Encrypt Two-Factor Authentication keys in WordPress – AIOS

The latest version of AIOS Premium from UpdraftPlus brings more functionality and features to our popular WordPress security plugin. Today, we’ll go through one of the most important changes in detail and what it means for your website as an AIOS user.

We’ve included a full log of all tweaks and fixes at the end of the article.


New security feature: Encrypt Two-Factor Authentication keys

AIOS now offers the option to encrypt TFA database keys and store the encryption key in a separate file, giving you additional website security.


The importance of Two-Factor Authentication for your WordPress site

Two-Factor Authentication offers extra protection against attackers by asking you to verify your identity using a separate device. This means even if your login information is compromised, your site remains protected.

Two-Factor Authentication has become more and more important in recent years, as hackers and scammers use increasingly advanced tactics to steal your personal information and gain access to your website.

The risk with Two-Factor Authentication centres on ‘secret keys’. These are stored and used by website owners to regain access to their sites if their device is lost.

If hackers get hold of your secret keys, then your website is vulnerable – putting your reputation, customer data, intellectual property, or more, at risk.

AIOS 5.1.9 has been updated to include encryption of your authentication keys.


What does this mean for your website?

If secret keys are stored in the database in plain text and that database is stolen, the keys can be read and used by hackers to generate TFA codes, giving them access to your website.

This new feature is opt-in, and gives you the option to encrypt your TFA secret keys. The encryption key is stored on disk in a file. This means the attacker would need access to your database and your filesystem in order to break through. 

The result is a website that is safe and secure, giving you the peace of mind to know you’re protected.
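
The design described above, as an added example in PHP that is not AIOS's own code: a TFA secret is encrypted before it goes into the database, and the encryption key lives in a file on disk. The cipher (libsodium's secretbox), the function names, the key-file path and the sample secret are all assumptions made for illustration.

```php
<?php
// Added illustration; NOT the AIOS implementation. All names here are hypothetical.
// Requires PHP 7.2+ (bundled sodium extension).

// Load the encryption key from a file on disk, creating it on first use.
function example_load_key(string $path): string {
    if (!is_file($path)) {
        $old = umask(0077); // create the file readable by its owner only
        file_put_contents($path, base64_encode(sodium_crypto_secretbox_keygen()), LOCK_EX);
        umask($old);
    }
    $key = base64_decode(trim((string) file_get_contents($path)), true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('Key file is missing or malformed');
    }
    return $key;
}

// Encrypt a TFA secret for the database column: base64(nonce || ciphertext+MAC).
function example_encrypt_secret(string $secret, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($secret, $nonce, $key));
}

// Decrypt a stored value; returns null if the key is wrong or the value was altered.
function example_decrypt_secret(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

$keyFile = sys_get_temp_dir() . '/example-tfa.key';          // constructed demo path
$key     = example_load_key($keyFile);
$dbValue = example_encrypt_secret('JBSWY3DPEHPK3PXP', $key); // constructed sample secret

// Database value plus key file: the secret is recoverable.
var_dump(example_decrypt_secret($dbValue, $key) === 'JBSWY3DPEHPK3PXP');
// Database value alone (any other key): decryption fails and returns null.
var_dump(example_decrypt_secret($dbValue, sodium_crypto_secretbox_keygen()));
unlink($keyFile);
```

In a real deployment the key file belongs outside the web root and outside any database backup, otherwise a single stolen archive contains both halves.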

The Premium version of AIOS contains even more features to help keep your WordPress investment safe from harm, and it includes personalised, ticketed support from our team of experts. To learn more, visit our features page to see if Premium is the right choice for you and your website.



Below are additional fixes, tweaks and features:

* FEATURE: IP addresses – Blacklist manager functionality based on PHP instead of .htaccess rules. Added the AIOS_DISABLE_BLACKLIST_IP_MANAGER constant; define it in your wp-config.php to disable the IP Blacklist manager.

* FEATURE: Detect spambots posting comments and discard the comments completely or mark them as spam.

* FEATURE: Encrypt TFA secret keys that are stored in the database (extra protection in case of your database being hacked)

* FEATURE: Added a “Delete all” and “Delete filtered” bulk action to the audit log table

* FIX: Prevent Cloudflare Turnstile being added to login forms when no credentials were set

* FIX: Change where the audit log event handler is loaded to prevent an error on plugin deletion

* FIX: Fix context class checks to support cli

* TWEAK: Multisite super admin can access the subsite dashboard without logging in again if salt postfix is enabled

* TWEAK: Captcha JavaScript file is unnecessarily loaded on some site pages if comment captcha or custom login captcha is enabled

* TWEAK: Change some nonce checks to use our internal function to check user capability and nonces

* TWEAK: User registrations and successful logins are now recorded in the audit log

* TWEAK: Added a commands class and refactored AJAX handlers

* TWEAK: Captcha verification to prevent conflicts with some plugins that recall the WordPress authentication code

* TWEAK: Improve database table prefix feature UI.

* TWEAK: WordPress core updates are now recorded in the audit log

* TWEAK: Translation updates are now recorded in the audit log

* TWEAK: Add an entity changed event to the audit log when upgrader information is not available

* TWEAK: Automated emails sent by AIOS that failed to send due to from address
