Security | WPg

Protect Your Google Apps Login From Phishing Attacks

By Dan

Following a series of Google Apps login phishing attacks (specifically on Google Docs) in 2017, Google made several improvements. At the time, while we welcomed Google taking steps to address the phishing problems, it caused issues for WordPress plugins.

Specifically, the updates made it challenging in cases where customer installation required individuals to create a Google Cloud project with their own OAuth 2.0 Client IDs.

To make things easier and safer for legitimate users who need to create Google applications, we recommended that Google:

Allow users to authenticate against an OAuth ID they created using the same account as the one being used to access the app.
Allow admins to whitelist specific ID/Secrets on their domain and also allow any regular Gmail account to whitelist for their own use.
Provide a simpler verification form, including clear and consistent wording (is a ‘project ID’ the alphanumeric string, or the integer?), plus no long text fields (‘the app needs calendar scopes in order to access the user’s calendar…’). There is no point checking the privacy policy for the app since it can be changed easily in the future and will presumably not be respected by phishers!
Provide a clearer error message where unverified apps encounter ‘Invalid Scope.’
Deliver documentation explaining the new verification processes they have rolled out.
Offer a more robust and selective solution than joining the ‘Risky’ Group (Google already confirmed to us they are aware this cannot be a permanent solution).

Since then, we have even more suggestions for WordPress users using Google Apps login to deter attackers.

(more…)

Prevent Brute Force Attacks on Your WordPress Site with Google Apps Login

By Dan

Prevent brute force attacks with better cyber security

[Image via Pexels]

Let’s say you want better security for your WordPress site. Maybe you want your employees to always access their WordPress account by authenticating through Google (which you see as easier than requiring all users to maintain separate usernames/passwords for WordPress as well as Gmail).

You’ve also read about brute force attacks on WordPress, so hope that a Google login will guard against those. You might also have installed a plugin such as Limit Login Attempts to prevent multiple login attempts from the same IP address — likely a sign of a brute force attack (although increasingly such attacks are performed from distributed IPs).
(more…)

You Can Now Use Google Apps Login as a Single Sign-On for More Cloud Apps

By Dan

You can use Google Aps to Log In to WordPress

[Image via Pexels]

Google Apps Login can now be used as a Single Sign-On (SSO) solution for a wider range of cloud applications — specifically, those that support the SAML 2.0 standard.

Why is this great news for WordPress users?

Although our Google Apps Login plugin has always allowed users to sign into WordPress sites — via their Google Apps accounts — previously we used a different authorization mechanism called OAuth 2.0.

OAuth 2.0 is a modern protocol designed for ‘web scale’ to be used across web browsers and mobile devices. It aims to make things simpler for developers and also afford more nuanced authorization flows.

However, many ‘enterprise’ services prefer to use the older SAML 2.0 even though it is restricted to web browsers and is more complicated to implement. This is largely because SAML can also provide extended ‘authentication’ information, controlling users’ permissions once connected.

Why You Should Closely Monitor Your Users

[Image via Pexels]

With more people working remotely — and companies needing to grant access to a range of third parties, such as consultants — it can quickly become difficult to track who is working within your system. It’s even more of a challenge to know how every user is behaving.

Are you sure each user is who they say they are? How can you be certain? If you see suspicious behavior, how can you control this as an admin?

The extended controls that SAML authorization provides help IT admins grant permissions to every user. If you want to give basic access to a third party but block them from viewing confidential information, SAML authorization will help make this distinction.

With data breaches on the rise, it’s always important to take extra precautions.

A More Secure Future for WordPress Users

The fact that Google Apps accounts can now be used as a Single Sign-On for a wider range of services is great news for customers of Google Apps Login. Using Google to sign on to many more services will reinforce your employees’ use of ‘Login with Google’ when they connect to your WordPress site using our plugin — and will help you centralize and bolster your authentication methods.

You can read Google’s official announcement. And there is a great explanation of the difference between SAML 2.0 and OAuth 2.0 here.

Allowing only some employee Groups to access your WordPress intranet

By Dan

Many customers use our Google Apps Login Enterprise version to restrict access to their WordPress intranet so that, not only is it inaccessible to non-employees, but certain groups of employees should have different WordPress roles, and perhaps some employees should not have access at all.
(more…)

Is your WordPress installation secure?

By Dan

Following the Heartbleed vulnerability affecting all of us on the web, security has been a big topic lately. Some of us even changed our years-old passwords, and maybe enabled 2-factor authentication on our email accounts… (2-factor is the system where you need a code generated by, say, your mobile phone as well as your regular password to login.)

So it seems that most of us survived, but given the wake-up call, we thought it would be a good time to remind you of some simple things you can do to ensure your WordPress installation is secure.
(more…)

Making the most of WordPress’ user system

By Suzannah

How important is it to set up a comprehensive user hierarchy on your WordPress sites?

This article will explain the benefits of creating multiple users for your WordPress site and how understanding the different roles users can have will give you the control needed to allow others to create content, without risking control of the site itself. The article will also teach you to check your site configuration to understand if there are any backdoors that unwanted visitors could use to register, view private content, or make undesired changes to your site.

(more…)