Make WordPress Core

Opened 2 years ago

Last modified 17 months ago

#55514 new feature request

2FA by default for WordPress

Reported by: jamsec
Owned by: (none)
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: (none)
Component: Security
Keywords: (none)
Focuses: (none)
Cc: (none)

Description

Hi WordPress!

Hope this message finds you well! I'm a senior security analyst/researcher from Sucuri and I wanted to reach out to you all with an inquiry and feature request. I initially reached out to Fio (my old colleague) from WordPress.com and he directed me here. Apologies if I should have submitted this to HackerOne instead, but it's not a specific "vulnerability" per se.

I'm writing a piece for our Sucuri blog on how 2FA-by-default should be in WordPress, similar to how Akismet is included in a default WordPress installation to combat comment spam.

A HUGE number of website compromises that we deal with on a daily basis at Sucuri could have been avoided by a simple 2FA additional authentication. With WordPress being over 40% of the web, I think that 2FA-by-default could be a game changer in terms of making the web a much safer place and avoiding a LOT of headaches and malware issues for WordPress website admins.

Adobe made 2FA default in all new Magento2 installations, as they were dealing with exactly the same chronic issues of security (abuse of public-facing login pages with no additional authentication). You can turn it off afterwards if you want, but it's included by default during the installation process.

What are your thoughts on including 2FA by default in new wordpress.org installations? I know JetPack includes 2FA, but it's linked to wordpress.com and I understand that .com and .org need to remain rightfully separate.

I'd like to include your thoughts in my blog piece if that's ok.

Looking forward to hearing back!

Cheers,
Ben

Change History (3)

#1 @jorbin
2 years ago

Hi @jamsec, welcome to trac.

Related: https://make.wordpress.org/core/tag/two-factor/

I couldn't find a relevant ticket, but @georgestephanis may know one. When including this in core has been discussed in the past, some of the hesitations have been around creating a system where users won't end up locking themselves out of their sites. @macmanx put it well:

I'll say it this way: We want users to be able to secure their sites with 2FA, not sit back and watch outdated abandoned sites pile up because they locked themselves out and simply give up when we mention FTP, Database, or SSH.

The #core-passwords room in slack, Featured Plugin, and numerous make core posts should be able to provide you with some more information.

#2 @jamsec
2 years ago

Thanks for the response, @jorbin.

In my view as someone who works with hacked sites every day, it seems that if outdated/abandoned websites would pile up because users are locked out, those same outdated sites are getting infected with malware instead.

If 2FA were to be included by default, it can still easily be disabled by renaming the plugin directory name in wp-content/plugins, so re-establishing admin access should not be too difficult if someone gets locked out as most hosting platforms provide access to the file structure.

IMO the pros would outweigh the cons by a pretty large margin.

Even something as simple as adding a "Would you like to add 2FA?" to the WordPress installation process would make a huge difference.

#3 @SergeyBiryukov
17 months ago

#57870 was marked as a duplicate.
