Our latest ShieldPRO security plugin for WordPress brings several much-requested features and enhancements to the WordPress Two-Factor Authentication system.
We’ve offered two-factor authentication (2FA) for WordPress for many years and view it as a cornerstone in account security. Ensuring that only verified users may log into a WordPress site, particularly administrators, provides a peace-of-mind that can’t be found by any other security principle.
Is 2FA perfect? No – it does add a level of friction, of course, to the user login experience.
But in spite of this it does a wonderful job at protecting account owners and WordPress websites from many different sorts of attacks.
The merits of 2FA aren’t up for discussion in this article, however. I just wanted to remind the reader of how important 2FA is in your overall WordPress security hygiene.
We’re going to outline the improvements we’ve brought to Shield’s Two-Factor Authentication for WordPress with ShieldPRO 14.0.
#1 All-New Two-Factor Authentication Login Screen
We made a decision several years ago to build a completely custom 2FA login screen.
We did this for a few reasons, but the biggest was that having our own custom screen prevented other plugins/themes from interfering with it in a way that would break the login process.
Being able to log into a WordPress site smoothly is important. Adding 2FA to that process adds friction. Doing so in a way that could be broken by 3rd party plugins was a risk we just couldn’t mitigate any longer. As much as we tried reaching out to developers, getting cooperation just wasn’t in their playbook most of the time.
Fast-forward to today and we’re a little more savvy and our development skills for WordPress are a bit more refined. So based on some feedback from a few customers, we decided to have a go at building our 2FA page on top of the presentation style of WordPress’ own login screen.
This is great for the user experience as they’ll get the same look-and-feel on the 2FA page as the login page.
We’ve done our best to reproduce the WordPress login page (which isn’t as easy as it looks) but it does mostly cover the same styles and layout. If you use custom logos on the login page, or custom styles are enqueued, Shield will honour those, too.
Of course, Shield’s custom 2FA login screen is still available too – and it’s the default option for all new installations – but you’re free to switch to the WP Login style 2FA at any time.
#2 Improved Two-Factor Authentication User Experience
We’ve reworked the UX for Shield’s 2FA pages in several different ways.
- Emails with 2FA One-Time Passwords (OTP) are only sent automatically if Email is your only 2FA provider. If you have others, such as Google Authenticator, then you will need to request an email to be sent. This reduces spurious emails sent that aren’t even required as Google Authenticator is often more convenient.
- The input fields for your OTPs are cleaner, with larger text, and some validation so you don’t input incorrect codes.
- When you use U2F Authentication, the 2FA form is automatically submitted for you, reducing unnecessary clicks.
#3 Easier Access To Two-Factor Settings For Users
The standard place to manage your Two-Factor Authentication settings is within your WordPress User Profile page. This has been the case since we introduced 2FA into Shield Security.
However, some clients have asked for a separate WP Admin sub-menu to access these settings – a dedicated 2FA area for the user.
With ShieldPRO 14.0 you have both options available to you – 2FA settings embedded on the user profile page, and/or a dedicated WP admin page.
There’s a new option added to the Shield plugin that lets you choose your preferred approach for users.
And of course, for our ShieldPRO clients you can always use the shortcode (SHIELD_USER_PROFILE_MFA) to embed the 2FA settings within any page on your site, providing the most flexible screens for your users.
#4 Improved Two-Factor Authentication Processing
We’ve done some major reworking of the two-factor authentication flow within Shield. This is stuff you won’t necessarily see as you use it, but it makes the whole process smoother, more secure and reliable.
#5 WP Login Hide With Custom Redirect URL
ShieldPRO has offered the option to hide the WordPress login and admin pages for a long time. And while this, strictly speaking, falls under the category of “Security through Obscurity”, it is nonetheless useful for many clients to help with their branding and guide users to the correct login URL.
Until now there’s only been 1 response by Shield when a visitor attempts to access the original WordPress login page – a “404 Not Found” error page. This isn’t the most user friendly of pages.
After client feedback we’ve provided the option to redirect the visitor to a URL of your choice. This URL must be on the same site (i.e. they can’t currently be redirected to another domain entirely).
For example, you may want to redirect the request to the home page of your site. To do this, you’d simply provide “/” as your redirect URL path.
If you wanted to redirect the visitor to a “friendly” 404 page, simply provide “/404” or some other URL that will result in a WordPress 404 error page.
To use this option, just supply the path of the URL to redirect the request in the new option we’ve provided. If you leave this option blank (which is the default), Shield will respond how it’s always responded – with a “404 Not Found” error page.
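The following is an added illustration of the same-site rule described above; it is not Shield’s code. It shows how a hidden-login handler can accept only a site-relative path (so the option can never become an open redirect to another domain) and fall back to the classic 404 when the option is blank. The option name `example_login_hide_redirect` and the function names are assumptions; `get_option()`, `home_url()`, `status_header()`, `nocache_headers()`, `wp_die()` and `wp_safe_redirect()` are standard WordPress functions.

```php
<?php
// Hypothetical example (not Shield's own code). Decides how to answer a request for the
// original wp-login.php once the login page is hidden. Assumes the configured redirect
// path is stored in a plugin option named 'example_login_hide_redirect'.

/**
 * Returns an absolute same-site URL to redirect to, or null when the classic
 * "404 Not Found" response should be used instead.
 */
function example_resolve_login_hide_redirect( string $configured ): ?string {
    $configured = trim( $configured );
    if ( $configured === '' ) {
        return null; // blank (the default) keeps the 404 behaviour
    }
    // Accept only a site-relative path: it must begin with a single "/".
    // "//evil.example" would be a protocol-relative URL to another host, so it is rejected.
    if ( $configured[0] !== '/' || substr( $configured, 0, 2 ) === '//' ) {
        return null;
    }
    // Backslashes and control characters are normalised by some browsers into "//";
    // reject them rather than trying to sanitise.
    if ( preg_match( '/[\\\\\x00-\x1f]/', $configured ) ) {
        return null;
    }
    // home_url() prefixes the current site's scheme and host, so the result is always same-site.
    return home_url( $configured );
}

/**
 * Handler to run when a visitor requests the hidden login page.
 */
function example_handle_hidden_login_request(): void {
    $target = example_resolve_login_hide_redirect(
        (string) get_option( 'example_login_hide_redirect', '' )
    );

    if ( $target === null ) {
        // Blank or invalid option: respond exactly as before, with a 404.
        status_header( 404 );
        nocache_headers();
        wp_die( 'Not Found', 'Not Found', [ 'response' => 404 ] );
    }

    // wp_safe_redirect() re-validates that the destination host is an allowed host,
    // giving a second layer of protection against redirecting off-site.
    wp_safe_redirect( $target, 302 );
    exit;
}

// Constructed sample values showing the decision for a few option settings.
// "/"      -> https://example.test/        (home page)
// "/404"   -> https://example.test/404     (friendly 404 page)
// ""       -> null                          (classic 404 response)
// "//x.io" -> null                          (protocol-relative, off-site: refused)
```

The two-step check (path shape first, then `wp_safe_redirect()`) is deliberate: the first step rejects anything that is not obviously a local path, and the second enforces WordPress’ allowed-hosts list even if a future change loosened the first.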
#6 [Option Removed] Multi-Factor Authentication
Within Shield we use the term “Multi-Factor Authentication” to mean you’ve configured multiple 2FA providers (such as Email, Google Authenticator, Yubikey) and that you must supply all factors when verifying your login.
This is more complexity than is really required, we feel. 2FA is already a hurdle, so forcing clients to use multiple providers is a bit redundant.
The option to turn this feature on has also been removed from the plugin.
All 2FA verifications will require only 1 factor, regardless of how many providers the user has activated.
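As an added example (not Shield’s own code), the block below models two of the rules described in this post: the Email OTP is sent automatically only when Email is the user’s sole provider (section #2), and a login is accepted as soon as any one active provider validates its code (this section). Google Authenticator is modelled with a standard RFC 6238 TOTP check; the provider keys (`email`, `ga`), the user array layout and the sample secret and codes are constructed for the illustration.

```php
<?php
// Added illustration, not Shield's own code. Provider names, array keys and all sample
// data are assumptions made for the example.

// Decode an RFC 4648 base32 secret (the format authenticator apps import).
function example_base32_decode( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
        $v = strpos( $alphabet, $c );
        if ( $v === false ) {
            throw new InvalidArgumentException( 'invalid base32 secret' );
        }
        $bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( strlen( $byte ) === 8 ) {
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

// RFC 6238 TOTP: 30-second step, 6 digits, HMAC-SHA1, tolerating one step of clock drift.
function example_totp_valid( string $b32_secret, string $code, int $now ): bool {
    $key = example_base32_decode( $b32_secret );
    foreach ( [ -1, 0, 1 ] as $drift ) {
        $counter  = pack( 'J', intdiv( $now, 30 ) + $drift ); // 64-bit big-endian step counter
        $hmac     = hash_hmac( 'sha1', $counter, $key, true );
        $offset   = ord( $hmac[19] ) & 0x0f;                    // dynamic truncation
        $bin      = ( ( ord( $hmac[ $offset ] ) & 0x7f ) << 24 )
                  | ( ord( $hmac[ $offset + 1 ] ) << 16 )
                  | ( ord( $hmac[ $offset + 2 ] ) << 8 )
                  |   ord( $hmac[ $offset + 3 ] );
        $expected = str_pad( (string) ( $bin % 1000000 ), 6, '0', STR_PAD_LEFT );
        if ( hash_equals( $expected, $code ) ) {                // constant-time comparison
            return true;
        }
    }
    return false;
}

// Rule from section #2: auto-send the email OTP only when Email is the only provider.
function example_should_auto_send_email_otp( array $active_providers ): bool {
    return $active_providers === [ 'email' ];
}

// Rule from section #6: a single valid factor completes verification.
// $submitted maps provider => code the user entered; providers left blank are skipped.
function example_verify_login( array $user, array $submitted, int $now ): bool {
    foreach ( $user['providers'] as $provider ) {
        $code = trim( $submitted[ $provider ] ?? '' );
        if ( $code === '' ) {
            continue;
        }
        $ok = false;
        if ( $provider === 'ga' ) {
            $ok = example_totp_valid( $user['ga_secret'], $code, $now );
        } elseif ( $provider === 'email' ) {
            // stored OTP is single-use in practice; here it just expires after 10 minutes
            $ok = $now <= $user['email_otp_expires'] && hash_equals( $user['email_otp'], $code );
        }
        if ( $ok ) {
            return true; // one factor is enough, regardless of how many are enabled
        }
    }
    return false;
}

// Constructed sample user with both Email and Google Authenticator enabled.
$user = [
    'providers'         => [ 'email', 'ga' ],
    'ga_secret'         => 'JBSWY3DPEHPK3PXP',
    'email_otp'         => '482913',
    'email_otp_expires' => time() + 600,
];
var_dump( example_should_auto_send_email_otp( $user['providers'] ) ); // false: GA is available
var_dump( example_verify_login( $user, [ 'email' => '482913' ], time() ) ); // true: one factor suffices
```

Two details matter for the defender: codes are compared with `hash_equals()` so timing differences do not leak how many digits matched, and the loop returns on the first provider that validates, which is exactly the “only 1 factor” rule now in force.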
Comments, Questions & Suggestions?
We’ve packed a lot of new things into this release and removed an option here and there. We think this is our best release yet for Shield Security, but as with anything that changes, there will be questions and feedback.
Please feel free to use the comments section below to drop us a message or question if you have any. Thanks as always for your support!
On your Shield Security Changelog webpage, can you add an actual release date for each of the minor updates that were released instead of just showing the minor version number and what that update does? I see you currently have a release date for the major versions, but it would be helpful to see it for each of the minor updates too.
Hi,
Thanks so much for your suggestion.
We’ve added the release date for the minor versions too.
Thanks again! 🙂