WordPress Security without Passwords or CAPTCHA

08/21/2014

If you're like most WordPress administrators, you protect your website with password logins, and you may also use a challenge-response system, such as one of the CAPTCHA WordPress security plugins, to check that login attempts come from people rather than from spam or attack bots. Unfortunately, both methods are weak. A password is a single reusable secret that can be guessed, phished or copied from another site, and a site that depends on one is a standing target for attackers who want to take over user accounts, read your site data, and collect passwords and other credentials for reuse elsewhere.

If you are using password-based logins to secure your WordPress site, you are inviting trouble. Obtaining passwords is a primary goal for hackers, and if criminals can gain access to the password for just one user account, they can potentially gain access to that user’s other accounts for other websites and services.

With hacking, phishing, and malware, criminals have numerous methods at their disposal to steal a user’s passwords, and if you are using passwords for your logins, your site’s security is only as strong as the least secure of your users. If an admin or other account holder uses the same password for multiple websites and services, including yours, and hackers gain access to it, this could place your site and data at risk.

Worst of all, if criminals can use any of these methods to compromise an administrative password for your WordPress site, they could potentially gain full access to your site and user data, which could mean large-scale disaster.

To make matters worse, CAPTCHA is not an effective long-term solution for preventing brute force attacks. Hackers are continuously writing new bot scripts and programs to outsmart image and text-based challenge-response solutions like CAPTCHA. So, it is always just a matter of time before hackers figure out how to defeat each new solution. And once they outsmart the latest plugin, they can program their bots to attack your site while appearing to be human users.

So how can you protect your WordPress site without using passwords or CAPTCHA while still providing the best possible security for your user accounts? The approach is simple: remove the reusable secret that brute-force, phishing and credential-stuffing attacks all depend on, so that there is no password to guess, capture or reuse.


Protecting Your Site with Next-generation Security and Mobile Authentication

SecSign ID is a next-generation login method that replaces password-based logins with 2048-bit asymmetric key pairs and mobile authentication. It is built on the two-factor principle that ATM cards have relied on for more than 15 years: knowledge plus possession. The card (possession) is useless without the PIN (knowledge), and the PIN is useless without the card.

With a simple plugin for WordPress, SecSign ID lets users log into your site by entering a non-confidential user ID on the WordPress login screen. They no longer need to remember or type a password. Once they have entered their user ID, they prove their identity by demonstrating possession of a private key that is stored, in encrypted form, on their mobile device.

SecSign ID enables WordPress logins by using a simple user ID and mobile authentication that eliminates passwords and makes it virtually impossible for criminals to compromise user accounts.

This is done with the free SecSign ID mobile app. The app notifies the user that an authentication is pending, and the user can approve the session in seconds. The knowledge factor is a simple 4-digit PIN or a passcode entered in the app: it unlocks the stored private key, and only then can the app prove to the server that the user possesses that key.

As a final step, the app shows a set of four symbols, and the user taps the one that matches the symbol shown on the WordPress login screen. This step matters because the user ID is not secret: anyone could enter it and trigger a notification on the owner's phone. Matching the symbol ties the approval to the login session the user is actually looking at, so a request the user did not start cannot be approved by reflex. Once verification is complete, your site grants access to the user.

In just a few seconds, a user can be logged into your WordPress site without a password or a CAPTCHA. And, unlike password-based methods, no reusable secret is stored on the server or sent over the network: the server holds only the public key, the private key never leaves the mobile device, and what crosses the wire is a one-time proof for that login. A phishing page therefore has no password to capture, and a breached server database yields only public keys.
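The flow above (enrolment, pending request, PIN-unlocked signing, symbol match) can be modelled in a few dozen lines. The script below is an added illustration written for this article, not SecSign's protocol or code: the message layout, the helper names, the four-symbol set and the use of a PIN-encrypted PEM file to stand in for the device key store are all assumptions made for the demo. It needs PHP 7.1 or later with the openssl extension.

```php
<?php
// Illustrative "possession plus knowledge" login with a 2048-bit RSA key pair.
// Added example for this article; NOT SecSign's protocol. Message layout,
// helper names and the symbol set are assumptions. Run with: php demo.php

const SYMBOLS = ['circle', 'square', 'triangle', 'star']; // assumed symbol set

// Enrolment runs on the device: generate the key pair, keep the private key
// only as PIN-encrypted PEM, and hand the public key to the server.
function enrol(string $userId, string $pin): array
{
    $key = openssl_pkey_new([
        'private_key_bits' => 2048,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    openssl_pkey_export($key, $encryptedPrivPem, $pin);        // PIN-wrapped
    $publicPem = openssl_pkey_get_details($key)['key'];
    return [
        'device' => ['userId' => $userId, 'privPem' => $encryptedPrivPem],
        'server' => ['userId' => $userId, 'pubPem'  => $publicPem],
    ];
}

// Server: a login attempt for a (non-secret) user ID creates a pending
// request holding a fresh nonce and the symbol the login page will display.
function serverStartLogin(string $userId): array
{
    return [
        'userId' => $userId,
        'nonce'  => bin2hex(random_bytes(32)),
        'symbol' => SYMBOLS[random_int(0, count(SYMBOLS) - 1)],
    ];
}

// Device: unlock the private key with the PIN (knowledge), then sign the nonce
// together with the symbol the user tapped (possession plus session binding).
function deviceApprove(array $device, string $pin, string $nonce, string $tapped): ?string
{
    $priv = openssl_pkey_get_private($device['privPem'], $pin);
    if ($priv === false) {
        return null;                 // wrong PIN: the key cannot be unwrapped
    }
    $message = $device['userId'] . '|' . $nonce . '|' . $tapped;
    openssl_sign($message, $signature, $priv, OPENSSL_ALGO_SHA256);
    return base64_encode($signature);
}

// Server: accept only a valid signature over this request's nonce AND the
// symbol that was shown on the login page for this request.
function serverFinishLogin(array $record, array $pending, string $tapped, ?string $sigB64): bool
{
    if ($sigB64 === null || $tapped !== $pending['symbol']) {
        return false;
    }
    $message = $record['userId'] . '|' . $pending['nonce'] . '|' . $tapped;
    return openssl_verify($message, base64_decode($sigB64),
                          $record['pubPem'], OPENSSL_ALGO_SHA256) === 1;
}

function report(string $case, bool $ok): void
{
    echo str_pad($case, 34) . ($ok ? 'accepted' : 'rejected') . PHP_EOL;
}

// --- walk-through ---------------------------------------------------------
$e = enrol('alice', '4242');

// 1. Normal login: Alice reads the symbol off the WordPress screen and taps it.
$req = serverStartLogin('alice');
$sig = deviceApprove($e['device'], '4242', $req['nonce'], $req['symbol']);
report('correct PIN, correct symbol', serverFinishLogin($e['server'], $req, $req['symbol'], $sig));

// 2. Wrong PIN: the PIN-wrapped key never unlocks, so there is no signature.
$sig = deviceApprove($e['device'], '0000', $req['nonce'], $req['symbol']);
report('wrong PIN', serverFinishLogin($e['server'], $req, $req['symbol'], $sig));

// 3. Attacker starts a login with Alice's public user ID. The push reaches
//    Alice's phone, but she is not looking at the attacker's screen and so
//    has no way to know which symbol that session expects.
$attack = serverStartLogin('alice');
$other  = SYMBOLS[(array_search($attack['symbol'], SYMBOLS, true) + 1) % count(SYMBOLS)];
$sig    = deviceApprove($e['device'], '4242', $attack['nonce'], $other);
report('unsolicited push, other symbol', serverFinishLogin($e['server'], $attack, $other, $sig));

// 4. Replay: a captured approval is bound to its nonce and fails on a new request.
$sig   = deviceApprove($e['device'], '4242', $req['nonce'], $req['symbol']);
$fresh = serverStartLogin('alice');
report('replayed approval', serverFinishLogin($e['server'], $fresh, $fresh['symbol'], $sig));
```

Two design points are worth noting. The wrong-PIN case fails on the device, not at the server, because the PIN is never sent anywhere: it only unwraps the local key. And with four symbols, an unsolicited push that the user approves blindly would be accepted one time in four, so a real deployment should treat a symbol mismatch as a failed attempt and rate-limit or lock the pending request rather than let an attacker retry until the guess lands.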

Flexible Security Options, Including Apple Touch ID Fingerprint Verification

With Apple's forthcoming release of iOS 8, SecSign ID will also allow iOS 8 users to confirm their identity with their Touch ID fingerprint. They can use the fingerprint in place of a PIN or passcode, or combine it with a PIN or passcode to add a biometric layer on top of the knowledge factor.

SecSign ID can be configured as an optional login method for your site, so it can be offered alongside the traditional ID and password combination. You can use it to protect your admin accounts while continuing to support traditional logins for your other users. Or, for maximum security, you can make it mandatory for all accounts by disabling the standard WordPress login and replacing it with SecSign ID. If you do this, close the other password paths as well: WordPress's XML-RPC interface (xmlrpc.php) accepts a username and password for every API call regardless of what the login form shows, and the password-reset flow will hand a user a new password on request. Leaving either in place keeps password attacks viable even though the login page no longer asks for one.
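The snippet below shows one way to close those paths for both modes described above. It is an added example, not part of the SecSign plugin: it uses three core WordPress hooks (`xmlrpc_enabled`, `allow_password_reset`, `wp_authenticate_user`) plus core's own `authenticate` registration, and it assumes that the passwordless plugin authenticates through its own `authenticate` callback rather than through `wp_authenticate_username_password()`, which I have not verified. The `PASSWORDLESS_FOR_ALL` switch and the file name are hypothetical.

```php
<?php
/*
 * Plugin Name: Close password paths (illustrative mu-plugin)
 * Place in wp-content/mu-plugins/close-password-paths.php (hypothetical name)
 * so it loads before ordinary plugins. Added example for this article, not
 * SecSign's code. Assumes the passwordless plugin logs users in via its own
 * 'authenticate' callback, not via wp_authenticate_username_password().
 */

// true  = "mandatory" mode: no account can authenticate with a password.
// false = "optional" mode: only accounts that can manage the site lose passwords.
const PASSWORDLESS_FOR_ALL = false;   // hypothetical switch for this example

// 1. xmlrpc.php takes a username/password pair on every request and ignores
//    whatever the login form does, so disable the interface outright.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. A password reset re-issues a password by e-mail, which reintroduces the
//    very secret we are trying to remove. Turn the reset flow off.
add_filter( 'allow_password_reset', '__return_false' );

if ( PASSWORDLESS_FOR_ALL ) {
    // 3a. Core registers its password check on 'authenticate' at priority 20
    //     with three arguments. Removing that one callback means no path
    //     (login form, XML-RPC, custom code) can log anyone in with a
    //     password, while other authenticators on the same hook still run.
    add_action( 'plugins_loaded', function () {
        remove_filter( 'authenticate', 'wp_authenticate_username_password', 20 );
    } );
} else {
    // 3b. Optional mode: 'wp_authenticate_user' fires inside core's password
    //     check just before the hash comparison. Returning a WP_Error there
    //     refuses password logins for privileged accounts only; everyone
    //     else keeps the traditional login.
    add_filter( 'wp_authenticate_user', function ( $user, $password ) {
        if ( $user instanceof WP_User && user_can( $user, 'manage_options' ) ) {
            return new WP_Error(
                'password_login_disabled',
                'Administrators must sign in with the passwordless method.'
            );
        }
        return $user;
    }, 10, 2 );
}
```

After installing it, check the result from the outside rather than trusting the login page: a POST to `xmlrpc.php` should no longer be served, `wp-login.php?action=lostpassword` should refuse to send a reset link, and an administrator submitting a correct password on the form should be rejected with the error message above while a passwordless login still succeeds.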

Integrated with WordPress, SecSign ID makes it possible to log into your WordPress site and to post blog updates or content without using passwords and without trying to read CAPTCHA images or solve text challenges. And it provides similar convenience for any of your site members, who can also log in and post without passwords or CAPTCHA annoyances.

Simple User Registration with Self-enrollment

Registration of a SecSign ID account is fast and easy by using the SecSign ID mobile app, and there is no need to set up or distribute IDs to all of your site users. They can self-enroll using the free mobile app, where users can quickly create a new SecSign user ID and set up their PIN, passcode, or fingerprint verification.

SecSign ID uses 2048-bit key pairs to authenticate user logins; the private key is stored, encrypted, on the user's mobile device and the public key on the authentication server.

The app generates the key pair used for authentication. It sends the public key to the authentication server for storage and keeps the private key on the user's mobile device, protected by a patented SafeKey mechanism that is designed to resist brute-force attacks on the unlock secret. If a device is lost or stolen, the attacker holds only the protected key store, and a copy of that store is useless without the PIN, passcode, or fingerprint that unlocks it.

With self-enrollment and simple registration, without passwords, this also eliminates another common risk involving WordPress site administration, which is having to set and transmit passwords for other admins. Normally, when using password-based logins, an admin has to create a password for each additional admin account and must transmit it to the new admin.

This creates two security risks. First, the original admin knows the password for another user's account. Second, the password is transmitted or shared by e-mail or through another service, so an attacker could capture it in transit or recover it later from a message or document archived on a server.

These risks, along with the password and CAPTCHA weaknesses described above, are removed with SecSign ID.

You can be up and running with SecSign ID for your WordPress site in just minutes. You can download the WordPress plugin, access installation instructions, and watch a helpful video at https://www.secsign.com/developers/. And you can also find a quick reference tutorial at https://www.secsign.com/developers/wordpress-two-factor-authentication/.
