What Impact Does Two-Factor Authentication (2FA) Have On Hackings Through WordPress Plugin Vulnerabilities?
On the WordPress Support Forum, someone asked not that long ago whether two-factor authentication (2FA) would prevent websites from being hacked through security flaws in WordPress plugins. It’s a good question, and another security provider didn’t really answer it.
For those not familiar, 2FA refers to having a second element when authenticating, that is, logging in to a system, beyond the username/password. There is a rather long Wikipedia entry if you want to learn more about that. But what is important for answering the question being posed is that 2FA only comes into play if someone is trying to log in to someone else’s account and already knows the username and password.
Most vulnerabilities in WordPress plugins don’t involve logging in to someone else’s account. They might not involve logging in at all. For example, an attacker might exploit a vulnerability that allows those not logged in to upload malicious files. In other cases, the vulnerability is only exploitable by someone logged in to WordPress, but attackers don’t normally try to access someone else’s account in order to exploit it.
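To make the point concrete, here is an added illustration (hypothetical plugin code, not from the forum thread or from any real plugin) of where 2FA sits in the request path: a plugin REST endpoint that accepts file uploads. In the weak version the permission_callback lets any request through, so no login ever happens and no second factor is consulted; the hardened version requires an authenticated user with the upload_files capability and restricts the file type. The route names and example_plugin_handle_upload are made up for the example.

```php
<?php
// Added illustration (hypothetical plugin code, not from the original post).
// Route and function names are made up for the example.

// WEAK: permission_callback lets unauthenticated requests reach the handler.
// No login happens, so no second factor is ever consulted.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/upload', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_handle_upload',
        'permission_callback' => '__return_true', // anyone, logged in or not
    ) );
} );

// HARDENED: the request must come from an authenticated user who holds the
// upload_files capability. Only now does the account, and therefore any 2FA
// protecting that account, matter at all.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/upload-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_handle_upload',
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can( 'upload_files' );
        },
    ) );
} );

// Shared handler: even for authorised users, restrict what may be uploaded.
function example_plugin_handle_upload( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file'] ) ) {
        return new WP_Error( 'no_file', 'No file supplied.', array( 'status' => 400 ) );
    }
    // Accept only image types; wp_check_filetype() compares the extension
    // against the site's allowed MIME list.
    $type = wp_check_filetype( $files['file']['name'] );
    if ( empty( $type['type'] ) || strpos( $type['type'], 'image/' ) !== 0 ) {
        return new WP_Error( 'bad_type', 'Only images are accepted.', array( 'status' => 415 ) );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $files['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'], array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'url' => $result['url'] ) );
}
```

The weak route is the shape most unauthenticated upload flaws take: the fix is the missing authorization check in the plugin, which 2FA on user accounts cannot substitute for.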
A few vulnerabilities have recently been found that allow resetting the passwords of existing WordPress accounts. 2FA wouldn’t stop the exploitation of the vulnerability itself, but it could prevent the attacker from then logging in to the account, as they won’t have access to the second factor.
It’s also possible, in a targeted attack on a website that doesn’t allow untrusted individuals to have WordPress accounts, for an attacker to exploit a vulnerability that requires being logged in by first gaining access to an existing user’s username/password. 2FA could also come into play there.
So it is possible that 2FA could provide some protection in a limited number of situations. It is important to remember that there are various methods to bypass 2FA, and a plugin adding support for 2FA could itself introduce insecurity.
Based on all that, for those looking to protect against vulnerabilities in WordPress plugins, 2FA isn’t a great option to focus on. You will get a lot more protection by doing the basics, including keeping plugins up to date. You can increase protection a lot more by using a firewall plugin that provides effective protection, which most don’t offer. For those with heightened security concerns, having security reviews done of the plugins you use will help to avoid vulnerabilities existing on your website that could be exploited.