Moderator
Yui
(@fierevere)
永子
This is clearly a plugin area, you can choose among many available alternatives
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
Jordi, I have removed the link. This site is not for promoting any blog post.
All of us are suffering from brute force attacks, and I think that It’d be easy to implement some code in next WP versions to avoid them. (hide login and something against xmlrpc and directory traversal attacks).
Most of that is addressed here.
https://ww.wp.xz.cn/support/article/hardening-wordpress/
Hiding the login is a choice but does not make an installation more secure, it just makes it harder to support. It also may do nothing for XMLRPC access.
If someone is concerned about people logging into their WordPress installation then strong passwords and/or 2FA is the way to go.
https://ww.wp.xz.cn/plugins/search/two+factor/
https://ww.wp.xz.cn/plugins/search/strong+passwords/
Both of which are plugin territory.
I think 2FA should almost be considered for core at this stage. However, I know that it could potentially lock out non-tech-savvy users who don’t understand what they’re enabling or the importance of writing down the backup seed.
WordFence has one of the most straightforward setups I’ve seen so far. The QR also worked well with my open-source authenticator from F-Droid (no proprietary OTP authenticator lock-in)
-
This reply was modified 2 years, 11 months ago by
Jack. Reason: their to they're
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
I think 2FA should almost be considered for core at this stage.
I agree with you. But the very wise people who support that code has seen 2FA go horrifically bad at other places and at scale. Best to keep it optional via a plugin.
