Secure Wordpress Login With Two Factor Authentication Using privacyIDEA
Wordpress is THE widely spread blogging system that is not only used for private blog sites but sometimes also as CMS for company web sites.
Wordpress is very good maintened and easy to update. But as it is so widely used, it is also an intersting goal for crackers (avoiding to say hackers).
This is why today I will tell you how to secure the wordpress accounts with a second factor for OTP authentication.
I assume, that you already have installed wordpress on your system following some guide like this one.
Create some users, your administrator and some editors. I created the users admin, fred and
To wrap it up, today on Ubuntu 14.04 LTS installing privacyIDEA is as easy as this:
apt-get install privacyidea
apt-get install python-mysqldb
Start the services:
service privacyidea start
Create your administrator:
privacyidea-create-pwidresolver-user -u admin -i 1000 > /etc/privacyidea/admin-users
Done. Login at https://yourserver:5001 with the administrator you just created. You need to add the suffix @admin to the administrator's username. In this case "admin@admin".
privacyIDEA can read the users from your wordpress installtion. So each time you create a new user in wordpress, privacyIDEA will see this and you will be able to assign a new OTP token to this user.
For this to work right, we need to create a useridresolver, that tells privacyIDEA where to find the users and a realm. Go to privacyIDEA Config->UserIdResolvers and click "new" and on the next dialog click "SQL" to create a Resolver to an SQL database.
I installed privacyIDEA on the same machine as wordpress. And the MySQL database of wordpress is also on the same machine. If your SQL database is on another machine, you need to take care, that privacyIDEA must be able to access the SQL database accross the network.
At the top you need to enter all information for the SQL connection. At the botton within the SQL Attributes you can simply click the button "Wordpress" and the correct table and column definitions will be entered. (privacyIDEA also knows the table presets for OTRS, Tine2.0 and OwnCloud!)
You can click the button "Test" and you will see, that privacyIDEA found the three wordpress users.
You can also see this in the userlist
Lets enroll a FreeOTP token for the user fred. Please install the FreeOTP App (or if you really want to, you can use the Google Authenticator) and select the user fred in the userview.
Now click the button "enroll" and select "Generate HMAC key".
privacyIDEA will create a QRCode, which you need to scan with your App.
The App will then be able to create one time passwords. The user will have to authenticate with a static password (1st factor) and the one time password created by the app (2nd factor). If you want the user to authenticate with the static password from wordpress (in this case the user can change his static password in wordpress) you need to set the following policy in the "Policies" tab.
Please note, that you need to "activate" the policy and adapt the realmname accordingly.
You can go to https://yourserver:5001/auth/index and authenticate with the username "fred" and the concatenation of your wordpress password and the OTP value like "mySecretWordpressPa$$123456".
If you authenticated successfully you are ready to setup wordpress!
Wordpress Strong Authentication
Your privacyIDEA server is set up correctly and the user has a working OTP token.
Now login to your wordpress installation and install and activate the strong authentication plugin.
At settings you can configure the strong authentication plugin to use the local installation of your privacyidea server. Remember to add https and the port. In the field exclude users you can define username, who should not be verified againt privacyidea. This is a good possibility to have some kind of emergency account either if you misconfigured the plugin or your service went down.
Now you can authenticate with a second factor of your choice.
We enabled wordpress to be able to authenticate all users with a second factor. The second factor is managed by an external system. Thus you can assign several devices to the users and you can assign different devices to the users. One user may login with a Google Authenticator another user with a yubikey - Giving you the better flexibilty over wordpress-integrated solutions.
In addition you can use your privacyIDEA installation to authenticate users at other applications - be it other web applications or systems like OpenVPN or SSH.
You can also use a destinct realm in your wordpress configuration to use one privacyIDEA installation for several wordpress instances. Thus providing two factor authentication to a whole wordpress farm with managing all authentication devices in one privacyIDEA system.