Website security is changing at SixFive. Our Managed WordPress Hosting product will soon include Fortress, the only WordPress security system able to defeat security threats overlooked by the WordPress ecosystem.
Table of Contents
The Dirty Secrets No One Wants You to Know
Regarding WordPress Login Security
In simple terms: There isn’t any. Not even with two-factor authentication.
WordPress-based 2fa plugins are hotbeds of vulnerability because they hold their keys – for encryption and password hashing – in the database.
If any of the WordPress plugins you have has the tiniest vulnerability, all of those keys can be found, removed, changed, or disabled. The attacker could swap your secrets out with his own, and that would be it.
This is why added-in plugins are just either security theatre or completely inefficient.
Regarding WordPress Password Security
The WordPress standard md5 hashing can be cracked through a website in a matter of minutes. If a smart business owner were to create a website today, they would never employ an md5-based password hashing system created in 1991. Surprisingly, it’s what WordPress is still using to this day.
Regarding WordPress Session Security
Session tokens are stored as cookies on your local computer and expire after two weeks. If they’re taken from your computer before expiry, anyone can put that same cookie on their computer (see below) and easily log into your website.
Hackers can steal or buy valid cookies on the dark web, putting WordPress sites at high risk for such attacks.
Why Is Fortress essential to your business security?
So, about your typical WordPress-based plugins…
In many cases, they can provide security that is worse than nothing. Because, just like a placebo, they give you a non-existent sense of safety. And they work in a rather interesting way, which we’ll explain.
Every plugin needs a secret to keep everything secure. That’s the only way they can assure consistent functionality.
WordPress “security” plugins are built to the lowest common denominator – in a way that they can be installed anywhere, on any site, and on any platform. To do this, they rely on security theatre to make you feel safe, but they fall short of actually doing much effective security.
Security theatre is the practice of taking security measures that are considered to provide the feeling of improved security while doing little or nothing to achieve it – Wikipedia.
One restriction for these plugins (as they have no control over the environment they exist within) is storing all of their secrets in the database. The problem is that the WordPress database is very susceptible to SQL (Structured Query Language) injection attacks, which are very common (see the Patchstack database) and easy given the right circumstances.
This isn’t a matter of IF, but of WHEN those secrets will be exposed.
If your database is compromised, hackers can leak all of those secrets. And from that point on, your security is useless. Once they have full, unfettered access to the database, they can do whatever they want with the available information.
Here’s an example: the first thing a burglar does when entering a house is find a way to disable the alarm system and turn off the cameras so they can get to work. All of your current plugins are hanging the keys on the front door of your website – so a hacker can literally replace the security camera feed and then do whatever they want.
Usually, this would work to put in a “backdoor” of some sort, so they can take their leisurely time and surprise you with a hack just weeks later.
This shows that the WordPress ecosystem’s security posture needs to change dramatically. Fortress solves for that.
The team behind the Fortress Security plugin, Snicco, are enterprise WordPress development and security experts. Fortress came about as a result of a need to improve WordPress’s security practices.
Their security research has detected and prevented several high profile vulnerabilities in the most common WordPress security plugins affecting over 17 million websites. One includes stopping the 2023 Elementor Write SQL Injection Vulnerability dead in its tracks.
Fortress runs on the lightest interface possible to achieve maximum impact. It completely dismisses security theatre, without adding random things in the plug-in space that should be running at server level.
The reason it provides much stronger password management and encryption is its compatibility with PHP 7.4+|8+|8.1+, leaving prehistoric PHP versions behind.
Moreover, no release is approved before Fortress undergoes 1200 automated tests across all combinations of supported WordPress and PHP versions.
Fortress consists of four key features that, when combined, will fortify security measures all across your website. They are:
Two-Factor Authentication (2fa)
One of the biggest problems with many security plugins is that, ironically, their 2fa may have resulted in several websites being hacked. Since they have no rate-limiting, there’s no control of how many requests can be made per user. As a result, there could be plenty of successful brute-force attacks.
For that reason, Fortress is the only security system for WordPress that rate-limits failed 2fa attempts.
If a user exceeds rate-limiting attempts, Fortress will essentially “lock” the user account, which will destroy all sessions for the associated user. Next, the user’s password will be instantly reset to a safe, random one, while the user will be immediately notified of the incident via email.
For any lazy users, the plugin only allows users to skip the 2fa enrollment once. So no employees will be able to say “I’ll get to that,” and compromise your company’s security.
At this point, hackers say, “yeah, never mind, I’ll just move on to the next site; there are lots with other insecure security plugins.”
Typically, session cookies in WordPress expire in 48 hours. As long as these authentication cookies are active, hackers can log in to your admin dashboard without typing in any credentials.
And guess what: cookies can be bought on the dark web. They are stolen from computers by other means, such as computer viruses or maliciously created Microsoft documents, and bundled in their thousands for sale. They’re valuable enough to be sold on the black markets, which explains why about 20% of this type of hack comes from stolen, then sold session cookies.
Fortress fixes this by rotating these session tokens every 5 minutes. It also allows users to set up secondary authentication for elevated permissions – such as updating email addresses or payment details. This is the same technology Fortune 500 companies, like Amazon and banks, use to re-authenticate users for critical and personal actions.
Password Security & Hashing
WordPress still uses old md5-based hashing schema for password security, which helps hackers crack your password hashes in just a few hours.
Fortress changes the way WordPress hashes passwords by ripping md5 out and replacing it with modern encryption called argon2, encryption appropriate for websites built in 2022 and beyond. On the server side, your passwords can never be weak, as Fortress won’t allow it – even if the user checks WordPress’s “confirm use of weak password” box.
The plugin also employs a rate-limiting password reset throttling feature to limit password resets to once every 15 minutes per IP address. Its purpose is to prevent attackers from bombarding users with password reset requests.
The thing about WordPress security plugins is: they can only successfully protect against attacks from a single IP. But hackers have only gotten smarter, and multi-IP brute-force attacks are all too common in 2023.
Along with password reset throttling, Fortress implements a login throttling feature that shields websites against multiple attack vectors. It assigns a unique, secure device ID to the honest user’s browser, making it impossible for an attacker to threaten this specific ID. This way, honest users won’t be compromised by reinforced security or be annoyed by bothersome Captchas.
Secure Managed WordPress Hosting for you.
There’s nothing you need to do but sit back and relax we will be making this happen for you soon.
Fortress will be standard for all websites we manage because it’s important that you protect your digital asset.
Can I buy Fortress elsewhere?
SixFive has worked hard to become one of a few globally trusted partners that has a hosting platform compatible with Fortress. With this trust we have also secured Fortress for you at a fraction of the rate it will be available to the public (USD$50/month/site).
Thanks, I’ll just use Wordfence
That’s fine; however, take a minute to read this article again and understand the impacts of doing so. Wordfence is one of the companies that the Fortress developers provided patches to, but they didn’t implement them correctly because they can’t – this would mean it doesn’t work in 100% of WordPress sites (thus cutting their potential market down).
Wordfence can’t do the things Fortress does because of this restriction.
Preventable Security Issues Cost More Than Your Business
If you think paying a development team is all it takes to mitigate a hacker attack, think again. Unfortunately, you’re likely to lose money in several different ways, such as:
- Losing revenue because of website downtime
- Losing sensitive data – not only from your business but from your loyal customers
- Losing traffic and credibility due to Google’s blacklist flagging your site as unsafe
- Losing customer loyalty and business reputation
- Losing peace of mind, knowing your assets may never be recovered
If website recovery were the only expense, hack attacks wouldn’t be such a huge problem. The real issues, however, are the exorbitant implicit costs associated with security threats.
Sadly, most business owners would rather adopt a “watch and wait” approach. Only once they detect a vulnerability they’ll scramble to get it “fixed.” The problem is: depending on the attack, it can’t be “fixed.” Only prevented.
Don’t let your team learn it the hard way. Get enterprise-grade security while you can, and you won’t ever feel the dread of discovering a security issue. Because trust us, you wouldn’t want to.