WP Engine Adds 2FA to User Portal, Opt-In PHP 7 Support In the Works


WP Engine announced today that two-factor authentication (2FA) is now available to its 42,000 customers. The security measure will help combat increasing attempts on the host’s user portal.

“As we grow, almost everything about the company changes, and security is one of them,” said WP Engine founder Jason Cohen. “For example, we see things like fraudulent accounts and account impersonation/phishing, and other things which didn’t appear often when we were smaller and less of a target.”

Adding 2FA is part of a larger plan for improved security that the company began last year when it hired Eric Murphy as its new security director.

“We’ve had a cross-departmental internal security group of about a dozen people for a few years now, but in 2015 we decided we needed even more leadership in that area,” Cohen said.

“We hired Eric last year, in fact before the December security incident, so in hindsight that was excellent timing.”

Murphy is now overseeing the technical aspects of security, like firewalls and VPNs, as well as the social engineering and training aimed at protecting customer account access.

After the December breach where customer credentials were exposed, WP Engine began moving its customers off of Linode’s cloud infrastructure. Cohen confirmed that thousands of customers have been moved and that no new customers have been added to Linode.

The Challenges of Implementing 2FA

Although providing 2FA for accounts is a security best practice, Cohen said that it would not have prevented the December breach, as the entry point was with Linode. Regardless, WP Engine customers have been requesting 2FA support for the user portal for years. When asked why it took the company so long to implement it, Cohen identified a few of the technical challenges.

“One of the challenges was in identity recovery,” he said. “We can’t use email as a way to recover from a lost phone, because then the email address becomes a ‘single factor,’ i.e. you can use it to recover your password as well as your phone aspect.

“However, nowadays with the advent of Google Authenticator and other apps, plus people’s general awareness of how to use things like scratch codes, we felt it was now not going to be hard for people to use,” Cohen said.
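The recovery design Cohen describes can be sketched as follows. This is an added example, not WP Engine's code: `SecondFactor`, `recover` and `DEMO_SECRET` are hypothetical names, and the secret is the RFC 6238 test key. It shows TOTP verification as used by Google Authenticator, with single-use scratch codes as the lost-phone path so that email never becomes the sole factor.

```python
import base64, hashlib, hmac, secrets, struct, time

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, as used by Google Authenticator."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", int(at // step))
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class SecondFactor:
    """Hypothetical per-account 2FA state: a TOTP secret plus scratch codes."""

    def __init__(self, secret_b32, n_scratch=5):
        self.secret = secret_b32
        self.last_counter = -1  # highest time step already accepted
        # Scratch codes are shown to the user once; only hashes are stored.
        self.issued = [secrets.token_hex(8) for _ in range(n_scratch)]
        self.scratch = {self._h(c) for c in self.issued}

    @staticmethod
    def _h(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def verify_totp(self, code, at=None, step=30, window=1):
        """Accept a code from the current step +/- window, never twice."""
        now = time.time() if at is None else at
        for drift in range(-window, window + 1):
            t = now + drift * step
            counter = int(t // step)
            if counter <= self.last_counter:
                continue  # replayed or older code
            expected = totp(self.secret, t, step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return True
        return False

    def recover(self, scratch_code):
        """Lost-phone path: consume one scratch code; email is never involved."""
        digest = self._h(scratch_code)
        if digest in self.scratch:
            self.scratch.remove(digest)  # single use
            return True
        return False

# Constructed sample secret (the RFC 6238 test key), not a real account value.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()
```
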

When it comes to protecting WordPress, WP Engine customers have always been able to use a plugin to add 2FA. Cohen said that the company is investigating a solution to make it more convenient for customers who manage multiple accounts.

“Suppose you manage 50 WP sites and you want 2FA,” he said. “So do you configure 2FA on every site and have 50 entries in your Google Authenticator App? That stinks!

“So, something better would be a SSO system somewhere, have 2FA on that, and then use that to get into WordPress,” Cohen said.

“Another way would be to use OAuth, e.g. use Google OAuth on WP, and indeed for customers who already use Google Apps, we do recommend that method. Another method might be that our own User Portal be an OAuth provider.”

With a host of solutions already available, Cohen said they are also considering simply pointing customers to a list of recommendations.

“Even if we do our own, we’d always support the other methods,” he said. “The idea isn’t to box anyone into a single method.”

WP Engine Plans to Add Opt-In PHP 7 Support in 2016

WP Engine is currently working on a PHP 7 implementation for all customers. In December, the company tested 25 concurrent users over 5 minutes across 10 randomly selected URLs — run against a basic WordPress (4.3.1) install on its Mercury Vagrant configuration. The results showed that PHP 7 handles the raw hits 2.6x faster than PHP 5.5.


Unfortunately, customers who are eager to see WP Engine upgrade to PHP 7 across the board will be waiting for the rest of the WordPress ecosystem to catch up. As an alternative, the company is looking at the possibility of making PHP 7 an opt-in.

“We have PHP7 running on some machines,” Cohen said. “But it’s actually amazing how few WP sites in the field are compatible. We’re finding that it’s less than 20%. There will need to be an opt-in for that reason.”

Although WordPress core is compatible with PHP 7, the vast majority of WordPress plugins and themes are not.

“Even WooCommerce doesn’t completely work with it,” Cohen said. “Many big, popular plugins are not yet compatible. With PHP v5.5 there was some of that, but this is much more. Of course PHP7 is the future so it’s inevitable, but it’s going to take more time than some other PHP releases did.”

Cohen said the best case scenario would be for customers to choose PHP 7 on an install-by-install basis and change at any time. He does not yet have an ETA, as the company is working on an undisclosed big project that Cohen says is part and parcel of it.

“We have to make some decisions about how much to put into it before release, versus releasing it earlier and then layering in more things afterwards,” he said.

There are several large hurdles to allowing PHP version selection on an install-by-install basis, which need to be worked out before rolling it out to thousands of customers.

“One challenge is running multiple versions at the same time on the same machine,” Cohen said. “Another is tech support — if something doesn’t work in it, we need our 150+ support techs to understand how to figure that out and help.”

Cohen said he could see opt-in PHP 7 support happening for customers as early as this year but could not specify when.


13 responses to “WP Engine Adds 2FA to User Portal, Opt-In PHP 7 Support In the Works”

  1. Hmmm, thinking about the php7 stuff, would it be possible to make a plugin that scans and tests plugins and themes and then lists all that are incompatible? I mean that would help both people wanting to change to php7 and plugin and theme authors quickly test their own. I mean I know the other way would be cloning your site and testing, but this would make it that little bit easier, plus if it outputs the errors people can even copy them to support channels to make it easier.

    This is just an idea for someone who might actually be able to create this and wants to help get more people moving over to php7.

    Or maybe this already exists and I just don’t know about it.

    • Hi Jay, that’s a good question. The answer is “yes and no.” The “yes” part is that some aspects of PHP7 can be seen statically, e.g. PHP code features which are not PHP7 compatible. The “no” part is that some aspects aren’t visible until you try to execute the code, which might involve e.g. submitting a form inside an authenticated page in wp-admin, which is not generally possible to scan for.

      • Thanks yeah wondered how things like forms would work with a scan and if there was some way to test the code that executes without actually using the form. But thanks for the reply so I guess the best way for people to test would be to create a clone and run it and test it.

        As a scan plugin would only solve the more obvious issues.

  2. Interesting circle; WordPress says “Can not abandon old PHP, bc. hosts use this” and hosts say “Can not update, bc. WordPress uses that”.

    Sure, a vast group of users one-clicked installation, then one-clicked many plugins without any knowledge. This group will not update, take care of this issue and probably never even know something about it.

    Even if WordPress requires low entry barrier, low technical knowledge, in the case of a self-hosted website, it is a self-hosted website :) It should be managed with that in mind.

    Many users would do themselves a favour if they used a managed solution like wordpress.com or anything similar.
    The same applies to many “hosting” companies, they can do incredible service to “online world” if they leave that business and do something more helpful.

    • Not sure if it’s the same with everyone, but my account with them was moved over to Rackspace infrastructure. We had a rough few days during the Linode incident, but overall I’ve been very satisfied with how WPEngine dealt with all that in the end. And I very much appreciate that they continue to improve their service. It makes my life easier managing sites.

  3. I’m running a site with 90+ plugins active (don’t ask) but there is literally only one that causes small issues. I’m not saying that WPEngine is lying or anything, but not having the OPTION to turn on PHP7 has pretty big consequences for a few of my clients. Simply because they have a heavy stack of plugins (WooCommerce, Membership Plugins + BuddyPress, Jetpack) the performance of WPEngine hosted sites compared to other hosts becomes very noticeable. Especially because as a developer I’m unable to use Redis or Memcached for logged in users I have no options to improve site performance. This has been incredibly frustrating for a while now, and I’ve stopped recommending WPEngine to clients that want more than just a regular blog.

    • I suggest you move your site to Lightning Base. They’ve had PHP 7 available for some time. I’ve just upgraded my sites (most of which are membership sites running 80+ plugins) and it was a breeze. First page load takes 0.7 seconds according to GTMetrix; subsequent pages take less than half that time.

