Introduction
Snicco, the team behind the Fortress security plugin, is a group of experts in WordPress development and security research. They have helped 24 well-known security plugins fix security problems in their code. Some of these problems were very serious and could have allowed attackers to take over websites completely. They found issues such as susceptibility to denial-of-service (DoS) attacks, a lack of proper encryption, and unnecessary security shortcuts. Many plugins had even copied code directly from other plugins, carrying the same security problems with them. Every plugin they looked at had at least one issue, and most had three or more.
Because of this research and the serious problems it uncovered in other plugins, Snicco created Fortress. The plugin focuses on making WordPress websites much safer by applying sound security practices of its own. It adds secure 2FA, rate limiting, safer sessions, and strong password protection built on the best cryptography available in PHP.
About Fortress
No Security Compromises
The idea behind Fortress's hosting partnerships is to include only what can be done effectively at the plugin level, without piling on unnecessary features. With Fortress you get every security improvement that can be made in PHP, and none of the useless or resource-wasting extras.
Fortress is different from other security plugins because it doesn’t make security compromises by:
- Not supporting old PHP versions: only PHP 7.4+, 8.0+ and 8.1+ are supported.
- Working directly with hosting companies (like us) to remove any uncertainties about the hosting environment. (Other plugins store encryption keys in the database because it’s the only thing they can rely on being available).
Fortress Modules
Fortress includes four parts that you can use separately or together:
- Authentication
- Password Security
- Rate limiting
- Session Management
All four parts are turned on from the start, and they work together to strengthen your website’s security at every stage of the sign-in process.
Quality Assurance
Fortress goes through rigorous testing to ensure every code change works as intended. This includes 1,200 automated tests run before each new version is released, covering all the WordPress and PHP versions it supports.
Customization
Fortress has modules that can be easily changed to fit your needs, and they can be set up differently for each user role on your website. With its powerful features like secure 2FA, rate limiting, safer sessions, and strong passwords, even the most complicated situations can be handled, making sure your website stays safe and secure.
Secure Two-Factor Authentication
A big issue with many security plugins is that their two-factor authentication isn’t safe. In some cases, turning it on could have even led to your website getting hacked. The team behind Fortress, Snicco, has helped other plugin creators by giving them the code needed to fix these problems.
In Fortress, two-factor authentication uses the latest and best security methods. It can be set up with great detail and comes with its own WP-CLI, making it a reliable choice for keeping your website safe.
2FA Rate Limiting
Fortress is the ONLY security plugin that limits the number of times someone can try to use two-factor authentication (2FA) and fail. Without this limit, hackers could guess 2FA codes until they get it right.
By default, Fortress lets users fail at 2FA five times (you can change this). The count starts over after a successful 2FA login.
If someone fails too many times, Fortress will “lock” the user’s account by:
- Ending all sessions (even the current one) for that user.
- Changing the user’s password to a random one.
- Sending the user an email to tell them what happened.
Compatibility
- Fortress's TOTP implementation follows RFC 6238, so it works with popular authenticator apps such as 1Password, Google Authenticator, and more.
- The 2FA feature in Fortress works with “most” custom WordPress login forms right away, even including ones from WooCommerce.
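As an added illustration of the 2FA flow described above (example code written for this page, not Fortress's own implementation): an RFC 6238 TOTP check followed by a per-user failure counter that triggers the three lockout actions once the limit is hit. The five-attempt limit is the default quoted above; the raw-byte secret (authenticator apps exchange it base32-encoded), the in-memory counters and the callback standing in for the real lockout actions are assumptions of the example.

```php
<?php
declare(strict_types=1);

// Added example, not Fortress code: RFC 6238 TOTP verification plus a per-user
// failure counter that locks the account after five wrong codes. The secret is
// raw bytes (base32 decoding of an authenticator-app secret is omitted) and the
// lockout actions are a callback standing in for the real ones.

function totpCode(string $secret, int $timestamp, int $step = 30, int $digits = 6): string
{
    $counter = intdiv($timestamp, $step);
    $hmac = hash_hmac('sha1', pack('J', $counter), $secret, true); // 8-byte big-endian counter
    $offset = ord($hmac[19]) & 0x0f;                                 // dynamic truncation, RFC 4226
    $binary = ((ord($hmac[$offset]) & 0x7f) << 24)
        | (ord($hmac[$offset + 1]) << 16)
        | (ord($hmac[$offset + 2]) << 8)
        | ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** Accept the current 30-second step and one step either side, comparing in constant time. */
function totpVerify(string $secret, string $code, int $timestamp, int $step = 30): bool
{
    $ok = false;
    foreach ([-1, 0, 1] as $drift) {
        // Evaluate every window so the timing does not reveal which one matched.
        $match = hash_equals(totpCode($secret, $timestamp + $drift * $step, $step), $code);
        $ok = $ok || $match;
    }
    return $ok;
}

final class TwoFactorGuard
{
    /** @var array<int,int> failed 2FA attempts per user id (an object-cache entry in a real deployment) */
    private array $failures = [];
    /** @var array<int,bool> */
    private array $locked = [];
    private int $maxFailures;
    private Closure $onLock;

    /** $onLock receives the user id and performs the lockout: destroy sessions, randomize password, notify. */
    public function __construct(int $maxFailures, Closure $onLock)
    {
        $this->maxFailures = $maxFailures;
        $this->onLock = $onLock;
    }

    /** Returns 'ok', 'invalid' or 'locked'. */
    public function attempt(int $userId, string $secret, string $code, int $now): string
    {
        if ($this->locked[$userId] ?? false) {
            return 'locked';
        }
        if (totpVerify($secret, $code, $now)) {
            unset($this->failures[$userId]); // the counter starts over after a successful 2FA login
            return 'ok';
        }
        $this->failures[$userId] = ($this->failures[$userId] ?? 0) + 1;
        if ($this->failures[$userId] >= $this->maxFailures) {
            $this->locked[$userId] = true;
            ($this->onLock)($userId);
            return 'locked';
        }
        return 'invalid';
    }
}

// RFC 6238 reference vector: ASCII secret "12345678901234567890" at T = 59 s gives 94287082,
// i.e. "287082" when truncated to six digits.
$secret = '12345678901234567890';
if (totpCode($secret, 59) !== '287082') {
    throw new RuntimeException('TOTP implementation does not match RFC 6238');
}

$guard = new TwoFactorGuard(5, function (int $userId): void {
    // Stand-in for the three lockout actions described above.
    echo "user {$userId}: all sessions destroyed, password replaced with a random one, user e-mailed\n";
});
$now = 1700000000;
$bad = '12345'; // wrong length, so it can never match a six-digit code

for ($i = 1; $i <= 4; $i++) {
    echo "attempt {$i}: ", $guard->attempt(7, $secret, $bad, $now), "\n";   // invalid
}
echo "valid code: ", $guard->attempt(7, $secret, totpCode($secret, $now), $now), "\n"; // ok, counter reset
for ($i = 1; $i <= 5; $i++) {
    echo "attempt {$i}: ", $guard->attempt(7, $secret, $bad, $now), "\n";   // the fifth one locks the account
}
```

The failure counter is deliberately kept separate from the TOTP check: the window tolerance (one step either side) is a usability choice, while the lockout threshold is the control that makes guessing a six-digit code impractical.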
Password Security
The password security features in Fortress are divided into two groups:
Main Features:
- Secure password hashing
- Password Rules
- Turning off password resets for important users
Extra Changes:
- Turn off application passwords
- Make password reset links last for a shorter time
- End all user sessions when a password is changed
Let’s take a closer look at each of these features.
Secure Password Hashing
WordPress still hashes passwords with an md5-based scheme that is no longer considered secure. Fortress fixes this by:
- Using its own secure hashing method built on the libsodium core PHP extension, the strongest cryptographic library available in PHP.
- Encrypting the password hash, bound to the user's ID, before it is stored in the database, so that a stolen database dump cannot be cracked unless the attacker also gets into the filesystem.
- Keeping the encryption keys in the environment rather than the database, which defeats common attacks in which someone with database access replaces a password or swaps one user's hash for another's.
- Unlike other plugins, Fortress upgrades password hashes proactively in the background, even for users who haven't logged in recently, so legacy hashes can be retired after the upgrade.
- Fortress can detect legacy password hashes from several sources and replace them with argon2 hashes.
- With the password upgrade-legacy-hashes command it upgrades legacy hashes in batches without disrupting your site.
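To make the hashing scheme above concrete, here is an added example (written for this page, not Fortress's own code) of argon2id hashing through ext/sodium, with the hash encrypted under a key taken from the environment and bound to the user ID as AEAD associated data, plus a login-time upgrade path for one legacy format. The environment variable name, the `$sealed$` storage prefix, the unsalted-md5 legacy check and the in-memory demo key are assumptions; Fortress's background batch upgrade is not reproduced here.

```php
<?php
declare(strict_types=1);

// Added example, not Fortress code: argon2id password hashing through ext/sodium, with the
// hash then encrypted (XChaCha20-Poly1305) under a key read from the environment and bound to
// the user ID as associated data. The env var name, the storage prefix and the unsalted-md5
// legacy check are assumptions made for this example.

final class PasswordStore
{
    private const PREFIX = '$sealed$';
    private string $key;

    public function __construct(string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
            throw new InvalidArgumentException('key must be exactly 32 bytes');
        }
        $this->key = $key;
    }

    /** The key comes from the environment, never from the database. */
    public static function fromEnvironment(string $var = 'FORTRESS_EXAMPLE_PASSWORD_KEY'): self
    {
        $hex = getenv($var);
        if ($hex === false) {
            throw new RuntimeException("{$var} is not set; export 32 random bytes, hex-encoded");
        }
        return new self(sodium_hex2bin($hex));
    }

    /** Hash with argon2id, then seal the hash so it is readable only with the key and only for this user. */
    public function store(int $userId, string $password): string
    {
        $hash = sodium_crypto_pwhash_str(
            $password,
            SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
            SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
        );
        $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
        $sealed = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($hash, (string) $userId, $nonce, $this->key);
        sodium_memzero($hash);
        return self::PREFIX . sodium_bin2base64($nonce . $sealed, SODIUM_BASE64_VARIANT_ORIGINAL);
    }

    public function verify(int $userId, string $password, string $stored): bool
    {
        if (strpos($stored, self::PREFIX) !== 0) {
            return false;
        }
        $raw = sodium_base642bin(substr($stored, strlen(self::PREFIX)), SODIUM_BASE64_VARIANT_ORIGINAL);
        $n = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
        // Decryption fails if the blob was copied into another user's row (associated data
        // mismatch) or altered in any way, so a swapped hash can never verify.
        $hash = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
            substr($raw, $n), (string) $userId, substr($raw, 0, $n), $this->key
        );
        if ($hash === false) {
            return false;
        }
        $ok = sodium_crypto_pwhash_str_verify($hash, $password);
        sodium_memzero($hash);
        return $ok;
    }
}

/** One legacy format is an unsalted md5 digest; phpass ($P$...) hashes would need WordPress's PasswordHash class and are not handled here. */
function isLegacyMd5(string $stored): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

/** Check a legacy hash at login time; on success return the upgraded sealed hash to write back, otherwise null. */
function verifyAndUpgrade(PasswordStore $store, int $userId, string $password, string $stored): ?string
{
    if (isLegacyMd5($stored) && hash_equals($stored, md5($password))) {
        return $store->store($userId, $password);
    }
    return null;
}

// Demo with a throwaway key; a deployment calls PasswordStore::fromEnvironment() instead.
$store = new PasswordStore(sodium_crypto_aead_xchacha20poly1305_ietf_keygen());
$sealed = $store->store(42, 'correct horse battery staple');
var_dump($store->verify(42, 'correct horse battery staple', $sealed)); // bool(true)
var_dump($store->verify(43, 'correct horse battery staple', $sealed)); // bool(false): hash swapped onto another user
var_dump($store->verify(42, 'wrong password', $sealed));              // bool(false)
var_dump(verifyAndUpgrade($store, 42, 'hunter2', md5('hunter2')) !== null); // bool(true): legacy hash upgraded
```

The second `verify` call is the point of binding the user ID as associated data: copying a sealed hash from one row to another makes decryption fail before any password comparison happens, and without the environment key a database dump contains nothing that an offline cracker can work on.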
Password Policy
Fortress makes sure all user accounts have strong passwords by following these rules:
- Passwords can be between 12 and 4096 characters long with no restrictions and full support for all types of characters, including emojis and symbols. For example, 🧐🧐漢字👀docker-horse-chair is a valid password.
- Password strength must score at least 3 out of 4 based on the zxcvbn password strength estimator.
- These rules apply when a user edits their profile on the /wp-admin/profile.php page or creates a new user on the /wp-admin/user-new.php page.
- The rules are checked when users reset their password on the wp-login.php page.
- Users can be left out of the password rules based on their roles or by using the CheckingPasswordPolicy event.
- Fortress never allows weak passwords, even if the “Confirm use of weak password” checkbox is clicked.
Additional Information
The zxcvbn estimator is a tool for measuring password strength, created by Dropbox. It’s inspired by password crackers and takes into account 30,000 common passwords, popular names and last names from US census data, frequently used English words from Wikipedia, and common phrases from US television and movies. It also considers patterns like dates, repeated characters, sequences, keyboard patterns, and “l33t speak.”
Disabling password resets for privileged users
Password recovery is a tricky area, because security and ease of use have to be balanced. Fortress takes a deliberate approach to password resets to make them more secure.
Users with certain roles won’t be able to:
- Request a password reset link.
- Reset passwords on the profile page.
By default, this applies to users with the roles of:
- administrator
- editor
Users in these roles can still have their password reset by our support team through a quick support ticket.
For these specific roles, Fortress stops the password reset process that WordPress usually uses to send a recovery email. Instead, the user will be informed that they can’t reset their password. You can also add extra user roles (for example, if you use WooCommerce, you might want to add the shop_manager role).
Disable Application Passwords
The issue: WordPress application passwords can be at risk from social engineering attacks. In these attacks, a hacker might trick a site admin into adding a new application password by clicking on a link.
Since most sites don’t need application passwords, Fortress turns them off by default. You can turn application passwords back on for websites that need them.
Decrease Password Reset Link Duration
Usually, WordPress password reset links last for 24 hours. Fortress makes your website more secure by shortening this time to 30 minutes.
If you think 30 minutes is too short, you can adjust it to fit your needs. However, this shorter duration is enough time for most websites, making it a safer option while still being convenient for users.
Destroy all user sessions on password change
The issue: When a user changes their password in WordPress, their existing sessions are supposed to be invalidated. WordPress relies on a fragment of the user's password hash being embedded in the authentication cookie (specifically the 8th to 12th characters of the hash). However, those characters are not guaranteed to differ between the old and the new hash, so the mechanism is unreliable.
To fix this problem, Fortress intentionally ends a user’s sessions when they change their password. This way, the website stays secure, and sessions are reliably invalidated.
Rate Limiting
Rate limiting controls how many requests a system or service accepts in a given period. It prevents overload and blunts attacks such as brute-force attacks, which depend on sending large numbers of requests.
When the rate limit is reached, any more requests are stopped until later. This method is often used in web applications to prevent denial-of-service attacks and limit the effects of automated bots.
Rate limiting helps keep your website stable and secure by controlling the number of requests. However, most WordPress security plugins can only protect against attacks from one IP at a time because they think that “one attacker equals one IP.” This idea is outdated in 2023.
Fortress has two rate-limiting features: password reset throttling and login throttling. It uses the token bucket algorithm, which needs to store only a single small counter per key (IP address, username, and so on). This saves storage space, and Fortress keeps these counters in the WP Object Cache instead of the database, making it both more efficient and more effective.
Password Reset Throttling
- Fortress only allows password resets once every 15 minutes for each IP address. This helps prevent attackers from filling a user’s email inbox with password reset requests.
- Password reset throttling also stops attackers from abusing the site's email (SMTP) service to send large numbers of password reset emails at once.
Login Throttling
Login throttling is a way to control how many login attempts are allowed, protecting your website against different types of attacks.
Device ID throttling: After a genuine user logs in, Fortress issues their browser a cryptographically secured device ID that attackers cannot forge. Requests carrying a valid device ID get a far more generous limit, so genuine users aren't locked out during a brute-force attack against their account, without resorting to annoying measures like Captchas.
Username throttling: Fortress controls login attempts for specific usernames.
IP throttling: Fortress limits login attempts from individual IP addresses, allowing short bursts with a refill period so that genuine typos don't lock people out.
Global throttling: Fortress looks at all failed login attempts, no matter the username or IP address involved. This helps keep your website secure from a variety of attack methods.
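The four login limits above, as an added example (written for this page, not Fortress's own code): a token bucket that stores one small entry per key, an HMAC-signed device ID, and a throttle that consults the device bucket for trusted browsers and the username, IP and global buckets for everyone else. The bucket sizes, refill intervals, cache key names and the HMAC key are assumptions, and a PHP array stands in for the WP object cache.

```php
<?php
declare(strict_types=1);
// Added example, not Fortress code: token-bucket login throttling keyed by a signed device ID,
// the username, the client IP and a site-wide key. Each bucket is one small cache entry (token
// count plus refill timestamp); a PHP array stands in for the WP object cache. The limits, key
// names and the HMAC key are assumptions made for this example.

final class TokenBucket
{
    /** @var array<string, array{tokens:int, at:int}> */
    private array $cache = [];
    /** Bring a bucket up to date: one token back every $refillEvery seconds, capped at $capacity. */
    private function refill(string $key, int $capacity, int $refillEvery, int $now): array
    {
        $s = $this->cache[$key] ?? ['tokens' => $capacity, 'at' => $now];
        $gained = intdiv(max(0, $now - $s['at']), $refillEvery);
        $tokens = min($capacity, $s['tokens'] + $gained);
        return ['tokens' => $tokens, 'at' => $tokens === $capacity ? $now : $s['at'] + $gained * $refillEvery];
    }

    /** True when at least one token is left; does not consume. */
    public function available(string $key, int $capacity, int $refillEvery, int $now): bool
    {
        $this->cache[$key] = $this->refill($key, $capacity, $refillEvery, $now);
        return $this->cache[$key]['tokens'] >= 1;
    }

    /** Take one token; called only for failed attempts, so successful logins are never penalised. */
    public function consume(string $key, int $capacity, int $refillEvery, int $now): void
    {
        $s = $this->refill($key, $capacity, $refillEvery, $now);
        $this->cache[$key] = ['tokens' => max(0, $s['tokens'] - 1), 'at' => $s['at']];
    }
}

/** Device ID set in the browser after a genuine login: a random id plus an HMAC, so it cannot be forged. */
function issueDeviceId(string $hmacKey): string
{
    $id = bin2hex(random_bytes(16));
    return $id . '.' . hash_hmac('sha256', $id, $hmacKey);
}

/** True only if the cookie carries a valid HMAC under our key. */
function verifyDeviceId(string $hmacKey, string $cookie): bool
{
    [$id, $mac] = array_pad(explode('.', $cookie, 2), 2, '');
    return hash_equals(hash_hmac('sha256', $id, $hmacKey), $mac);
}

final class LoginThrottle
{
    private TokenBucket $buckets;
    private string $hmacKey;
    public function __construct(TokenBucket $buckets, string $hmacKey) { $this->buckets = $buckets; $this->hmacKey = $hmacKey; }

    /** Label => [cache key, burst capacity, seconds per refilled token] that apply to this request. */
    private function limitsFor(string $ip, string $username, ?string $deviceCookie): array
    {
        if ($deviceCookie !== null && verifyDeviceId($this->hmacKey, $deviceCookie)) {
            // A trusted device gets its own generous bucket; an attack on its username or IP cannot lock it out.
            return ['device' => ['device:' . hash('sha256', $deviceCookie), 20, 60]];
        }
        return [
            'username' => ['username:' . strtolower($username), 5, 300], // 5 failures, one back every 5 minutes
            'ip'       => ['ip:' . $ip, 10, 60],                         // short burst per address
            'global'   => ['global', 200, 1],                            // site-wide, catches distributed attacks
        ];
    }

    /** 'allowed', or the label of the first exhausted bucket. */
    public function check(string $ip, string $username, ?string $deviceCookie, int $now): string
    {
        foreach ($this->limitsFor($ip, $username, $deviceCookie) as $label => [$key, $capacity, $every]) {
            if (!$this->buckets->available($key, $capacity, $every, $now)) {
                return $label . '-limit';
            }
        }
        return 'allowed';
    }

    public function recordFailure(string $ip, string $username, ?string $deviceCookie, int $now): void
    {
        foreach ($this->limitsFor($ip, $username, $deviceCookie) as [$key, $capacity, $every]) {
            $this->buckets->consume($key, $capacity, $every, $now);
        }
    }
}

$throttle = new LoginThrottle(new TokenBucket(), random_bytes(32));
$t = 1700000000;
for ($i = 1; $i <= 6; $i++) {
    $verdict = $throttle->check('203.0.113.9', 'admin', null, $t); // attempts 1-5: allowed, 6: username-limit
    echo "attempt {$i}: {$verdict}\n";
    if ($verdict === 'allowed') { $throttle->recordFailure('203.0.113.9', 'admin', null, $t); }
}
echo 'five minutes later: ', $throttle->check('203.0.113.9', 'admin', null, $t + 300), "\n"; // allowed
```

The refill arithmetic is kept in integers on purpose: a bucket is one `[tokens, at]` pair that can be stored as a single cache value, and advancing `at` only by whole refill intervals means no fractional tokens are banked or lost between requests.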
Secure Sessions
Before exploring the features below, it’s crucial to know what a session is and how it affects your website’s security. Here’s a simple explanation:
A WordPress session is the period during which a user is logged in to the website. When a user logs in, WordPress creates a session for them, allowing them to access protected pages and perform actions that require authentication. The session is kept alive by a session cookie, a small piece of data stored by the user's browser. This cookie carries a unique ID that lets WordPress connect the user's browser to their session.
When the user logs out, or the session ends (due to inactivity or a set timeout), the session is closed, and the user is logged out of the website. Sessions are vital for WordPress security because they help make sure only authorized users can access important pages and features on the website.
Fortress makes WordPress sessions much more secure.
Custom User Session Storage
WordPress has its own session system that stores session data in the wp_usermeta table, but this has some drawbacks:
- The table can become too large if many users log in often.
- All user sessions are stored together instead of separately, which can slow down access if your users have multiple devices.
- Expired sessions can only be removed when a user logs in on a different device.
- To update one session, all sessions must be checked first.
- This system could be vulnerable to time-based side-channel attacks, although it would require a skilled and highly motivated attacker.
Fortress solves these problems with its custom user sessions.
- Fortress replaces WordPress's default session storage with a separate table in which each session is one row, with the session token as the primary key. This is more efficient and is what makes the other features of the session module possible.
- Fortress includes a WP-CLI command to remove expired sessions from the database, which you can schedule as needed.
- The plugin also offers an option to end all sessions on your site, a more efficient and safer way to log out all users instead of changing your site’s salts, which might not work with all plugins.
Session Management and Security
The Issue:
- WordPress uses cookies to authenticate users, and these cookies have a session token connected to a real WordPress session.
- Attackers can steal valid cookies through network communication or by using malware on a user’s infected computer.
- Stolen cookies are often sold in large batches on the dark web, leaving WordPress sites vulnerable to attacks. Neither the WordPress core nor other security plugins have a solution to this problem.
Recently, the Linus Tech Tips YouTube channel experienced a similar attack, which was explained in detail in one of their videos.
Interesting Information
Numerous malware families are written specifically to steal cookies, which is a significant security issue. Surprisingly, no one in the WordPress security community seems to be addressing this problem.
The Solution:
Fortress strengthens WordPress session security using four different timeouts. You can customize each of these settings to suit your website’s needs.
- The Absolute Timeout: Fortress ends a session after a set time, regardless of user activity. This is similar to what WordPress does by default.
- The Rotation Timeout: To protect user sessions from being misused if their session token is stolen, Fortress rotates tokens after a certain time (default is 20 minutes). If an attacker or virus steals a token, they have limited time to use it before it’s invalid. If the user keeps using the site, they’ll get a new token, and the old one becomes invalid.
However, if an attacker uses the stolen token immediately, there’s a race between them and the legitimate user. After the rotation timeout, the user session is copied to a new session token (auth-cookie), and the first valid client request gets the new auth cookie.
- The Idle Timeout: This timeout logs users out if they haven’t been active on the website for a specific time, like 30 minutes (default). This helps protect accounts if a computer is left unattended, used publicly, or shared between multiple people. The timeout resets with each HTTP request, except for WP-Cron or Heartbeat API in the WordPress admin area.
- The Sudo Mode Timeout: This timeout requires users to re-enter their password for sensitive actions after logging in, similar to what companies like Amazon do. After entering the password, users can perform sensitive actions for a set period without re-authenticating. Fortress has a default sudo timeout of 10 minutes, which can be changed for individual users using the sudo_timeout option. This feature works alongside absolute and idle timeouts to provide better security.
Fortress Sudo Mode
Fortress includes a feature called sudo mode, which grants users higher privileges for a set time after logging in, similar to the Linux sudo command. Once that time is over, the user’s privileges return to normal.
While in sudo mode, users can navigate the website as usual. If they attempt to access a protected page without being in sudo mode, Fortress will prompt them to confirm their password. Upon entering the correct password, the sudo timeout resets, and they can access the protected page.
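The session storage and the four timeouts described above, brought together in one added example (written for this page, not Fortress's own code): one row per session keyed by a hash of the token, rotation to a fresh token, idle and absolute expiry, a sudo-mode check, and a garbage-collection method of the kind a scheduled WP-CLI command would call. The rotation, idle and sudo values are the defaults quoted above; the two-day absolute lifetime and the in-memory array standing in for the database table are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Fortress code: a session table with one row per session, keyed by a
// hash of the token, plus the four timeouts from the text evaluated on every request. The
// rotation, idle and sudo values are the defaults quoted above; the absolute lifetime and the
// in-memory array standing in for the database table are assumptions made for this example.

final class SessionStore
{
    public const ABSOLUTE = 2 * 24 * 3600; // assumed: two days, like a WordPress login without "remember me"
    public const ROTATION = 20 * 60;
    public const IDLE     = 30 * 60;
    public const SUDO     = 10 * 60;

    /** @var array<string, array{user:int, created:int, rotated:int, seen:int, sudo:int}> keyed by sha256(token) */
    private array $rows = [];

    /** Only a hash of the token is stored; the raw token lives in the auth cookie alone. */
    private static function id(string $token): string { return hash('sha256', $token); }

    /** Start a session; the returned token goes into the auth cookie. Logging in counts as a password confirmation. */
    public function create(int $userId, int $now): string
    {
        $token = bin2hex(random_bytes(32));
        $this->rows[self::id($token)] = ['user' => $userId, 'created' => $now, 'rotated' => $now, 'seen' => $now, 'sudo' => $now];
        return $token;
    }

    /** Check the token presented on a request. Returns [status, token]: the token the client should keep
     *  (a fresh one when rotation is due) or null once the session is gone. $background marks WP-Cron and
     *  Heartbeat requests, which do not count as activity for the idle timeout. */
    public function touch(string $token, int $now, bool $background = false): array
    {
        $row = $this->rows[self::id($token)] ?? null;
        if ($row === null) {
            return ['invalid', null];
        }
        if ($now - $row['created'] >= self::ABSOLUTE) {
            $this->destroy($token);
            return ['absolute-timeout', null];
        }
        if ($now - $row['seen'] >= self::IDLE) {
            $this->destroy($token);
            return ['idle-timeout', null];
        }
        if (!$background) {
            $row['seen'] = $now;
        }
        if ($now - $row['rotated'] >= self::ROTATION) {
            // Copy the session to a new token and drop the old one: a stolen token stops working as soon
            // as the legitimate client's next request triggers the rotation.
            $this->destroy($token);
            $token = bin2hex(random_bytes(32));
            $row['rotated'] = $now;
            $this->rows[self::id($token)] = $row;
            return ['rotated', $token];
        }
        $this->rows[self::id($token)] = $row;
        return ['ok', $token];
    }

    /** Sudo mode: sensitive pages ask for the password again once SUDO seconds have passed. */
    public function inSudoMode(string $token, int $now): bool
    {
        $row = $this->rows[self::id($token)] ?? null;
        return $row !== null && $now - $row['sudo'] < self::SUDO;
    }

    public function confirmPassword(string $token, int $now): void
    {
        if (isset($this->rows[self::id($token)])) {
            $this->rows[self::id($token)]['sudo'] = $now;
        }
    }

    public function destroy(string $token): void { unset($this->rows[self::id($token)]); }

    /** Garbage collection for a scheduled WP-CLI command; returns the number of rows removed. */
    public function gc(int $now): int
    {
        $before = count($this->rows);
        $this->rows = array_filter($this->rows, fn(array $r) => $now - $r['created'] < self::ABSOLUTE && $now - $r['seen'] < self::IDLE);
        return $before - count($this->rows);
    }
}

$store = new SessionStore();
$t = 1700000000;
$token = $store->create(7, $t);
[$status, $token] = $store->touch($token, $t + 5 * 60);  // ok, same token
[$status, $new] = $store->touch($token, $t + 21 * 60);   // rotated, $new differs from $token
echo $status, ', old token now: ', $store->touch($token, $t + 21 * 60)[0], "\n"; // rotated, old token now: invalid
var_dump($store->inSudoMode($new, $t + 21 * 60));        // bool(false): more than 10 minutes since login
$store->confirmPassword($new, $t + 21 * 60);
var_dump($store->inSudoMode($new, $t + 21 * 60));        // bool(true)
echo $store->touch($new, $t + 52 * 60)[0], "\n";         // idle-timeout: 31 minutes without activity
```

Storing only `sha256(token)` as the row key means a read of the session table does not hand out usable cookies, and because every session is its own row, rotating or destroying one session never requires reading or rewriting the user's other sessions, which is the contrast with the single usermeta blob described above.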
Are you ready to increase your website’s security?
Our team is ready to get your website configured and set up for ongoing maintenance and security updates. Check out our WordPress Maintenance plans and find your perfect match!