WordPress 4.3: Making the Web More Secure
Today, WordPress powers roughly a quarter of the web. It is a powerhouse that can easily affect the course of the Internet for the future. This is why I was excited to hear of an initiative starting in WordPress 4.3 to improve passwords.
If you have not heard yet, the latest version of WordPress now includes an improved user experience for setting and resetting passwords. While this may seem like a minor feature of a much larger update, it is a small, but significant step towards eliminating the most common security issue with WordPress: people being terrible at creating and remembering passwords. For example, read WPEngine’s analysis of 10 million passwords.
Auto Generated Passwords
To combat this, WordPress now generates strong passwords by default for users created by administrators or by self-registering. This mirrors a best practice of developers and site admins when creating new accounts and takes a step out of the process when administrators are creating new accounts.
Password Analysis & Feedback
In addition, the password analyzer released in WordPress 3.6 will notify the user of their selected password’s strength, giving them hints to make their password even stronger. This is not a strict rule when creating passwords (as some have recommended), but the effect is the same by appealing to our human nature. Users now have to jump through a few more hoops to create a weak password. Educating the public on what makes a password strong and providing direct feedback on this strength can go much farther than forcing strict password rules.
No More Passwords Sent Via Email
Finally, WordPress removed functionality that would send passwords over email, instead providing users a reset password link with a temporary key via email that expires in 24 hours. This eliminates another source from which unauthorized users can gain access to your WordPress site, especially since many passwords sent via email are never changed. Requiring the user to go through a password reset process will force the user to set their own password rather than use an auto generated one. This encourages users to create their own memorable password and reduces the need to save this password in an insecure manner, e.g. text documents or sticky notes. Additionally, WordPress sends an email when your password is changed to inform you in the case of a fraudulent change to your account.
The new password features are focused on implementing best practices and educating the public. This is only the first step of many in improving the security and user experience of passwords in WordPress. Of course, there are many naysayers; one of my favorites being, “Adding a steel door into a paper wall. Don’t say “security”, I’ll sneeze.” I will admit, there is some truth to statements like these. There are still many opportunities for WordPress to improve from a security standpoint and there will continue to be vulnerabilities that can be exploited whenever a project is open to outside contributions, especially when using a variety of plugins with dubious backgrounds. Despite these facts, efforts towards improving the security of WordPress and the process of creating and managing passwords in WordPress are making the Internet a more secure place.
Continue reading about the strong passwords feature on the Make WordPress Core blog.
Next Steps for Password Improvements
WordPress is dedicated to improving the password experience and security surrounding password creation and storage. A larger number of ideas have been proposed by a variety of contributors, many of which have merit.
The next major feature is the addition of 2-factor authentication which provides two separate sources for identifying the authenticating user. Many major sites and services already make use of this method, usually by utilizing text messaging to send a generated key. Unlike services like Twitter or Github, WordPress is being used in a variety of manners around the world, so relying on a single service for 2-factor authentication poses a problem. The best we can do is rely on email to provide a second source to verify the user.
While there are a variety of plugins that provide 2-factor authentication already, they all accomplish the goal in different ways. A WordPress core feature would attempt to standardize the user experience, providing methods for developers to hook in to for creating new services. That’s exactly what George Stephanis and Derek Herman are trying to accomplish through their two-factor functionality on Github. I encourage you to read through and contribute as this will be the future of security in WordPress.
I hope to see you on the WordPress Slack channel in #core-passwords for further discussions on this topic!
Next steps? Learn more about our website design and development services by getting in touch today. We’ll get back to you as soon as we can!
Also, have you heard? We have also just opened a new WeWork location in Chinatown!