{"id":210394,"date":"2022-06-20T23:52:32","date_gmt":"2022-06-20T23:52:32","guid":{"rendered":"https:\/\/wpmudev.com\/blog\/?p=210394"},"modified":"2024-03-28T01:39:04","modified_gmt":"2024-03-28T01:39:04","slug":"securing-wordpress-login-biometrics","status":"publish","type":"post","link":"https:\/\/wpmudev.com\/blog\/securing-wordpress-login-biometrics\/","title":{"rendered":"The Ultimate Guide To Securing Your WordPress Login (For Free!) With Web Authentication"},"content":{"rendered":"<p><a href=\"https:\/\/wordpress.org\/plugins\/defender-security\/\" rel=\"noopener\" target=\"_blank\">Defender<\/a> implements Two-Factor Authentication (2FA), fingerprint\/facial recognition, and external hardware security keys for hardened WordPress security!<\/p>\n<p>It has become increasingly apparent that relying strictly on usernames and passwords for logins no longer offers the highest levels of security.<\/p>\n<p>WPMU DEV\u2019s solution is to use the <em>WebAuthn<\/em> standard, which sidesteps these weaknesses by using public key cryptography as a login authentication method.<\/p>\n<p>Both Defender <a href=\"https:\/\/wordpress.org\/plugins\/defender-security\/\" target=\"_blank\">Free<\/a> and <a href=\"https:\/\/wpmudev.com\/project\/wp-defender\/\" target=\"_blank\">Pro<\/a> versions allow you to make full use of Web Authentication, providing the ability to verify the authenticity of a user login by way of biometrics (facial or fingerprint recognition) or a USB security key (e.g., YubiKey).<\/p>\n<p>These web authentication methods are used in the same way as the 2FA methods already present in Defender, and work alongside the existing TOTP (Time-based One-Time Password), backup codes, and fallback email authentication methods.<\/p>\n<p>In this article, we\u2019re going to look at how to implement Web Authentication methods, as part of our 2FA WordPress plugin features in Defender.<\/p>\n<p>Continue reading, or jump ahead using these 
links:<\/p>\n<ul>\n<li><a href=\"#indispensable-defender\">The All-Encompassing Defender<\/a><\/li>\n<li><a href=\"#walkthrough\">Full Walkthrough on Web Authentication<\/a>\n<ul>\n<li><a href=\"#biometric-usbkey\">Enable Biometric or USB Security Key<\/a><\/li>\n<li><a href=\"#register\">Register Device<\/a><\/li>\n<li><a href=\"#authenticate\">Authenticate Device<\/a><\/li>\n<li><a href=\"#rename-delete\">Rename or Delete Device<\/a><\/li>\n<li><a href=\"#gdpr\">GDPR Compliance<\/a><\/li>\n<li><a href=\"#multiple-methods\">Enabling Multiple 2FA Methods<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#additional-2FA\">Additional 2FA Features: WooCommerce Integration, Disable Users, Custom Graphic URL<\/a><\/li>\n<li><a href=\"#summary\">The Complete Package<\/a><\/li>\n<\/ul>\n<p>Let\u2019s explore all that Defender has to offer in the form of login protection with the cool new 2FA WebAuth features.<\/p>\n<h2><a id=\"indispensable-defender\" target=\"_blank\"><\/a>The All-Encompassing Defender<\/h2>\n<p>Defender gives you the best in WordPress plugin security, stopping SQL injections, cross-site scripting XSS, brute force login attacks\u2014and other vulnerabilities\u2014with a list of one-click hardening techniques that will instantly add layers of protection to your site.<\/p>\n<p>It also makes safety easier on and for you, taking advantage of the latest in WebAuth security measures.<\/p>\n<p>By way of a quick overview, here\u2019s how this works in Defender\u2026 the user will input their username &amp; password to log in, and if Platform authentication has been configured for that device, said user can verify their identity through their fingerprint scanner or facial recognition software. 
Likewise, if Roaming authentication has been configured for that device, the user can verify their identity through their USB security key.<\/p>\n<p>Because we\u2019re using the <em>WebAuthn<\/em> protocol, Defender does not at any point receive any biometric or security key data, only a confirmation or rejection from the user\u2019s device.<\/p>\n<p>I want to interject here with a quick point of interest, shared by one of our techs, Marcel Oudejans (and paraphrased by me)\u2026<\/p>\n<p>The convention of naming a dog \u201cFido\u201d was popularized by Abraham Lincoln, though its use as a canine pet name dates back to the ancient Romans.<\/p>\n<p>\u201c<em>Fido<\/em>\u201d means \u201cfaithful\u201d. <em>FIDO<\/em> stands for \u201c<strong>F<\/strong>ast <strong>ID<\/strong>entity <strong>O<\/strong>nline\u201d. The new Biometric authentication feature uses the <em>WebAuthn<\/em> protocol from FIDO.<\/p>\n<p>So in a lovely, roundabout way, by using the FIDO protocol to implement this feature, one could say we are infusing \u2018faithfulness\u2019 into Defender.<\/p>\n<figure id=\"attachment_210428\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-210428\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/06\/001.1-synonyms-for-faithfulness.png\" alt=\"Synonyms for faithfulness\" width=\"593\" height=\"378\" \/><figcaption class=\"wp-caption-text\">Faithful FIDO.<\/figcaption><\/figure>\n<p>For more technical information on <a href=\"https:\/\/fidoalliance.org\/fido2\/\" target=\"_blank\">FIDO, check out this article<\/a>.<\/p>\n<p>OK, now let\u2019s take an in-depth look at these awesome new Web Authentication features.<\/p>\n<h2><a id=\"walkthrough\" target=\"_blank\"><\/a>Full Walkthrough on Web Authentication<\/h2>\n<p>First, make sure you have the Defender plugin installed and activated, and update it to the latest version.<\/p>\n<p>Two important things to note up 
front:<\/p>\n<ol>\n<li>Configuration of authorized devices is required on a per-user basis, since authentication is linked to individual user accounts.<\/li>\n<li><a href=\"https:\/\/wpmudev.com\/docs\/getting-started\/wpmu-dev-minimum-requirements\/\" target=\"_blank\">PHP 7.4 or above is required<\/a>, as it improves performance and security, while also supporting the new biometric feature.<\/li>\n<\/ol>\n<h3><a id=\"biometric-usbkey\" target=\"_blank\"><\/a>Enable Biometric or USB Security Key<\/h3>\n<p>Navigate to the WordPress <strong>Dashboard &gt; Defender<\/strong>. On the left sidebar, click on <strong>2FA <\/strong> and click on the <strong>Activate <\/strong>button.<\/p>\n<div class=\"image-grid cgrid-row\">\n<div class=\"cgrid-col cgrid-col-span-full\">\n<figure id=\"attachment_221606\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-221606 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/06\/activate-2fa.png\" alt=\"Defender - Activate 2FA screen.\" width=\"1223\" height=\"534\" \/><figcaption class=\"wp-caption-text\">Activate Two-Factor Authentication in Defender with one click.<\/figcaption><\/figure>\n<\/div>\n<\/div>\n<p>Now you\u2019ll see all the section information for Two-Factor Authentication, and all the options we have available here.<\/p>\n<p>From the same Defender 2FA page, under <strong>User Roles &gt; Administrator<\/strong>, toggle the button <em>On<\/em>. 
Make sure to scroll to the bottom and click on <strong>Save Changes<\/strong>.<\/p>\n<figure id=\"attachment_210399\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-210399\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/06\/004-user-role-admin-toggle-on.png\" alt=\"Toggle on Admin user roles.\" width=\"612\" height=\"197\" \/><figcaption class=\"wp-caption-text\">Permission to enable 2FA is given through <strong>User Roles<\/strong>.<\/figcaption><\/figure>\n<p>From the Dashboard\u2019s side menu, go to the <strong>Users <\/strong>section, and click on your <em>Admin User<\/em> profile.<\/p>\n<p>Scroll down to the <strong>Security <\/strong>section, and next to <strong>Web Authentication<\/strong>, toggle the button <em>ON<\/em>.<\/p>\n<figure id=\"attachment_221608\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-221608 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/06\/profile-web-authentication.png\" alt=\"Defender - Profile - Web Authentication toggle on.\" width=\"1268\" height=\"725\" \/><figcaption class=\"wp-caption-text\">Select the WebAuth feature in Defender.<\/figcaption><\/figure>\n<p>You\u2019ll see a recommendation to choose an additional authentication method from these options: <strong>TOTP, Backup Codes, <\/strong>and <strong>Fallback Email<\/strong>.<\/p>\n<p>In the example below, you\u2019ll see <strong>Fallback Email<\/strong>\u00a0has also been selected, but you can choose whatever method(s) you prefer. 
Remember to click the <strong>Update Profile<\/strong> button at the bottom.<\/p>\n<figure id=\"attachment_221609\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-221609 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/06\/fallback-email.png\" alt=\"Selecting additional authentication methods in Defender\" width=\"984\" height=\"590\" \/><figcaption class=\"wp-caption-text\">The selection of additional authentication methods available in Defender.<\/figcaption><\/figure>\n<p>Web Authentication does not replace your traditional WordPress login (i.e., username &amp; password); instead, it adds an additional layer of security, like the other authentication options above.<\/p>\n<p>While many browsers and operating systems are compatible with the <em>WebAuthn<\/em> protocol used to manage the authentication process, some are currently not. Check here to see <em>WebAuthn\u2019s <\/em>browser and OS <a href=\"https:\/\/webauthn.me\/browser-support\" target=\"_blank\">compatibility list<\/a>.<\/p>\n<h3><a id=\"register\" target=\"_blank\"><\/a>Register Device<\/h3>\n<p>With WebAuth authentication enabled, the <strong>Registered Device<\/strong> table will appear, with options to <strong>Register Device<\/strong> or <strong>Authenticate Device<\/strong>.<\/p>\n<figure id=\"attachment_210402\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-210402\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/06\/007-registered-device-identifiers.png\" alt=\"Registered device identifiers\" width=\"611\" height=\"190\" \/><figcaption class=\"wp-caption-text\">Defender keeps a list of Registered Device identifiers.<\/figcaption><\/figure>\n<p>Clicking the <strong>Register Device<\/strong> button will start the prompt from your browser to configure the form of Web Authentication you wish to use, depending on what&#8217;s 
available on your device.<\/p>\n<p><strong>Select an Authenticator Type<\/strong>, enter any name in the <strong>Authenticator Identifier<\/strong> field, then click the <strong>Start Registration<\/strong> button.<\/p>\n<figure id=\"attachment_210734\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-210734 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/06\/authenticator__register-device.png\" alt=\"webauth register device\" width=\"621\" height=\"598\" \/><figcaption class=\"wp-caption-text\">Inputting info to authenticate a device; in this case, a USB Security Key.<\/figcaption><\/figure>\n<p>Depending on the authenticator type and device you are using, the registration process will differ.<\/p>\n<h4>Example 1:<\/h4>\n<p>Registering a <strong>Windows<\/strong> desktop or laptop will prompt you to enter your Windows Hello PIN, or whatever other authentication method may be enabled on your device.<\/p>\n<figure id=\"attachment_210404\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-210404\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/06\/009-windows-hello-PIN-login.png\" alt=\"Windows hello PIN login\" width=\"611\" height=\"359\" \/><figcaption class=\"wp-caption-text\">The Windows Hello sign in PIN entry.<\/figcaption><\/figure>\n<h4>Example 2:<\/h4>\n<p>Registering a mobile device will prompt you to touch the fingerprint sensor, or whatever other authentication method may be enabled on your device.<\/p>\n<figure id=\"attachment_210405\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-210405\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/06\/010-verify-fingerprint-sensor.png\" alt=\"Verify fingerprint sensor\" width=\"611\" height=\"498\" \/><figcaption class=\"wp-caption-text\">A sample 
fingerprint sensor authenticator window.<\/figcaption><\/figure>\n<h4>Example 3:<\/h4>\n<p>Registering a USB Security key will prompt you to go through a brief series of steps.<\/p>\n<div class=\"image-grid cgrid-row\">\n<div class=\"cgrid-col cgrid-col-span-full\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-210888\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/06\/verify-usb-security-key-process.png\" alt=\"Post image\" aria-hidden=\"true\" width=\"621\" height=\"1137\" \/><\/div>\n<\/div>\n<p>Back on your <strong>Users Profile<\/strong> page, if you scroll to the bottom under <strong>Security &gt; Registered Device<\/strong>, you\u2019ll see your device listed here, along with a message beneath it confirming it has indeed been registered.<\/p>\n<figure id=\"attachment_210736\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-210736 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/06\/authenticator_registered-confirmation.png\" alt=\"webauth registered confirmation\" width=\"611\" height=\"160\" \/><figcaption class=\"wp-caption-text\">Congrats! You&#8217;re registered. 
Next up&#8230; authentication.<\/figcaption><\/figure>\n<p>The next step is to authenticate the device you just registered.<\/p>\n<h3><a id=\"authenticate\" target=\"_blank\"><\/a>Authenticate Device<\/h3>\n<p>Once the device has been registered, click the <strong>Authenticate Device<\/strong> button.<\/p>\n<p>The same authentication method used to register the device will prompt you to confirm the action.<\/p>\n<figure id=\"attachment_210744\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-210744 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/06\/authenticator-authenticated-device-successfully.png\" alt=\"authenticated device successfully\" width=\"626\" height=\"792\" \/><figcaption class=\"wp-caption-text\">WebAuth device authentication confirmations for a Desktop PC, and a YubiKey.<\/figcaption><\/figure>\n<p>Once done, you\u2019ll see a success message appear. Now you\u2019ll be able to use the registered WebAuth options as additional, secure ways to log in to your site.<\/p>\n<h3><a id=\"rename-delete\" target=\"_blank\"><\/a>Rename or Delete Device<\/h3>\n<p>If desired, you can rename or delete any authenticated device.<\/p>\n<p>Navigate to the WordPress <strong>Dashboard &gt; Users<\/strong>, and click on your <em>username<\/em>.<\/p>\n<p><strong>To Rename<\/strong>:<\/p>\n<p>From <strong>Profile &gt; Security &gt; Registered device<\/strong>, click on the <strong>Rename<\/strong> text in the <strong>Action <\/strong>column<strong>. 
<\/strong>Type the new name, and click <strong>Save<\/strong>.<\/p>\n<figure id=\"attachment_210408\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-210408\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/06\/013-rename-or-delete-registrered-device.png\" alt=\"Rename or delete registered device\" width=\"611\" height=\"287\" \/><figcaption class=\"wp-caption-text\">Action options for registered devices.<\/figcaption><\/figure>\n<p><strong>To Delete:<\/strong><\/p>\n<p>Same process as above, but click on the <strong>Delete <\/strong>text in the <strong>Action <\/strong>column, then click <strong>OK<\/strong> from the next popup.<\/p>\n<figure id=\"attachment_210409\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-210409\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/06\/014-delete-confirm-actions.png\" alt=\"Confirm delete action\" width=\"601\" height=\"409\" \/><figcaption class=\"wp-caption-text\">Confirming the delete of an authentication.<\/figcaption><\/figure>\n<p>Be advised that the <em>Delete <\/em>action doesn\u2019t save settings, so if you decide you want to use the Biometric feature from that device again, you will need to go through the full setup process.<\/p>\n<p>Likewise, if you deactivate any WebAuth functionality on your device, the login will no longer work, and you would need to repeat the process on your device to restore the feature\u2019s functionality.<\/p>\n<h3><a id=\"gdpr\" target=\"_blank\"><\/a>GDPR Compliance<\/h3>\n<p>FIDO Alliance standards were created from the outset with a \u201cprivacy by design\u201d approach and are a strong fit for GDPR compliance.<\/p>\n<p>Because FIDO delivers authentication with no third-party involvement or tracking between accounts and services, biometric authentication with FIDO2 compatible devices is fully GDPR 
compliant.<\/p>\n<p>With FIDO, no personally-identifying information ever leaves your device.<\/p>\n<p>For more information, see the following article on the FIDO website: <a href=\"https:\/\/fidoalliance.org\/fido-authentication-and-gdpr-presentation\/\" target=\"_blank\">FIDO Authentication and GDPR<\/a>.<\/p>\n<h3><a id=\"multiple-methods\" target=\"_blank\"><\/a>Enabling Multiple 2FA Methods<\/h3>\n<p>If you enable more than one additional authentication method in your profile, each will display as alternate options beneath the method you have set as your default.<\/p>\n<p>For example, here&#8217;s the screen you&#8217;ll see if you select Web Authentication as your preferred method&#8230;<\/p>\n<figure id=\"attachment_221613\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-221613\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/06\/web-authentication.png\" alt=\"Web Authentication\" width=\"610\" height=\"461\" \/><figcaption class=\"wp-caption-text\">Use web authentication methods to log in.<\/figcaption><\/figure>\n<p>And here&#8217;s an example showing TOTP Authentication as the preferred method.<\/p>\n<p>You can click on any available option in the list, and it will display the selected alternate authentication method.<\/p>\n<figure id=\"attachment_221612\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-221612 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/06\/totp-authentication.png\" alt=\"TOTP authentication\" width=\"842\" height=\"933\" \/><figcaption class=\"wp-caption-text\">Using a TOTP to authenticate, with alternate methods (per your selection) listed below.<\/figcaption><\/figure>\n<p>A final note\u2026 Web Authentication requires that the following PHP extensions be enabled on your server: <em>mbstring, GMP,<\/em> and <em>Sodium<\/em>. 
These extensions are enabled by default on all sites hosted by WPMU DEV.<\/p>\n<p>If you are hosting elsewhere and any of them are not enabled on your server, you\u2019ll see an alert like the one below. Reach out to your hosting provider to have them enable the extensions for you so that you can use this feature.<\/p>\n<figure id=\"attachment_210427\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-210427\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/06\/017-message-alert-requirements-not-met.png\" alt=\"Message alert, requirements not met\" width=\"611\" height=\"113\" \/><figcaption class=\"wp-caption-text\">If you see this message, don&#8217;t panic\u2013you&#8217;ll just need some PHP extensions enabled.<\/figcaption><\/figure>\n<p>Click here for WPMU DEV\u2019s full <a href=\"https:\/\/wpmudev.com\/docs\/wpmu-dev-plugins\/defender\/#web-authentication\" target=\"_blank\">documentation on Defender\u2019s Web Authentication feature<\/a>.<\/p>\n<h2><a id=\"additional-2FA\" target=\"_blank\"><\/a>Additional 2FA Features<\/h2>\n<p>A few extra goodies were included in the most recent rollout of Defender. Here\u2019s what else is new:<\/p>\n<p><strong>WooCommerce<\/strong><\/p>\n<p>Defender allows users to configure 2FA from WooCommerce\u2019s <em>My Account<\/em> page.<\/p>\n<p>Simply flip the option on in Defender\u2019s 2FA settings, and enable two-factor authentication for the user role Customer (so the 2FA section appears under the <em>My Account<\/em> page).<\/p>\n<p><strong>Check Active Users<\/strong><\/p>\n<p>Defender now allows you to see User 2FA status, or reset it for any reason. 
To do so:<\/p>\n<ul>\n<li>Navigate to <strong>WP Dashboard &gt; Defender &gt; 2FA &gt; Active Users<\/strong>.<\/li>\n<li>Click on <em>View users<\/em>; check the <em>Two Factor<\/em> column to see who has 2FA enabled.<\/li>\n<li>Hover over any user, and below their avatar, <strong>Reset two factor<\/strong> will display. Click on that, then <strong>Save Changes<\/strong>.<\/li>\n<\/ul>\n<figure id=\"attachment_211448\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-211448 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2022\/06\/0001-2FA-users-reset-two-factor-1.png\" alt=\"2FA users reset two-factor\" width=\"559\" height=\"304\" \/><figcaption class=\"wp-caption-text\">Defender&#8217;s 2FA Active User settings.<\/figcaption><\/figure>\n<p>You can also skip a step, and navigate directly to <strong>WP Dashboard &gt; Users<\/strong>\u00a0to reset the 2FA.<\/p>\n<p><strong>Custom Graphic from a URL<\/strong><\/p>\n<p>The Defender icon that appears on your login page can be replaced with a custom graphic of your choosing.<\/p>\n<p>You can now choose to link a graphic from a URL, in addition to the existing options of uploading one or having no graphic at all.<\/p>\n<h2><a id=\"summary\" target=\"_blank\"><\/a>The Complete Package<\/h2>\n<p>As protective measures go in WordPress, it\u2019s hard to beat Defender.<\/p>\n<p>Defender has powerful security features, including malware scanning, antivirus scans, IP blocking, firewall, activity log, security log, and two-factor authentication (2FA), including two Web Authentication methods&#8211;Biometric, and USB Security Key.<\/p>\n<p>Defender also comes with an additional, useful enhancement to Defender\u2019s WP-CLI \u201cscan\u201d command. 
By using this WP-CLI command and option, if any issues are found, Defender will create a table with results.<\/p>\n<p>Previously, you could only see the results of a malware scan from the back-end of the site (at WP Admin &gt; Defender Pro &gt; Malware scanning), but now you&#8217;ll be able to see the completed scan results right in the console.<\/p>\n<p>Coming soon for Defender\u2026 we\u2019ll expand on our use of <em>WebAuthn<\/em>, with our devs currently working on the ability to use hardware authentication devices. Plans are also underway to implement \u2018password free\u2019 logins in the best way possible, using the <em>WebAuthn <\/em>protocol.<\/p>\n<p>You can read about upcoming features for any of our tools and services anytime in our product <a href=\"https:\/\/wpmudev.com\/roadmap\/\" target=\"_blank\">Roadmap<\/a>.<\/p>\n<p>If 2FA is the question, Defender is the answer. Handling security in your WordPress sites can be as simple\u2014yet complete\u2014as activating <a href=\"https:\/\/wordpress.org\/plugins\/defender-security\/\" target=\"_blank\">Defender<\/a>.<\/p>\n<p><em>[Editor\u2019s note: This post was originally published in June 2022 and updated in March 2024 for accuracy.]<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Defender implements Two-Factor Authentication (2FA), fingerprint\/facial recognition, and external hardware security keys for hardened WordPress security! It has become increasingly apparent that relying strictly on usernames and passwords for logins no longer offers the highest levels of security. 
WPMU DEV\u2019s solution to addressing this is through the use of the WebAuthn standard, which bypasses vulnerabilities [&hellip;]<\/p>\n","protected":false},"author":915455,"featured_media":210423,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"blog_reading_time":"8","wds_primary_category":0,"wds_primary_tutorials_categories":0,"footnotes":""},"categories":[4,263,11260,11259],"tags":[],"tutorials_categories":[11231],"class_list":["post-210394","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-plugins","category-tutorials","category-wpmu-dev-products","category-wpmudev-tutorials","tutorials_categories-defender-pro"],"_links":{"self":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/210394","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/users\/915455"}],"replies":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/comments?post=210394"}],"version-history":[{"count":33,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/210394\/revisions"}],"predecessor-version":[{"id":221615,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/210394\/revisions\/221615"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/media\/210423"}],"wp:attachment":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/media?parent=210394"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/categories?post=210394"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/tags?post=210394"},{"taxonomy":"tutorials_categories","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/
wp\/v2\/tutorials_categories?post=210394"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}