August 4, 2017 by Paul G. | Blog

Update: WordPress Email Two-Factor Authentication – No Auto-Login Links


This is a quick explanatory update on our Shield Security plugin for WordPress.

We’ve been providing email-based two-factor authentication (2FA) for a looong time. Recently we’ve received some feedback about the placement of a direct-login link within the email that is sent out.

How Shield’s Two-Factor Authentication Portal Works

With the portal you’re prompted to enter any or all of your 2FA codes to confirm your login. If you have turned on email-based 2FA, then you’ll get an email with both the code you need, and also a link.

This link will do 1 of 2 things:

  • if you have 2 or more factors that are required, then it’ll pre-populate the portal with your code #neat
  • if email is your only 2nd factor, it’ll log you straight into the site automagically #super-neat

The problem arises with the 2nd option. If a 2-factor email is sent out and intercepted, then the unwelcome visitor wins with a direct link right into your WordPress admin.

The chances of this are slim for 2 reasons:

  • the two-factor portal has a 5-minute window. If you miss it, you have to start your login from scratch.
  • the link can only ever be used once.

But the chance, however slim, remains. So what is the next step?

Decision: Remove The Automatic Login Link

The link is really convenient, but we feel that there is little/no inconvenience in copy-pasting the code into your login portal.

So from Shield v5.12.2 we’ve removed the link from the outgoing two-factor email. You will now have to copy-paste the code into the portal directly.

We apologise if this is a problem for you, but we hope you’ll understand the reason behind it.
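
A sketch of the code-only flow described above, as an added example that is not Shield's code or part of the original post. The class name `EmailCodePortal`, the session ids and the 5-guess limit are assumptions; the session id is assumed to be created only after the password step succeeds. It shows why an emailed code, unlike an auto-login link, is of no use without the portal session it was issued for.

```python
import hmac
import secrets
import time

WINDOW_SECONDS = 5 * 60  # the portal's 5-minute window
MAX_ATTEMPTS = 5         # assumption: guess limit, not stated in the post


class EmailCodePortal:
    """Hypothetical portal: one pending code per session that passed the password step."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # session_id -> [code bytes, expiry time, attempts left]

    def start(self, session_id):
        """Create a fresh 6-digit code for this session and return it for emailing."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = [code.encode(), self._clock() + WINDOW_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, session_id, submitted):
        """Accept only the right code, in the issuing session, in time, once."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False  # no challenge for this session: the emailed code alone is not enough
        code, expires, _ = entry
        if self._clock() <= expires and hmac.compare_digest(code, submitted.encode()):
            del self._pending[session_id]  # single use
            return True
        entry[2] -= 1
        if self._clock() > expires or entry[2] <= 0:
            del self._pending[session_id]  # expired or too many guesses: restart the login
        return False


def demo():
    now = [1_000.0]  # constructed clock so expiry can be shown without waiting
    portal = EmailCodePortal(clock=lambda: now[0])
    code = portal.start("user-session")
    other = portal.verify("interceptor-session", code)  # email read, but no portal session
    first = portal.verify("user-session", code)
    replay = portal.verify("user-session", code)
    late_code = portal.start("user-session")
    now[0] += WINDOW_SECONDS + 1
    expired = portal.verify("user-session", late_code)
    return {"other_session": other, "first_use": first, "replay": replay, "expired": expired}
```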

