Two-Factor The Wrong Type Of WordPress Security Solution

There is a new WordPress plugin out called Phone Factor being billed as a security solution for WordPress, and it has been emailed to me at least four or five times in the past few days. There have been a few security issues with WordPress recently, resulting in a number of automated attacks against self-hosted WordPress blogs (see earlier Techcrunch post). Following the latest series of posts about WordPress security, there were a large number of plugins recommended as either solutions to the security issue (impossible) or tools that help in detecting breaches or keeping a codebase up-to-date.

The Phone Factor plugin adds a second authentication layer to the WordPress login process by requiring that the user answers a phone call on login. On installation, the user is prompted to register an account with, a free provider of phone-based two-factor authentication. The solution is easy enough to setup, and simple enough to understand, but the problem is in the way in which this plugin is being presented – as a ‘solution’ to security issues in WordPress/

Two-factor is used by banks and enterprises as a way of proving identity, and from there, controlling access to data. The recent WordPress security issues have had to do with filtering and input parsing in PHP scripts, for which two-factor auth is by no means a solution. Prompting a phone-call for each WordPress login does nothing to secure the 270+ php scripts running in webroot as part of a standard WordPress install, and I can’t recall a single security issue or large-scale attack that could have been prevented had two-factor authentication been in place. Whats worse, disabling the second factor is extremely simple if an attacker has access to the local database or wpdb object, from where they can simply switch the plugin off. I have also never seen a phishing attack directed at a self-hosted blog that a two-factor auth solution would have prevented.

Applying a second-factor to something such as a login to a blog tips too far over in the conveniance/security scale – a scale where security improvements are measured against conveniance for an average user. For a blogger, being able to login simply and post quickly is important, and WordPress have put a lot of effort into making that process simple and easy for even the most basic user. Slowing that process down with phone-based authentication for little security gain in return is unlikely to attract many bloggers, most of whom are already struggling in managing their blogs correctly.

If WordPress is being used in an enterprise where two-factor is a policy requirement, the solution is to integrate WordPress authentication into the local domain – so that you don’t have to replicate a new identity structure. The larger solution is to manage your application installs correctly rather than to install-and-forget. With good management and with an understanding of threats.