Secured Logins for the WordPress Environment

Executive Summary

TraitWare passwordless multi-factor authentication provides simple and secure logins without usernames and passwords for hosting WordPress sites. The WordPress website environment comprises multiple layers and access points, each of which requires its own layer of security. TraitWare passwordless multi-factor authentication (TW MFA) eliminates the need to remember multiple usernames and passwords. Not only is our login process simple and easy to use, it virtually eliminates the vulnerabilities associated with traditional username and password logins in the web browser.

TraitWare MFA works with Azure, AWS, and Google Cloud Services. TraitWare also provides multi-factor authentication for cPanel, the UNIX-based control panel that works with WordPress-compatible servers such as Apache, MySQL, and phpMyAdmin. Using the TraitWare solution for both WordPress and cPanel eliminates the need for passwords in the authentication process.

The TraitWare PAM (pluggable authentication module) uses the TW Accept/Decline pre-authentication process to provide MFA for SSH and SFTP on WordPress-compatible Linux servers. Administrators can access MySQL and phpMyAdmin through SSH or cPanel.

This white paper explains how the TraitWare authentication processes protect WordPress websites at every point of access.

WordPress Login Environment

The WordPress login environment is much larger than just the login to the WordPress dashboard. As shown in Figure 1, the WP environment may include the server hosting, domain registry, Linux OS, server services including Apache, MySQL, phpMyAdmin and WP-CLI, cPanel, and WordPress plugins, all of which require logins. TraitWare logins are designed to simplify and secure the process in ways that do not require the user to remember, retrieve or enter a username and password.

Figure 1 WordPress Environment with Usernames and Passwords

Hackers target all of these layers to gain access to websites. Each of the logins needs multi-factor authentication. TraitWare provides the means to secure each of the login endpoints.

Figure 2 shows how TraitWare has created a simpler, more secure multi-factor authentication process by using the Security Assertion Markup Language (SAML), OpenID Connect (OIDC) and Open Authorization (OAuth) 2 protocols to modify the WordPress environment and replace or supplement the usernames and passwords for each of the logins. TraitWare has used SAML to apply its MFA process to web hosting on Microsoft Azure, Google Cloud and Amazon Web Services. When using SSH and SFTP, a username and password are still required unless a private/public key pair is being used, but the same TraitWare app used for SAML and OIDC sign-ins without username and password can be used to provide 2-factor authentication.

Figure 2 WordPress Environment with TraitWare

TW authentication has been thoroughly tested with all aspects of the WordPress environment on a variety of operating systems. TW authentication is compatible with any Domain Registrar that supports SAML. TraitWare PAM has a strong track record with the Red Hat version of Linux. We have tested authentication with both Google and Amazon clouds and their DNS services. Currently, the cPanel with TraitWare OIDC integration is running on an Azure virtual machine and the Secure Login with TraitWare WordPress plugin is in commercial use on multiple sites.

Table 1 lists the users, applications, application access points and interfaces, and the databases where usernames and passwords are stored in a traditional WordPress environment. The revised configuration to support TraitWare MFA is shown in Table 2.

Three groups of users typically need access to the WordPress environment: 1) The site administrators and designers (web design consultants or web design companies); 2) the customer or site owner including the customer’s admin and other dashboard users; and 3) the customer or site owner’s users.

The third group often consists of site visitors. But for sites with protected content, memberships, bloggers, and e-commerce customers, there can be large numbers of other users who need secured or limited access. Most of the access is through a web-based GUI (Graphical User Interface), but it can be through a terminal using SSH (Secure Shell), FTP (File Transfer Protocol), SFTP (Secure FTP), or remote access to the server GUI. Usernames and passwords are stored in several different databases for verification during the login process. The following table shows four different databases for one website.

Table 1  WordPress Use and Configuration Logins, traditional configuration. The dBs store usernames and passwords and the CMS content.

Access Users:
  Web Design Company: Admins, Designers
  Customer (Site Owner): Admins, Editors, Authors, Bloggers, Custom Role, Others
  Customer Clients: Bloggers, Protected Content, E-commerce, Membership, Site Visitors

Applications             Application Access Pt. & Interface   Authentication Credential Storage
Web Hosting Service      HS WebGUI & CLI                      HS Database
WP Server
  Operating Sys          SSH, GUI                             Server Database
  Apache                 SSH, cPanel_GUI                      Srv_dB, cPanel_dB
  MySQL                  SSH, cPanel_GUI                      Srv_dB, cPanel_dB
  phpMyAdmin             SSH, cPanel_GUI                      Srv_dB, cPanel_dB
cPanel
  WHM Admins             cPanel-GUI_Browser                   cPanel dB
  cPanel Admin           cPanel-GUI                           cPanel dB
  Webmail users          cPanel-GUI                           cPanel dB
WordPress Dashboard
  Admins                 WP-WebGUI_Browser                    wp_MySQL_dB
  Editors                WP-WebGUI                            wp_MySQL_dB
  Others                 WP-WebGUI                            wp_MySQL_dB
  Protected Content      Web_Browser                          wp_MySQL_dB
  E-commerce             Web_Browser                          wp_MySQL_dB
  Site Access            Web_Browser                          none

For the majority of WordPress environment users, access to the hosting service and the required server services (MySQL and phpMyAdmin) is set up to use TraitWare. TraitWare currently provides the TraitWare Simple and Secure Multi-Factor Login into Azure, AWS and Google Cloud Services. Once a Linux server is set up on one of these hosting services, TraitWare deploys a pluggable authentication module (PAM) to provide a multi-factor, secure login process as described in the PAM section below. Even for users using a key pair for SSH, TraitWare recommends using a PAM to prevent username and password access that bypasses multi-factor authentication.

Administrators can provide GUI access to server services with TraitWare MFA by installing cPanel and configuring it to use TraitWare. Finally, WordPress is installed and the TraitWare WP plugin is added for TW MFA.

Software and Hardware Requirements

To use TraitWare for the complete WordPress environment, users must have a TraitWare Enterprise Account with access to the TraitWare Customer Console (TCC) and a WordPress Account with access to the WordPress TCC. Access to the TCC is granted through the TraitWare device app, available from the Apple App Store and Google Play. The same app with two accounts can be used for all of the TraitWare authentications in the WordPress environment. One account has a web hosting service SAML application, a PAM OAuth application for the Linux server and a cPanel OIDC application. The second account is used for access to the WordPress dashboard and the WordPress TCC.

When using TraitWare, the passwords in the WordPress environment shown in Table 1 above should be either removed or made very long (at least 16 characters is recommended for strong passwords). The Linux passwords protected with TraitWare PAM can be shorter. Users added directly to TraitWare for the Web Hosting Service, cPanel, and WordPress are not supplied with any passwords.

When TraitWare is used, the credential database is split up into the structure shown in Table 2 below.

Table 2  WordPress Use and Configuration Logins with TraitWare dBs. Most passwords are eliminated.

Credential storage with TraitWare (column notes from the original table):
  - With TW userID and TW AuthServer Credential
  - With TW userID and TW Resource Server Credentials and User Device Credentials
  - userID, TW AuthServer Credentials, Private key

Applications             Application Access Pt. & Interface   Authentication Credential Storage   TW AuthServer Storage     User Device Storage
Web Hosting Service      HS WebGUI & CLI                      HS Database                         TW AuthServer_WHS_ActdB   User DevicedB
WP Server
  Operating Sys          SSH, GUI                             Server Database                     TWAuthServer_Cu_ActdB     User DevicedB
  Apache                 SSH, cPanel_GUI                      Srv_dB, cPanel_dB                   TWAuthServer_Cu_ActdB     User DevicedB
  MySQL                  SSH, cPanel_GUI                      Srv_dB, cPanel_dB                   TWAuthServer_Cu_ActdB     User DevicedB
  phpMyAdmin             SSH, cPanel_GUI                      Srv_dB, cPanel_dB                   TWAuthServer_Cu_ActdB     User DevicedB
cPanel
  WHM Admins             cPanel-GUI_Browser                   cPanel dB                           TWAuthServer_Cu_ActdB     User DevicedB
  cPanel Admin           cPanel-GUI                           cPanel dB                           TWAuthServer_Cu_ActdB     User DevicedB
  Webmail users          cPanel-GUI                           cPanel dB                           TWAuthServer_Cu_ActdB     User DevicedB
WordPress Dashboard
  Admins                 Wp-WebGUI_Browser                    wp_MySQL_dB                         TWAuthServer_Cu_WpdB      User DevicedB
  Editors                Wp-WebGUI                            wp_MySQL_dB                         TWAuthServer_Cu_WpdB      User DevicedB
  Others                 Wp-WebGUI                            wp_MySQL_dB                         TWAuthServer_Cu_WpdB      User DevicedB
  Protected Content      Web_Browser                          wp_MySQL_dB                         TWAuthServer_Cu_WpdB      User DevicedB
  E-commerce             Web_Browser                          wp_MySQL_dB                         TWAuthServer_Cu_WpdB      User DevicedB
  Site Access            Web_Browser                          none                                TWAuthServer_Cu_WpdB      User DevicedB

It appears at first that more databases are present than in the case without TraitWare. But when we consider that the user has to store and remember all the different passwords, there are more databases than shown in Table 1. Few people can remember multiple strong passwords that include upper and lower case letters, numbers and symbols. If a password manager is used, that in itself is a database, and the storage of the credential for the password manager is another database.

TraitWare Cloud Server Portal Access

TraitWare provides SAML-based MFA logins to Azure, AWS and Google Cloud. To set up TraitWare Cloud Server Portal Access, a user must have a TraitWare Enterprise Account with access to the TraitWare Customer Console (TCC). Users access the TCC through the TraitWare device app as described for the WordPress environment.

For instructions on setting up the cloud portal access for Azure, AWS, and Google Cloud, go to https://documentation.traitware.com/.

The following images demonstrate accessing the TW Azure cloud:

Go to your TW Azure sign-in portal. Enter your account email address. Once you have used the account, cookies will autofill it for you.

Choose your account on the computer screen and open the TraitWare app on your login device.

Click the TW app account associated with the relevant domain.

Authenticate to the login device. Then select “Scan QR Code” and scan the QR. You will be logged into your Azure portal without typing a username or password when you use your device biometric. During the setup process, an admin can set the process to require up to four factors for the authentication:  registered device (something you own), biometric (something you are), a PhotoAuth™ sequence (knowledge factor), and correct location (geo-fenced).

The same process can be used for portal access, Domain Registry access and DNS Server access. TraitWare has tested access to both AWS DNS and Google Cloud DNS.

TraitWare PAM with TW Pre-Authentication
To eliminate the vulnerabilities of a username and password sign-in for SSH and SFTP, a TraitWare PAM (Pluggable Authentication Module) is required as part of the authentication process. The setup procedure involves installing the TraitWare PAM on the Linux server and setting up a TCC OAuth Application per the instructions here.

To prevent a brute-force, credential-stuffing, or stolen or misused credential (username and password) attempt from succeeding, TraitWare requires the user logging in to pre-authenticate with their TraitWare app. For an SSH sign-in, the user opens a local terminal as shown:

Before pressing return, the user opens their TraitWare app and selects the account for which they are signing in (if they have multiple accounts). The user authenticates with either a biometric or with the TraitWare PhotoAuth™ knowledge factor, or with both if 3-factor TW authentication is required by their admin.

The app screen will look like this:

Once the user is authenticated, they press return in their computer terminal and the app screen updates to Accept/Decline. If they have not pre-authenticated, the SSH login will not proceed.

After clicking “Accept,” the SSH terminal will change to show the TraitWare authentication approved.

It will now wait for the user to enter their password. After entering their password, the user is logged in. TraitWare is looking into ways to eliminate the password. The password requirement could be turned off in the SSH server configuration, but this would open up root access.

Note: Most users will not need to use SSH that requires a username and password if cPanel is installed. Much of what they need to do can be done through cPanel. If work needs to be done at the root level, a root password is still required. Direct or remote root login should be disabled.
When root login is disabled, only TraitWare-registered users who also hold the root password can reach root, further increasing security. This prevents attackers from using any form of credential attack to gain root-level access.
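The note above asks for two server-side conditions alongside the PAM: remote root login disabled, and PAM active so the pre-authentication step cannot be bypassed. The following audit script is an added example written for this paper, not TraitWare's PAM or any of its code; it checks a generic OpenSSH sshd_config for those settings (plus keyboard-interactive, which PAM modules need in order to prompt) and runs against two constructed sample configs.

```shell
#!/bin/sh
# Constructed sample sshd_config fragments for the demo (not from any real host).
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# root reachable with a password; PAM left at default
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

HARDENED_CFG=$(mktemp)
cat >"$HARDENED_CFG" <<'EOF'
Port 22
PermitRootLogin no
UsePAM yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
EOF
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

# sshd_opt FILE KEY DEFAULT: first effective (uncommented) value of KEY,
# or DEFAULT when the key is absent. Keys are case-insensitive in sshd.
sshd_opt() {
  v=$(awk -v k="$2" 'tolower($1)==tolower(k){print $2; exit}' "$1")
  if [ -n "$v" ]; then printf '%s' "$v"; else printf '%s' "$3"; fi
}

# audit_sshd_config FILE: prints one line per failed check; returns 0 only
# when root login is off, PAM is on, and PAM modules can prompt.
audit_sshd_config() {
  f=$1; rc=0
  # OpenSSH's compiled-in default is prohibit-password, which still allows
  # root with a key; the paper asks for root login to be disabled outright.
  if [ "$(sshd_opt "$f" PermitRootLogin prohibit-password)" != no ]; then
    echo "FAIL: PermitRootLogin is not 'no' (root reachable over SSH)"; rc=1
  fi
  if [ "$(sshd_opt "$f" UsePAM no)" != yes ]; then
    echo "FAIL: UsePAM is not 'yes' (a PAM MFA module will never run)"; rc=1
  fi
  # KbdInteractiveAuthentication superseded ChallengeResponseAuthentication;
  # accept either spelling, default yes as in sshd.
  kbd=$(sshd_opt "$f" KbdInteractiveAuthentication "")
  [ -n "$kbd" ] || kbd=$(sshd_opt "$f" ChallengeResponseAuthentication yes)
  if [ "$kbd" != yes ]; then
    echo "FAIL: keyboard-interactive is off (PAM cannot prompt the user)"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $f passes the root/PAM checks"
  return $rc
}
```

Run it against a live file with `audit_sshd_config /etc/ssh/sshd_config` after reading the config as root; a non-zero exit means at least one of the three settings needs attention.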

TraitWare cPanel
The server that hosts this website has cPanel installed, including Webmail and WHM. All three are set up to use TraitWare's secure and simple MFA. The standard username/password login at this point still works. For security, the password used for setup has been set to 16 characters with no external storage record. If the setup password is saved and stored, it needs to be stored securely. Other administrators were set up for recovery, so the only practical access is by registered TraitWare app users whose accounts have been linked to the prime account.

The authorized users can access the standard cPanel applications, including a terminal, MySQL, and phpMyAdmin. MySQL and phpMyAdmin are set up for localhost access only (forcing access to go through cPanel, SSH or SFTP). Logging into SSH or SFTP also requires TraitWare; see the TraitWare PAM section above.

Access to WHM, cPanel, and cPanel Webmail was set up using the external authentication protocol built into cPanel, which uses OIDC, together with the TraitWare OIDC (OpenID Connect) application that is available to registered TCC (TraitWare Customer Console) administrators. Directions for using the TCC can be found here. Access requires approval by a TCC Admin. Instructions for setting up TW access to cPanel are found here.

Once set up, the login screen shows “Select Login via TraitWare,” which will present a QR to scan with your registered and authorized device (must be linked to cPanel user account per setup instructions).

Currently, the TraitWare cPanel (OIDC) access does not support TraitWare Direct Login (login from the authentication device). The username and password fields are still active. Eliminating the username and password login would require a code change by cPanel. The TraitWare Plugin for WordPress, by contrast, provides an option to deactivate and hide the username and password input fields.

TraitWare WordPress Plugin

The TraitWare WordPress plugin, combined with its mobile app, provides a simple, secure login to the WordPress Dashboard and Protected Resources via web browsers by replacing usernames/passwords with a QR scan. Using the TraitWare mobile app, role-based Multi-Factor (2FA) Authentication provides an extra layer of security to your sign-in process. To take full advantage of this feature, a simple setting has been added to disable the username and password fields!

Site administrators can set up the plugin to protect wp-admin/Dashboard logins, Custom page/site user logins, pages, and resources within a page. They can also allow for a user to self-register with TraitWare to access resources or a protected page.

TraitWare is a premiere multi-factor authentication platform that never needs a password or a password manager. With our QR web browser login solution, we can also eliminate the need for a username for logins.

To learn more about TraitWare and how it can help improve your sign-in process, visit our website.

Easy Install

1. Install and register the plugin (Video Instructions Part 1: Account Creation. See additional videos in the installation tab).

2. Send yourself a registration email.

3. Install the TraitWare app on your mobile phone by simply selecting the Registration link from your phone and completing registration.

4. Now scan the QR on the plugin screen with your TraitWare Mobile App to add TraitWare to your site.

5. Log in to your site by scanning a QR for all future logins!

*If you have a firewall, please make sure you have your network IP or https://api.traitware.com whitelisted. For additional information, go here.

Find a more detailed walk-through and the rest of the videos in the Installation tab!

Supported Mobile Devices

*Android 6.0 (Marshmallow) and up for smartphones and tablets (Google Play must be enabled for auto-registration piece)

*iPad iOS 10 and up

*iPhone iOS 10 and up (requires iPhone 5S or newer)

How Secure is TraitWare Authentication?

TraitWare uses Multi-Factor Authentication to secure each individual client's browser login to WordPress. The factors it utilizes for securing each user's identity are 1) each user's mobile device equipped with the TraitWare Mobile App; 2) the cloud-hosted TraitWare Authentication Server; and 3) something you are or something you know. While TraitWare's authentication is highly effective against malicious attacks and identity theft in a browser, site admins and their users should still follow best practices. This means disabling the username and password options and making sure FTP, SFTP, and MySQL logins use complex passwords or are protected with the TraitWare PAM.

TraitWare Services Trial Period

While the WordPress plugin is completely free to install and register, if you wish to continue using the TraitWare app to sign in after your 30-day trial expires, you will be asked to choose a payment plan or remove the TraitWare plugin.

TraitWare SSO User Portal

TraitWare offers a User Portal to manage all of your site logins from one place.

1. Navigate to login.traitware.com and select Log In With TraitWare

2. Open your TraitWare Mobile App and authenticate

3. Scan the QR to gain access to your sites

4. That’s it!

TraitWare Direct Login

TraitWare offers direct login to the dashboard directly from the TraitWare app on your device.

1. Open your TraitWare Mobile App and authenticate

2. Select Direct Login on the screen

3. Choose the site where you want to access the dashboard

4. That’s it!

TraitWare Restricted Content

TraitWare can protect pages or sections of pages in addition to securing logins for admins and consumers. A detailed tutorial can be found here.