WordPress.com Turns On Two-Step Authentication
Blogging host WordPress.com is the latest to offer its customers an added layer of security with a new feature called two-step authentication.
The big idea behind two-step authentication — already offered by Google, Facebook, Yahoo and, to an extent, Apple — is requiring not one, but two means of verification to log in.
Users who turn the feature on at WordPress.com still log in with their normal passwords, but are then prompted for a one-time numerical code as well. That code can be generated by the Google Authenticator smartphone app, which implements the time-based one-time password scheme standardized in RFC 6238, or sent by text message to an ordinary cellphone.
The app "generates a new number every 30 seconds, making it virtually impossible to guess," WordPress.com wrote on its official blog. "All you need to do is open the app on your phone, and type in the number it's showing."
Even if an attacker gets hold of a WordPress.com user's password, the attacker can't complete the login without also obtaining a fresh code, which means controlling the phone that generates or receives it. The feature protects the login step itself; it does nothing against an attacker who already holds a logged-in session, or who phishes a current code and relays it before it expires.
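The 30-second code described above is a time-based one-time password (TOTP, RFC 6238). As an added illustration, not code from the original article or from WordPress.com, the following Python implements both the generator an authenticator app runs and the check a server performs on the submitted code. It uses the published RFC 6238 test secret rather than a real user's key; the one-step drift window, the replay check on the last accepted counter and the otpauth provisioning URI format are assumptions spelled out in the comments.

```python
"""Time-based one-time passwords (RFC 6238) as generated by Google Authenticator.

Added example; not WordPress.com's code. The secret below is the RFC 4226/6238
test vector (ASCII "12345678901234567890") in the base32 form an authenticator
app receives it; a real deployment generates a fresh secret per user with
secrets.token_bytes(20) and stores it server-side.
"""
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TEST_SECRET = base64.b32decode(TEST_SECRET_B32)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of 30-second steps since the epoch.

    This is what the phone app computes every 30 seconds.
    """
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, drift: int = 1):
    """Server-side check of a submitted code.

    Returns the matched counter so the caller can persist it as last_counter, or None.
    Assumptions: accept one step of clock drift on either side, and never accept a
    counter at or below the last one already used, so a captured code cannot be replayed.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    base = unix_time // step
    for counter in range(base - drift, base + drift + 1):
        if counter <= last_counter:
            continue
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """Key URI in the otpauth format that Google Authenticator reads from a QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    now = int(time.time())
    print("enrol with:", provisioning_uri("WordPress.com", "alice", TEST_SECRET_B32))
    print("code right now:", totp(TEST_SECRET, now))
    print("verified as counter:", verify_totp(TEST_SECRET, totp(TEST_SECRET, now), now))
```

The verifier accepts one step of clock drift on either side, refuses any counter at or below the last one it accepted so the same code cannot be replayed within its window, and compares codes in constant time. A six-digit code is still guessable once in a million per attempt, so the login endpoint must also rate-limit second-step attempts; and the sample secret here is a published test vector that must never be used in a deployment.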
Users worried about losing their smartphones can generate and print out unique backup codes that can be kept in a secure place, but not on a networked device.
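The printed backup codes in the paragraph above are a second credential the server has to store, and the sensible way to store them is the same as for passwords: salted, slow-hashed, and invalidated after use. The following Python is an added example, not WordPress.com's implementation, of generating such codes, keeping only their PBKDF2 hashes, and redeeming each one at most once; the code length, code count and iteration count are assumptions.

```python
"""Single-use backup codes for two-step login, hashed at rest.

Added example; not WordPress.com's code. Assumptions: ten 8-digit codes per user,
PBKDF2-HMAC-SHA256 with 100,000 iterations, codes accepted with or without
spaces or dashes the user may have typed from the printout.
"""
import hashlib
import hmac
import secrets

ALPHABET = "0123456789"


def generate_backup_codes(count: int = 10, length: int = 8) -> list:
    """Random numeric codes shown to the user once for printing; the plaintext is never stored."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def _normalize(code: str) -> str:
    return code.replace(" ", "").replace("-", "")


def _hash(code: str, salt: bytes) -> bytes:
    # 8 random digits is only about 26.6 bits of entropy, so a fast hash would leave a
    # leaked table trivially brute-forceable; a slow KDF makes that offline guessing costly.
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, 100_000)


class BackupCodeStore:
    """Per-user store holding one salt and the hashes of the codes not yet used."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self._hashes = [_hash(c, self.salt) for c in codes]

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, submitted: str) -> bool:
        """Accept a code exactly once: match in constant time, then delete the matching hash."""
        candidate = _hash(submitted, self.salt)
        matches = [h for h in self._hashes if hmac.compare_digest(h, candidate)]
        if not matches:
            return False
        self._hashes.remove(matches[0])
        return True


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("print these and keep them offline:", " ".join(f"{c[:4]}-{c[4:]}" for c in codes))
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

Because each code is only eight digits and a user holds ten of them, an online guesser succeeds about once in ten million attempts, so the endpoint that accepts backup codes needs the same rate limiting as the password form; the hashing only protects against an attacker who has already obtained the stored table.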
Will the real WordPress please stand up?
This new security feature is available only to users of the WordPress.com hosting service, free and paying alike. People and companies who run the WordPress software on self-hosted sites get no protection from it.
Confused? You're meant to be.
In a nutshell, WordPress is free blogging software, overseen by the non-profit WordPress Foundation, that anyone can use anywhere. The New York Times uses WordPress to power its blogs; so does TechNewsDaily's sister site LaptopMag.com.
WordPress.com, on the other hand, is a commercial Web host owned by a company called Automattic. Its main business is hosting WordPress-powered blogs and websites, including some that have their own domain names, such as TechCrunch and CNN.
Automattic is cagey about how many clients it has. The WordPress.com "stats" page says there are more than 60 million WordPress-powered sites on the Web, but does not specify how many of those happen to be hosted by WordPress.com.
No help to those who most need it
Ironically, it's the self-hosted sites that could really use two-step authentication.
While WordPress.com immediately applies WordPress security patches to its hosted blogs and otherwise polices the software, self-hosted blogs require manual updates, are often several patches behind and can install all sorts of dodgy WordPress plug-ins.
Cybercriminals often take advantage of this sloppy self-hosted security to compromise WordPress-powered blogs and turn them into launch points for drive-by downloads that infect the blogs' readers.
One well-known example was the Mac Flashback Trojan, which infected about 600,000 Apple desktops and laptops through a Java exploit served from compromised WordPress-based blogs.
As Web-based companies try to stay ahead of hackers' increasingly clever methods for breaking into accounts, many companies have adopted the two-step login principle.
While no combination of passwords, numerical codes or other factors is 100 percent secure, requiring something the user knows (a password) together with something the user has (the phone that produces or receives a one-time code) makes an attacker's job much harder: a stolen password alone is no longer enough.