Hi Solid Security team,

    First of all, thank you for the great plugin!

    I’ve noticed an issue with the two-factor authentication feature. When the “Hide Backend” option is enabled, the two-factor login step seems to be completely bypassed; it’s like 2FA is not active at all. But when I disable “Hide Backend”, the 2FA feature works as expected.

    Also, when 2FA is working (with “Hide Backend” disabled), the email I receive with the authentication code is very difficult to read. The content appears as a long block of raw HTML code, making it hard to find the actual code.

    Is this a known issue, or is there something I might have misconfigured?

    Thank you in advance for your help, and keep up the great work!

    Best regards

Viewing 3 replies - 1 through 3 (of 3 total)
    Plugin Support Brent Wilson

    (@bwbama)

    Hello,

    Glad you reached out here!

    First, I want to tackle the issue you are having with the Hide Backend and to do that I would like to explain why I personally believe the feature should be left disabled. (I know, probably not what you thought I was going to say!)

    While this approach might seem to enhance security by making the login URL less predictable, it’s essential to understand the concept of “security through obscurity” and its limitations.

    What is Security Through Obscurity?

    Security through obscurity refers to securing a system by concealing its details or implementation. If potential attackers are unaware of certain system aspects, they will be less likely to exploit vulnerabilities. However, this method is generally discouraged as a security measure.

    Why Hiding the Login Page May Not Be Effective

    While hiding the login page can deter some automated attacks, determined attackers can still discover the login URL through various methods. This approach can lead to a false sense of security, potentially diverting attention from implementing more robust security measures. Additionally, altering the default login URL can sometimes cause compatibility issues with other plugins or themes, leading to unintended functionality problems.

    Recommended Security Measures

    Instead of obscuring the login page, consider implementing the following proven security practices:

    1. Strong Passwords and Usernames: Ensure all user accounts have complex, unique passwords and avoid using default usernames like “admin.”
    2. Two-Factor Authentication (2FA): Add an extra layer of security by requiring a second form of verification during login.
    3. Limit Login Attempts: Restrict the number of login attempts to prevent brute-force attacks.
    4. Regular Updates: Keep WordPress core, themes, and plugins updated to their latest versions to patch known vulnerabilities.
    5. 3rd Party Proxy Firewall: Solid Security Basic is a software firewall and it does a great job at being that. However, software firewalls (like other WordPress security plugins) will always be limited in their scope. A 3rd Party Proxy Firewall, such as Cloudflare, offers a free service that can use their massive database of known attackers and stop threats before they even reach your host. Cloudflare and Solid Security work great together to offer a complete, well-rounded security solution!

    Your email issue suggests a potential plugin conflict. Are you using any plugins that might alter WordPress emails? Solid Security uses its templates and then the wp_mail() function to send out those emails. If something is intercepting these emails before they are sent, it would definitely cause the issue you are seeing!

    Let me know if this helps!
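The reply above attributes the raw-HTML email to something intercepting mail after Solid Security hands it to wp_mail(). The following must-use plugin is an added diagnostic example (not Solid Security's code, and not posted by anyone in this thread): it logs every callback attached to the core mail hooks, with the file it lives in, so the plugin forcing a plain-text content type or rewriting the message can be identified before deactivating plugins one by one. The plugin name and the `mha_` prefix are made up for this example.

```php
<?php
/**
 * Plugin Name: Mail Hook Audit (constructed diagnostic example)
 * Description: Logs which plugins hook the wp_mail() pipeline. Drop into wp-content/mu-plugins/.
 */

// Hooks a plugin would use to intercept, reformat or reroute outgoing mail.
add_action( 'init', function () {
    $hooks = array( 'pre_wp_mail', 'wp_mail', 'wp_mail_content_type', 'phpmailer_init' );
    foreach ( $hooks as $hook ) {
        if ( empty( $GLOBALS['wp_filter'][ $hook ] ) ) {
            continue; // nothing hooked here, so it cannot be the culprit
        }
        // WP_Hook keeps callbacks grouped by priority; later priorities run last and win.
        foreach ( $GLOBALS['wp_filter'][ $hook ]->callbacks as $priority => $callbacks ) {
            foreach ( $callbacks as $cb ) {
                error_log( sprintf(
                    '[mail-audit] %s (priority %d): %s',
                    $hook,
                    $priority,
                    mha_describe_callback( $cb['function'] )
                ) );
            }
        }
    }
}, PHP_INT_MAX ); // run after every other plugin has registered its hooks

/**
 * Resolve a hooked callable (function name, closure, or [object, method] pair)
 * to "name in /path/to/plugin/file.php" so the owning plugin is obvious.
 */
function mha_describe_callback( $fn ) {
    try {
        if ( is_array( $fn ) ) {
            $ref = new ReflectionMethod( $fn[0], $fn[1] );
        } elseif ( is_string( $fn ) && false !== strpos( $fn, '::' ) ) {
            $ref = new ReflectionMethod( $fn );
        } else {
            $ref = new ReflectionFunction( $fn );
        }
        return $ref->getName() . ' in ' . $ref->getFileName();
    } catch ( ReflectionException $e ) {
        return 'unresolvable callback';
    }
}
```

With WP_DEBUG_LOG enabled, the entries appear in wp-content/debug.log on the next page load; a `wp_mail_content_type` callback from another plugin returning `text/plain` is the classic cause of an HTML message rendering as raw markup.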

    Thread Starter kvmz72

    (@kvmz72)

    Hi Brent,

    Thank you so much for your quick reply and for providing all of those detailed explanations; it’s greatly appreciated!

    I completely understand your perspective on the Hide Backend option and the concept of “security through obscurity.” For my particular setup, however, I do find the Hide Backend feature quite important. I’m actually using Solid Security together with WP Hide Security Enhancer, and interestingly, the 2FA from WP Hide is compatible with the Hide Backend feature of Solid Security. On the other hand, the Solid Security 2FA doesn’t seem to work when Hide Backend is enabled, which is a little disappointing. Is there any chance of a fix or workaround for this? It would be fantastic to have both Hide Backend and Solid Security’s 2FA working hand in hand.

    As for the email issue, that turned out to be unrelated to your plugin after all. My apologies for the confusion, and thank you for pointing me in the right direction! Everything is back to normal on that front.

    I really appreciate your help and I’m grateful for all the hard work you put into Solid Security. Thank you again!

    Best regards

    Plugin Support chandelierrr

    (@shanedelierrr)

    Hi @kvmz72,

    Thank you for providing the additional information about your setup!

    To clarify, both the Solid Security 2FA and HBE features should work together seamlessly. I’ve created a test site where both features are activated, and everything functions as expected. Here’s a demo of that site.

    It looks like something on your site (like a plugin conflict) is causing the 2FA feature to malfunction (appearing inactive or affecting the HTML content of the emails).

    Could you try narrowing down the root cause by deactivating your other plugins and switching to a different theme, leaving only Solid Security activated, and confirm if you’re still experiencing the 2FA issues with HBE enabled?

    Let us know how it goes!


The topic ‘Issue with Two-Factor Authentication’ is closed to new replies.