Log into WordPress dashboard, add new post and start typing. Simple, right? Apparently not; the wrong security set-up could lock you out of your own site.
After putting it off for too long, I decided to sit down yesterday and write up a couple of posts for my personal blog. I have a nice Chrome extension called WordPress Site Manager that, once set up, can log me into any of my WordPress sites (including this one) with a couple of clicks. It had been working fine for a long time, except recently I found it odd that I couldn’t log in with the passwords I’d set. I double, triple, even quadruple-checked that I was typing the right letters, but nothing. For a moment, I was left staring at the screen wondering what was going on.
“Let me get this straight; I enter the right login details and I can’t get in?!”
So began a process of elimination, as I tried every single trick I could find via the all-knowing powers of Google.
Have I been hacked?
When one can’t log in with their own details, that are known to be correct, the first conclusion is usually that someone’s broken into the site and changed the login credentials. I didn’t see any sign of a break-in on my sites, but just to be sure, I did some research to find out how to check from a different direction.
Did I say “sites”? Yes, yes I did. I couldn’t get into this site either, which made it even more important to find a way back in; I have a total of three sites that I manage, not including a test project that I’ll talk about another time. Oddly enough, it was just these two I had a problem with – I could log into the others just fine.
Fortunately there are some solutions to get back into the admin dashboard, although some need you to be confident editing code or working in CPanel on your hosting account.
Reset password link
This would be the obvious solution – if you have the link on your login page. I don’t, for some reason. I couldn’t find a way to access the forgotten password link, either. So resetting via email was ruled out very quickly.
This descends very quickly into “knowing what you’re doing” territory. I worked through a tutorial called “How to Reset a WordPress Password from phpMyAdmin“, which is pretty easy to follow.
It should have worked. I tried several times to reset my password this way, but WordPress flatly refused to let me back in.
SQL and FTP tricks
On the WordPress official help site, there is a long page called “Resetting Your Password” that I tried to work through. The phpMyAdmin method didn’t work, so I tried the SQL command. That didn’t work, so I became thankful that I still have FTP access.
What haven’t I tried yet?
By this time, I’d spent hours trying unsuccessfully to get back into my own account. I was frustrated, extremely puzzled and in need of a break.
When I was thinking a bit clearer, I stared again at the login screen with its “incorrect details” message, and the limited logins plugin telling me I had to wait another day before trying again… and I decided to try again once I’d got rid of it.
A little context here: On most web hosting accounts, there is a feature that provides easy installs of many scripts, including WordPress. The main two that I know of are Softaculous and Fantastico. My account provides the former.
Softaculous is more advanced these days; when installing WordPress, it lets you pick a theme, set automatic backups, and also offers to bundle the security plugin “Limit Login Attempts“, which is designed to prevent brute force attacks. A sensible option, one might think… except when locked out of your own site and finding it works against you.
On this occasion, it turned out to be a red herring: once I’d deleted the plugin via FTP and tried to log in again, I was finally presented with the real culprit.
2FA or not 2FA, that is the question…
I have grown increasingly security-conscious as I learn more about web development, especially after taking an online course in cyber-security last year. I also know that WordPress can be notorious for security flaws, so the first plugin I usually install is Bulletproof Security. I did use Wordfence before, thought BPS would be enough so stopped using it… only to find later that no, it wasn’t enough, and it was best to use the two together. Wordfence has the bonus of also preventing brute force attacks, among many other things – but I digress.
After the Dropbox incident sometime ago, where they had recommended that account holders activate Two Factor Authentication (2FA), I had made a lot of use of this for other sites. Google Authenticator became my friend for quite a while, despite the extra inconvenience of having to reach for my phone every time I wanted access to my accounts. There is a plugin that enables this feature on WordPress self-hosted sites like this one, and I set it up to work with all three (at the time) of my sites. They were more secure, so I was happy.
Until I had to replace my phone, that is.
The one problem with Google Authenticator, is that it doesn’t sync to your account like other Google apps do. Why I don’t know, but when you need to replace your device, it is a big problem – especially if you don’t have backup codes.
With the login plugin gone, the error message now read “You can only log in with a verification code”, which told me that the 2FA plugin had malfunctioned. Getting rid of that fixed the problem, and I could finally get back into my problem sites.
2FA: There has to be a better way
Turns out there is: a plugin by miniOrange.
Initially setting it up is a bit of a pain – you need to register for an account, then download the app to set up your phone with it. Once you’re done, though, you can choose other ways to authenticate your details when you next log in – as quoted from the plugin page:
- You can login using username + password + two-factor or username + two-factor.
- Two-Factor can be enabled for administrators as well as all users.
- It can be deployed for your entire userbase in minutes.
- All types of phones are supported Smart Phones (iPhone, Android, BlackBerry), Basic Phones, Landlines, etc.
- If your phone is lost or stolen or discharged, we offer alternate login methods like OTP Over Email.
- If your phone is offline, you can use a one time passcode generated by app to login.
- It offers inline registration of users so you can simply activate and configure the plugin and you are all set.
- We support multi factor authentication for all type of phones.
- Soft Token, QR Code Authentication,Push Notification are supported by miniOrange Authenticator App.
- Google Authenticator method is supported by Google Authenticator App.
Backup methods – that’s more like it!
Google Authenticator is still needed for other sites, like Dropbox and WordPress.com, but at least those sites have backup methods. Self-hosted WordPress sites are a different animal, so more care is needed when securing your site.