WP Engine announced today that two-factor authentication is available to its 42,000+ customers. This is expected to halt increasing attempts to brute force into the host’s user portal.
“As we grow, almost everything about the company changes, and security is one of them,” said WP Engine founder Jason Cohen. “For example, we see things like fraudulent accounts and account impersonation/phishing, and other things which didn’t appear often when we were smaller and less of a target.”
Adding 2FA is part of a larger plan for improved security that the company began last year when it hired Eric Murphy as its new security director.
“We’ve had a cross-departmental internal security group of about a dozen people for a few years now, but in 2015 we decided we needed even more leadership in that area,” Cohen said.
“We hired Eric last year, in fact before the December security incident, so in hindsight that was excellent timing.”
While providing 2FA is a best practice, there are a couple of issues with doing so. WP Engine wanted to make something simple that worked without requiring too many entries in a customer's authenticator app. The company also had some technical issues to resolve, which Cohen outlined below.
“One of the challenges was in identity recovery,” he said. “We can’t use email as a way to recover from a lost phone, because then the email address becomes a ‘single factor,’ i.e. you can use it to recover your password as well as your phone aspect.
“However, nowadays with the advent of Google Authenticator and other apps, plus people’s general awareness of how to use things like scratch codes, we felt it was now not going to be hard for people to use,” Cohen said.
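As an added illustration (not WP Engine's code or design), the following Python sketch shows the two pieces Cohen describes: time-based codes from an authenticator app, verified per RFC 6238 with a small clock-drift window, and lost-phone recovery through single-use scratch codes that are stored only as hashes. The model deliberately has no email-based reset path, so the email address never becomes the sole factor. All class and function names are hypothetical; the shared secret is the public RFC 6238 test vector, and the scratch codes are generated at runtime.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30  # TOTP time step used by common authenticator apps


def totp(secret_b32: str, for_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", for_time // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, now: int, window: int = 1) -> bool:
    """Accept the current code plus +/- `window` steps of clock drift.

    Constant-time comparison avoids leaking which digits matched.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


class SecondFactor:
    """Hypothetical per-account 2FA state: a TOTP secret and hashed scratch codes.

    There is intentionally no 'reset via email' method here: recovering the
    second factor through the same channel that resets the password would
    collapse the scheme back to a single factor.
    """

    def __init__(self, secret_b32: str) -> None:
        self.secret_b32 = secret_b32
        self._recovery_hashes: set[str] = set()

    def issue_recovery_codes(self, count: int = 8) -> list[str]:
        """Generate single-use scratch codes; only their hashes are retained.

        The plaintext list is shown to the user exactly once.
        """
        codes = [secrets.token_hex(5) for _ in range(count)]  # 10 hex chars each
        self._recovery_hashes = {self._digest(c) for c in codes}
        return codes

    def redeem_recovery_code(self, code: str) -> bool:
        """Consume a scratch code; a code that was already used is rejected."""
        digest = self._digest(code)
        if digest in self._recovery_hashes:
            self._recovery_hashes.discard(digest)  # burn it: single use
            return True
        return False

    def recovery_codes_left(self) -> int:
        return len(self._recovery_hashes)

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()


if __name__ == "__main__":
    # RFC 6238 test secret: ASCII "12345678901234567890", base32-encoded.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    account = SecondFactor(secret)
    print("code at t=59:", totp(secret, 59))
    codes = account.issue_recovery_codes()
    print("first redeem:", account.redeem_recovery_code(codes[0]))
    print("replay of same code:", account.redeem_recovery_code(codes[0]))
    print("codes remaining:", account.recovery_codes_left())
```

The drift window is the usual trade-off between tolerating slightly unsynchronised phone clocks and widening the set of codes an attacker could guess; one step either side is typical. Storing only hashes of the scratch codes means a database leak does not hand out working recovery codes.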
When it comes to protecting WordPress, WP Engine customers have always been able to use a plugin to add 2FA. Cohen said that the company is investigating a solution to make it more convenient for customers who manage multiple accounts.
“Suppose you manage 50 WP sites and you want 2FA,” he said. “So do you configure 2FA on every site and have 50 entries in your Google Authenticator App? That stinks!
“So, something better would be a SSO system somewhere, have 2FA on that, and then use that to get into WordPress,” Cohen said.
“Another way would be to use OAuth, e.g. use Google OAuth on WP, and indeed for customers who already use Google Apps, we do recommend that method. Another method might be that our own User Portal be an OAuth provider.”
With a host of solutions already available, Cohen said they are also considering simply pointing customers to a list of recommendations.
“Even if we do our own, we’d always support the other methods,” he said. “The idea isn’t to box anyone into a single method.”
PHP 7 Support
PHP 7 is one of the most watched versions of PHP ever. With it improving WordPress performance twofold and greatly reducing the system load for hosts, it's the technology that everyone is keeping their eyes on. However, Cohen mentioned some technological issues with implementing it.
“We have PHP7 running on some machines,” Cohen said. “But it’s actually amazing how few WP sites in the field are compatible. We’re finding that it’s less than 20%. There will need to be an opt-in for that reason.”
Although WordPress core is compatible with PHP 7, the vast majority of WordPress plugins and themes are not.
“Even WooCommerce doesn’t completely work with it,” Cohen said. “Many big, popular plugins are not yet compatible. With PHP v5.5 there was some of that, but this is much more. Of course PHP7 is the future so it’s inevitable, but it’s going to take more time than some other PHP releases did.”
Cohen said the best case scenario would be for customers to choose PHP 7 on an install-by-install basis and change at any time. He does not yet have an ETA, as the company is working on an undisclosed big project that Cohen says is part and parcel of it.
“We have to make some decisions about how much to put into it before release, versus releasing it earlier and then layering in more things afterward,” he said.
There are several large hurdles to allowing PHP version selection on an install-by-install basis, which need to be worked out before rolling it out to thousands of customers.
“One challenge is running multiple versions at the same time on the same machine,” Cohen said. “Another is tech support — if something doesn’t work in it, we need our 150+ support techs to understand how to figure that out and help.”
Cohen said he could see opt-in PHP 7 support happening for customers as early as this year but could not specify when.