[wp-trac] [WordPress Trac] #55514: 2FA by default for WordPress
WordPress Trac
noreply at wordpress.org
Sat Apr 2 00:09:13 UTC 2022
#55514: 2FA by default for WordPress
-----------------------------+-----------------------------
Reporter: jamsec | Owner: (none)
Type: feature request | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Security | Version:
Severity: normal | Keywords:
Focuses: |
-----------------------------+-----------------------------
Hi WordPress!

Hope this message finds you well! I'm a senior security analyst/researcher
from Sucuri and I wanted to reach out to you all with an inquiry and
feature request. I initially reached out to Fio (my old colleague) from
WordPress.com and he directed me here. Apologies if I should have
submitted this to HackerOne instead, but it's not a specific
"vulnerability" ''per se''.

I'm writing a piece for our Sucuri blog on how 2FA-by-default should be in
WordPress, similar to how Akismet is included in a default WordPress
installation to combat comment spam.

A HUGE number of website compromises that we deal with on a daily basis at
Sucuri could have been avoided by a simple 2FA additional authentication.
With WordPress being over 40% of the web, I think that 2FA-by-default
could be a game changer in terms of making the web a much safer place and
avoiding a LOT of headaches and malware issues for WordPress website
admins.

Adobe made 2FA default in all new Magento2 installations, as they were
dealing with exactly the same chronic issues of security (abuse of
public-facing login pages with no additional authentication). You can turn
it off afterwards if you want, but it's included by default during the
installation process.

What are your thoughts on including 2FA by default in new wordpress.org
installations? I know Jetpack includes 2FA, but it's linked to
wordpress.com and I understand that .com and .org need to remain
rightfully separate.

I'd like to include your thoughts in my blog piece if that's ok.

Looking forward to hearing back!

Cheers,
Ben
--
Ticket URL: <https://core.trac.wordpress.org/ticket/55514>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform