Millions of user passwords are now available for purchase. In fact, there’s a good chance that one if not all of your credentials has been sold. Hackers can efficiently and successfully purchase credentials and passwords to log into accounts that haven’t been protected. PayPal, MailChimp (owned by Intuit), General Motors, and others have all been in the news due to breaches involving this practice known as credential stuffing. Record numbers of data breaches are being hit year over year, along with other unreported incidents. And yet, vendors sometimes downplay the impact of security issues in order to potentially protect their reputation. Credential stuffing is a huge and increasingly widespread problem.

What is Credential Stuffing?

Using a database of passwords known to work or have worked at one time, hackers efficiently are able to attempt logins over a period of time. On successful login, a script usually runs to capture as much personal information as possible or they use the credentials to try and elevate their privileges in the system. In a physical world scenario, it would be similar to one having 20 keys from a door lock manufacturer and being able to walk a neighborhood trying all 20 keys in every door. Normally, that would draw attention, but not when it can be done in less than a minute. Lock makers only make so many key versions, so the process is likely to be successful.

Wait, it gets worse. Many people – over 65% according to a recent Harris poll –  use the same password or variations of it for all their logins. This makes it easier for hackers to infiltrate more than one of your accounts with the same key, so to speak. If one of those accounts happens to be your email, they could leverage that to reset all your passwords and get into everything before you’re aware that your password has been stolen.

What Can You Do?

There are several ways to make it more difficult for hackers to gain access to accounts if your password is stolen. The following suggestions may prevent or reduce the impact of unauthorized password use.

  • First, make sure to use a different password for each account. This can be difficult to do, so use a safe password manager (such as Enpass or 1Password).
  • Second, do not share passwords among coworkers, family, or friends. Each person should have their own password. This is also true when you are responsible for a WordPress website.
  • Third, if you are in charge of accounts on a website, make sure each account only has the minimum privileges required. This helps contain a credential stuffing breach that may happen.
  • Last, and most importantly, require two factor authentication (2FA) or multi-factor authentication (MFA) for all accounts. Configure this through a mobile application such as the ones listed later in this article.

How to Set Up Two Factor Authentication on WordPress

Two factor authentication (2FA) is one option to secure your WordPress logins and protect against attackers exploiting weak or stolen credentials. This dramatically improves the security of login attempts on your website. By requiring a code to be entered only provided on your mobile device, the password alone does not allow the user to gain access.

There are several security plugins available for free that enable and manage 2FA. Wordfence and iThemes Security are both available as free versions and paid with support.

It’s a good idea to give your users early warning that 2FA is coming, instructions on how and when to activate it, and the deadline in which the account will be locked when 2FA is not yet enabled. 2FA is now very common  and most users will have experience with it from some of their more secure accounts. Encourage users to also enable it on as many other accounts as possible.

Wordfence is already highly recommended to be installed on any WordPress website.. With its other features turned on, adding 2FA helps to provide a broad security solution. Managing 2FA through Wordfence does not require any coding and configuration is not complex.

In the Wordfence menu, click on Login Security. There you can set what roles are required to have 2FA and any grace periods before an account is locked due to 2FA not enabled. For admin roles, each admin will need to have their grace period activated by going to the user profile and clicking on Activate Grace Period. Once these settings are saved, users will be able to configure their accounts with the instructions provided. Example instructions may look like this:

  1. Download an authentication app on your mobile device. The following options may be used with Wordfence: Google Authenticator, Sophos Mobile Security, FreeOTP Authenticator, 1Password (mobile and desktop versions) See: 1Password help, Microsoft Authenticator, and Authy 2-Factor Authentication
  2. Log into your account and edit your WordPress profile.
  3. Scroll down to to the Wordfence 2FA section
  4. Click Activate 2FA
  5. Open the 2FA app on your mobile device and press the plus sign or whatever adds a new service.
  6. Choose the scan QR code option and scan the QR code on the screen.
  7. Download the emergency codes and keep them in a safe place.
  8. Enter the code from the app into the box and click activate.
  9. Log out and back in to make sure it works.

Enabling 2FA on WordPress adds another important puzzle piece to the overall security of the website though it does not mean your website is 100% secure. WordPress is a prime target for hackers due to its popularity and lack of proper management during and after installation.

ClearEdge offers enterprise level management and support for WordPress websites. We can take the burden off your marketing or IT teams to keep your website secure and assist with common tasks. Let us know and we’d be happy to help.

The opportunities for hackers to use credential stuffing continue to grow. Educating your team on how to protect themselves is just one piece of the puzzle. ClearEdge can provide guidance and support to help you elevate your organization’s cybersecurity game.