WP Engine announced today that two-factor authentication (2FA) is now available to its 42,000 customers. The security measure will help combat increasing attempts on the host’s user portal.
“As we grow, almost everything about the company changes, and security is one of them,” said WP Engine founder Jason Cohen. “For example, we see things like fraudulent accounts and account impersonation/phishing, and other things which didn’t appear often when we were smaller and less of a target.”
Adding 2FA is part of a larger plan for improved security that the company began last year when it hired Eric Murphy as its new security director.
“We’ve had a cross-departmental internal security group of about a dozen people for a few years now, but in 2015 we decided we needed even more leadership in that area,” Cohen said.
“We hired Eric last year, in fact before the December security incident, so in hindsight that was excellent timing.”
Murphy is now overseeing the technical aspects of security, like firewalls and VPNs, as well as the social engineering and training aimed at protecting customer account access.
After the December breach where customer credentials were exposed, WP Engine began moving its customers off of Linode’s cloud infrastructure. Cohen confirmed that thousands of customers have been moved and that no new customers have been added to Linode.
The Challenges of Implementing 2FA
Although providing 2FA for accounts is a security best practice, Cohen said that it would not have prevented the December breach, as the entry point was with Linode. Regardless, WP Engine customers have been requesting 2FA support for the user portal for years. When asked why it took the company so long to implement it, Cohen identified a few of the technical challenges.
“One of the challenges was in identity recovery,” he said. “We can’t use email as a way to recover from a lost phone, because then the email address becomes a ‘single factor,’ i.e. you can use it to recover your password as well as your phone aspect.
“However, nowadays with the advent of Google Authenticator and other apps, plus people’s general awareness of how to use things like scratch codes, we felt it was now not going to be hard for people to use,” Cohen said.
When it comes to protecting WordPress, WP Engine customers have always been able to use a plugin to add 2FA. Cohen said that the company is investigating a solution to make it more convenient for customers who manage multiple accounts.
“Suppose you manage 50 WP sites and you want 2FA,” he said. “So do you configure 2FA on every site and have 50 entries in your Google Authenticator App? That stinks!
“So, something better would be a SSO system somewhere, have 2FA on that, and then use that to get into WordPress,” Cohen said.
“Another way would be to use OAuth, e.g. use Google OAuth on WP, and indeed for customers who already use Google Apps, we do recommend that method. Another method might be that our own User Portal be an OAuth provider.”
With a host of solutions already available, Cohen said they are also considering simply pointing customers to a list of recommendations.
“Even if we do our own, we’d always support the other methods,” he said. “The idea isn’t to box anyone into a single method.”
WP Engine Plans to Add Opt-In PHP 7 Support in 2016
WP Engine is currently working on a PHP 7 implementation for all customers. In December, the company tested 25 concurrent users over 5 minutes across 10 randomly selected URLs — run against a basic WordPress (4.3.1) install on its Mercury Vagrant configuration. The results showed that PHP 7 handles the raw hits 2.6x faster than PHP 5.5.
Unfortunately, customers who are eager to see WP Engine upgrade to PHP 7 across the board will be waiting for the rest of the WordPress ecosystem to catch up. As an alternative, the company is looking at the possibility of making PHP 7 an opt-in.
“We have PHP7 running on some machines,” Cohen said. “But it’s actually amazing how few WP sites in the field are compatible. We’re finding that it’s less than 20%. There will need to be an opt-in for that reason.”
Although WordPress core is compatible with PHP 7, the vast majority of WordPress plugins and themes are not.
“Even WooCommerce doesn’t completely work with it,” Cohen said. “Many big, popular plugins are not yet compatible. With PHP v5.5 there was some of that, but this is much more. Of course PHP7 is the future so it’s inevitable, but it’s going to take more time than some other PHP releases did.”
Cohen said the best case scenario would be for customers to choose PHP 7 on an install-by-install basis and change at any time. He does not yet have an ETA, as the company is working on an undisclosed big project that Cohen says is part and parcel of it.
“We have to make some decisions about how much to put into it before release, versus releasing it earlier and then layering in more things afterwards,” he said.
There are several large hurdles to allowing PHP version selection on an install-by-install basis, which need to be worked out before rolling it out to thousands of customers.
“One challenge is running multiple versions at the same time on the same machine,” Cohen said. “Another is tech support — if something doesn’t work in it, we need our 150+ support techs to understand how to figure that out and help.”
Cohen said he could see opt-in PHP 7 support happening for customers as early as this year but could not specify when.