Open source WordPress powers more than 30% of the World Wide Web. Users publish over 41 million new posts on 15.5 billion pages for 409 million viewers every month.
This enormous surface area makes it a prime target for hackers. In 2018, 90% of all breached CMS sites came from WordPress according to a recent report by Sucuri.
[Source]
In this post, we break down five of the most common WordPress attacks — and offer solutions to mitigate risk. (more…)
Following a series of Google Apps login phishing attacks (specifically on Google Docs) in 2017, Google made several improvements. At the time, while we welcomed Google taking steps to address the phishing problems, it caused issues for WordPress plugins.
Specifically, the updates made it challenging in cases where customer installation required individuals to create a Google Cloud project with their own OAuth 2.0 Client IDs.
To make things easier and safer for legitimate users who need to create Google applications, we recommended that Google:
Since then, we have even more suggestions for WordPress users using Google Apps login to deter attackers.
A popular feature of Google Apps Login Enterprise version has always been the ability to specify role mapping rules – so that members of different Google Groups can have different WordPress roles assigned to them.
The only problem was that some companies didn’t have relevant Google Groups already set up (e.g., for marketing@mycompany.com to contain their Marketing team) but instead had their G Suite domain arranged around different Organizational Units to control access to various G Suite features.
(more…)
Let’s say you want better security for your WordPress site. Maybe you want your employees to always access their WordPress account by authenticating through Google (which you see as easier than requiring all users to maintain separate usernames/passwords for WordPress as well as Gmail).
You’ve also read about brute force attacks on WordPress, so hope that a Google login will guard against those. You might also have installed a plugin such as Limit Login Attempts to prevent multiple login attempts from the same IP address — likely a sign of a brute force attack (although increasingly such attacks are performed from distributed IPs).
(more…)
Google Apps Login can now be used as a Single Sign-On (SSO) solution for a wider range of cloud applications — specifically, those that support the SAML 2.0 standard.
Why is this great news for WordPress users?
Although our Google Apps Login plugin has always allowed users to sign into WordPress sites — via their Google Apps accounts — previously we used a different authorization mechanism called OAuth 2.0.
OAuth 2.0 is a modern protocol designed for ‘web scale’ to be used across web browsers and mobile devices. It aims to make things simpler for developers and also afford more nuanced authorization flows.
However, many ‘enterprise’ services prefer to use the older SAML 2.0 even though it is restricted to web browsers and is more complicated to implement. This is largely because SAML can also provide extended ‘authentication’ information, controlling users’ permissions once connected.
With more people working remotely — and companies needing to grant access to a range of third parties, such as consultants — it can quickly become difficult to track who is working within your system. It’s even more of a challenge to know how every user is behaving.
Are you sure each user is who they say they are? How can you be certain? If you see suspicious behavior, how can you control this as an admin?
The extended controls that SAML authorization provides help IT admins grant permissions to every user. If you want to give basic access to a third party but block them from viewing confidential information, SAML authorization will help make this distinction.
With data breaches on the rise, it’s always important to take extra precautions.
The fact that Google Apps accounts can now be used as a Single Sign-On for a wider range of services is great news for customers of Google Apps Login. Using Google to sign on to many more services will reinforce your employees’ use of ‘Login with Google’ when they connect to your WordPress site using our plugin — and will help you centralize and bolster your authentication methods.
You can read Google’s official announcement. And there is a great explanation of the difference between SAML 2.0 and OAuth 2.0 here.
Many customers use our Google Apps Login Enterprise version to restrict access to their WordPress intranet so that not only should it be inaccessible to non-employees, but certain groups of employees should have different WordPress roles, and perhaps some employees should not have access at all.
Why is this so important? In the past, employees worked on-premises, and it was easier to monitor who was working on certain documents and data sets at a given time. For example, if a project was in a draft stage — and not ready for the eyes of senior staff or outside consultants — an employee could hold the file on his or her desk until it was finalized. There were few ways for others to access the file short of stealing the physical copy.
Yet in today’s flexible working environment, employees are constantly logging in to work on projects from different locations and time zones. They might have separate sets of credentials after re-setting their password or for use on multiple devices. It’s much more complicated to confirm who is accessing and editing documents than when employees worked in the same physical space. If you’re trying to keep certain information privileged, tightening access measures can provide an extra security in this opaque environment.
In this post, we’ll break down how we’ve made permissions for users easier for admins to control.
For your sales team’s intranet, maybe you want things to work like this:
Members of the Google Group management@mycompany.com should be Administrators.
Members of the Google Group sales@mycompany.com should be Contributors.
All other members of mycompany.com should be barred (as should non-employees and anyone who is not logged-in).
We’ve recently made this easier by combining improvements to the Enterprise product (version 2.8.2) and also our free All-In-One Intranet plugin.
Here we talk through the key configuration steps required.
Install your Google Apps Login Enterprise version and configure as directed – follow the instructions in Settings -> Google Apps Login, including setting up a Service Account.
You’ll also need to install All-In-One Intranet. Since that is available in the WordPress directory, the easiest thing will be to go to the Plugins page in your WordPress admin panel, click Add New, and then search for ‘All-In-One Intranet.’
There are quite a few steps required to configure Google Apps Login, so below we are just showing the screenshot of the Domain Control tab in Settings -> Google Apps Login from your WordPress admin panel, so you can see how to set up rules for the different Google Groups. You’ll also want to set the Default Role to ‘No Access’ to ensure non-employees, and those members of staff who aren’t in sales or management, won’t have access to the site.
At this stage, staff members should be able to use the Login with Google button on your WordPress login page to access the site. If they should have ‘No Access,’ then they won’t be able to do much in the admin panel, but everyone will still be able to view the front end of your website. That’s because WordPress is set up for your site to be public by default (users only need to be logged in to access the admin area).
This is where All-In-One Intranet comes in. Go to Settings -> All-In-One Intranet, and check the box labeled ‘Force site to be entirely private.’
Now, logged-out users and ‘No Access’ users should be forbidden from viewing any part of the site!
The above assumes you have WordPress in its default mode – if you are running ‘Multisite WordPress,’ you have a lot more flexibility over access to your various subsites — but that is for another post.
Please contact us if you have any questions at all!
Following the Heartbleed vulnerability affecting all of us on the web, security has been a big topic lately. Some of us even changed our years-old passwords, and maybe enabled 2-factor authentication on our email accounts… (2-factor is the system where you need a code generated by, say, your mobile phone as well as your regular password to login.)
So it seems that most of us survived, but given the wake-up call, we thought it would be a good time to remind you of some simple things you can do to ensure your WordPress installation is secure.
(more…)
How important is it to set up a comprehensive user hierarchy on your WordPress sites?
This article will explain the benefits of creating multiple users for your WordPress site and how understanding the different roles users can have will give you the control needed to allow others to create content, without risking control of the site itself. The article will also teach you to check your site configuration to understand if there are any backdoors that unwanted visitors could use to register, view private content, or make undesired changes to your site.
Users click their way through Login via Google (just one click after the first time)
Logging in is only the start – Google Apps Login takes care of all your WordPress user management. Find out more here.
×