being compromised so for a site only lightly maintained the auto-update is best.
  • Keep plugins to a minimum. Only ones you can't live without. Any you do use, make sure they are widely used (therefore are more battle tested) and receive regular updates.
  • Use wpscan to scan regularly for vulnerabilities. It's a black-box scanner that will look for vulnerable versions/plugins and notify you about them so you can address them before someone else finds them.
Eric

George Law

Mar 25, 2022, 11:06:06 AM
to uc...@googlegroups.com
100% agree Eric - my apache logs are filled with blind requests from various bots looking for known issues, not just wordpress - I also see probes for joomla, phpmyadmin, etc ... some of the probes are for the wordpress wp-login page - probably probing for a login with admin/admin -- that's the #1 reason why the admin user for my wp sites is not "admin", nor the domain name, etc...

I was going to recommend https://ithemes.com/sync/#plans but it looks like I've been grandfathered in - I am on their 10-site plan but have never paid $0 :)
Even if you have to pay for it, it's worth the ability to see all your wordpress sites and update them from a single dashboard.

I've personally had the wordpress xmlrpc subsystem exploited to hack a couple of my sites - the same type of injection used on the WUBI website.
The best way I've found to block it is to do a straight-up .htaccess deny, as well as chmod 000 xmlrpc.php:
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>

I've also tried this, but it does not work well from a VPN where you never know what your IP is going to be. Based on my public IP from ATT, this would let me in but deny all others.

RewriteEngine on
#RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
#RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$ [OR]
#RewriteCond %{REQUEST_URI} ^/wp-login\.php$ [OR]
#RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$
#RewriteCond %{REMOTE_ADDR} !^1\.1\.1\.1$
#RewriteRule ^(.*)$ http://go-away.com [R]
#RewriteRule ^(.*)$ - [R=403,L]

Things like mod_security are useful, as mod_security will watch the apache POST requests for things like SQL injects, etc.



--
You received this message because you are subscribed to the Google Groups "Upstate Carolina Linux Users Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to uclug+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/uclug/2602319f-24d5-4ca1-93e5-e7a0542a3aben%40googlegroups.com.
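The bot traffic George describes (hits on wp-login.php, xmlrpc.php, phpMyAdmin and Joomla paths) is easy to pick out of an Apache access log. The following is an added example, not code from the thread: it parses combined-format log lines, classifies the probe-like requests per source IP, and renders the resulting block list as an Apache 2.4 `Require` block (the mod_authz_core form of the `Deny from all` stanza above). The log lines are constructed for the demo using RFC 5737 documentation addresses; the allowlisted admin address, the hit threshold, and the rule that a POST to wp-login.php answered with 200 is a failed login (a successful one is answered with a 302 redirect to wp-admin) are the example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Apache combined-log lines (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Mar/2022:10:41:02 -0400] "GET /wp-login.php HTTP/1.1" 200 2374 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Mar/2022:10:41:03 -0400] "POST /wp-login.php HTTP/1.1" 200 2374 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Mar/2022:10:41:05 -0400] "POST /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Mar/2022:10:42:10 -0400] "GET /phpmyadmin/index.php HTTP/1.1" 404 196 "-" "python-requests/2.27"
198.51.100.23 - - [25/Mar/2022:10:42:11 -0400] "GET /administrator/index.php HTTP/1.1" 404 196 "-" "python-requests/2.27"
192.0.2.44 - - [25/Mar/2022:10:43:00 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [25/Mar/2022:10:43:30 -0400] "GET /our-amazing-planet/ HTTP/1.1" 200 15231 "-" "Mozilla/5.0"
this line is not a log record and is skipped
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Paths that only scanners ask a WordPress site for (assumed list; extend as needed).
PROBE_PATHS = {
    "phpmyadmin": re.compile(r"/(phpmyadmin|pma|myadmin)(/|$)", re.I),
    "joomla-admin": re.compile(r"^/administrator(/|$)"),
}


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(method: str, path: str, status: int):
    """Return a probe category for the request, or None for ordinary traffic."""
    path = path.split("?", 1)[0]
    if path.endswith("/wp-login.php"):
        # Assumption: a successful WordPress login answers the POST with a 302 to
        # wp-admin, a failed one re-renders the form with 200; GETs are page views.
        return "wp-login-failed" if method == "POST" and status == 200 else None
    if path.endswith("/xmlrpc.php"):
        return "xmlrpc"
    for name, rx in PROBE_PATHS.items():
        if rx.search(path):
            return name
    return None


def probe_report(log_text: str) -> dict:
    """Map each source IP to a count of probe categories it triggered."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["method"], rec["path"], rec["status"])
        if kind:
            hits[rec["ip"]][kind] += 1
    return {ip: dict(c) for ip, c in hits.items()}


def block_candidates(report: dict, min_hits: int = 2, allowlist=frozenset()) -> list:
    """IPs with at least `min_hits` probe requests, never including your own
    addresses (the VPN problem above: keep the allowlist current or you lock yourself out)."""
    return sorted(ip for ip, kinds in report.items()
                  if ip not in allowlist and sum(kinds.values()) >= min_hits)


def htaccess_deny_block(ips) -> str:
    """Render the IPs as an Apache 2.4 mod_authz_core block for .htaccess."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    report = probe_report(SAMPLE_LOG)
    for ip, kinds in report.items():
        print(ip, kinds)
    print(htaccess_deny_block(block_candidates(report, allowlist={"192.0.2.44"})))
```

Counting only failed wp-login POSTs keeps legitimate logins and page views out of the report, which is the usual source of false positives in this kind of script.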

lyrics.sa...@mailer.me

Mar 25, 2022, 12:38:09 PM
to uc...@googlegroups.com
Mar 25, 2022, 11:06 AM by uc...@googlegroups.com:
Things like mod_security are useful, as mod_security will watch the apache POST requests for things like SQL injects, etc.

Along those lines a web application firewall (WAF) can do a lot of good. Cloudflare has the functionality (as well as CDN stuff) and a lot of people like it. But depending on your cloud provider you may have other options. For example in GCP the WAF is called Cloud Armor.

Eric

Fred Laxton

Mar 25, 2022, 3:21:59 PM
to uc...@googlegroups.com
I also use the Loginizer add-on for my WordPress websites to notify on repeated login failures, and the WPS Hide Login add-on to make a website-specific login URL. I have Loginizer set to email my gmail account from any of my servers on repeated login failures, and a filter on my gmail that forwards it to another special email address with the failed login notices. Then I read it from a Google Compute Engine (free tier) server cron job and parse out the IP address of the attacker. Then the script issues commands that instructs all my servers to block that IP address at all the server firewalls via fail2ban. The block is released after a number of hours automatically.

I also use server and AWS firewalls (security groups) and the Cloudflare firewall. Also mod_security is tied in with automatic updates. Firewall is modified by fail2ban rules (or my custom setup I outlined above).

Works very well and requires zero maintenance ;-)

Fred

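Fred's pipeline (failed-login mails in, a cron job that pulls out the attacker's IP and bans it on every server via fail2ban, released after a set number of hours) is mostly bookkeeping. The following is an added example of that bookkeeping, not Fred's actual script: it extracts the source IP from a notification body, refuses to ban private, loopback or the admin's own addresses, fans the ban out to every server as `fail2ban-client set <jail> banip` commands, and emits the matching `unbanip` commands once the ban has aged out. The alert format, the `wp-alerts` jail name, the server names, the admin address and the six-hour ban are all assumptions; Loginizer's real mail layout is not reproduced.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed alert bodies in a made-up "repeated login failures" format.
# Each tuple is (ISO timestamp the mail arrived, mail body).
SAMPLE_ALERTS = [
    ("2022-03-25T14:02:11", "Repeated login failures on dpnetwork.example from IP 203.0.113.7 (user admin, 5 attempts)"),
    ("2022-03-25T14:05:40", "Repeated login failures on planet.example from IP 203.0.113.7 (user admin, 5 attempts)"),
    ("2022-03-25T14:09:02", "Repeated login failures on planet.example from IP 10.0.0.5 (user dan, 5 attempts)"),
    ("2022-03-25T14:30:00", "Repeated login failures on dpnetwork.example from IP 198.51.100.23 (user administrator, 5 attempts)"),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Never ban these: RFC 1918, loopback, link-local, plus the admin's own address
# (assumed here as 192.0.2.44). A ban script that can lock out its operator is worse than none.
NEVER_BAN = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
OWN_ADDRESSES = {ipaddress.ip_address("192.0.2.44")}


def extract_ip(body: str):
    """First bannable IPv4 address mentioned in the alert, or None."""
    for candidate in IPV4_RE.findall(body):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:          # e.g. 999.1.1.1 matched the loose regex
            continue
        if ip in OWN_ADDRESSES or any(ip in net for net in NEVER_BAN):
            continue
        return ip
    return None


class BanLedger:
    """Tracks which IPs are banned until when and emits the commands for every server.
    `jail` is an assumed fail2ban jail name configured on each host."""

    def __init__(self, servers, jail="wp-alerts", ban_hours=6):
        self.servers = list(servers)
        self.jail = jail
        self.ban = timedelta(hours=ban_hours)
        self.expires = {}   # ip -> datetime when the ban lapses

    def _cmds(self, action, ip):
        return [f"ssh {s} sudo fail2ban-client set {self.jail} {action} {ip}" for s in self.servers]

    def process_alert(self, when: str, body: str) -> list:
        """Return the ban commands to run for this alert (empty if nothing to do)."""
        ip = extract_ip(body)
        if ip is None:
            return []
        now = datetime.fromisoformat(when)
        already_banned = ip in self.expires and self.expires[ip] > now
        self.expires[ip] = now + self.ban      # new ban, or refresh the clock on a repeat
        return [] if already_banned else self._cmds("banip", ip)

    def release_expired(self, when: str) -> list:
        """Return the unban commands for every ban that has aged out by `when`."""
        now = datetime.fromisoformat(when)
        out = []
        for ip, until in sorted(self.expires.items(), key=lambda kv: str(kv[0])):
            if until <= now:
                out += self._cmds("unbanip", ip)
                del self.expires[ip]
        return out


if __name__ == "__main__":
    ledger = BanLedger(["web1", "web2"])
    for when, body in SAMPLE_ALERTS:
        for cmd in ledger.process_alert(when, body):
            print(cmd)
    for cmd in ledger.release_expired("2022-03-25T20:10:00"):
        print(cmd)
```

If every jail already carries a suitable `bantime`, fail2ban will lift the ban on its own and the `unbanip` step can be dropped; the ledger still earns its keep by not re-running the ban on every repeat alert and by fanning a single alert out to all servers.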

Dan Calloway

Mar 25, 2022, 3:28:52 PM
to lyrics.sandfish335 via Upstate Carolina Linux Users Group
Eric,

I self-host my websites on a single SBC Raspberry Pi, thus no hosting companies touch my sites. I've used CloudFlare before, but I don't think using them is necessary at this time. I have fairly strong anti-spam/malware plugin support that allows me to block all incoming traffic by Country, if necessary. Currently, Russia and China are blocked entirely. 

Dan Calloway

Mar 25, 2022, 3:58:38 PM
to Fred Laxton, uc...@googlegroups.com
Fred,

Great advice. I've used fail2ban very successfully in the past in conjunction with my websites and ssh server in Linux on the Raspberry Pi. 