Hardening the Security on GEN
PCI Compliance
We installed WordFence on sandbox GEN to scan the site for issues with the following settings:
Message sent on 7/9 to support asking whether we can schedule WordFence to scan certain folders instead of the whole site, since a full scan takes too long.
We also changed the performance settings:
Rate Limiting
Located on the same page as above. All the WordFence settings are in the same place. We changed the following settings:
Login Security/Enforcing of Strong Passwords
Because of the strong-password enforcement we enabled in WordFence (it lives on the same options page as Rate Limiting, under Brute Force Protection), admins can no longer create or update accounts with weak passwords. To test it, I went to Users on sandbox and edited an existing account. I clicked Set New Password to reveal the new password field, entered password as the password, which is a very weak password as shown below, and ticked the Confirm use of weak password box:
I then scrolled down and clicked the Update button, and the following message appeared:
Sandbox will no longer allow weak passwords even if this box is checked.
This is due to the settings in WordFence that we're testing
RCP - Login Security on forms created by other apps
The form lives here: https://sandbox.genengnews.com/create-your-gen-account/?level=2
No effect. I was able to create a free GEN account with a weak password; I used password as the password for this test.
RCP has an add-on to enforce strong passwords at registration: https://wordpress.org/plugins/rcp-strong-passwords/
Formidable: Login Security on forms created by other apps
Some effect. https://www.genengnews.com/get-the-gen-digital-magazine - this form creates accounts for those who fill it out, and the strong-password enforcement does affect it.
I filled out the form, put password as the password and submitted it. This is the message that appeared:
It does not say that the password is not strong enough, and it is not spam blocking that rejects the entry; it is the weak password. I did several tests with real and fake names, all using password as the password, and the same message appears until you enter a stronger password and submit.
This is not ideal because it does not tell the user what is wrong. We need to look at the Formidable settings to see whether we can fix that.
It looks like we can. The form has settings for what is required in the password (I checked them for testing; they were not checked on the original form):
What effect do those settings have on the form and the messaging?
The changes to the settings above will result in the following changes on the form:
Login Security on forms created by other apps - LoginPress
No effect. I logged in with a free account I had created through RCP (GEN Edge sign-up form) whose password was password, but I was not prompted to change the weak password to a stronger one.
There are no options to force someone who has a weak password to create a stronger one at login. These are the only options I have found, and they do not address the weak password problem. Not sure if this is a deal breaker.
Login Security on forms created by other apps - BuddyPress/my account area
Some effect.
When I hovered over Howdy, name and clicked Profile from the drop-down,
then clicked to update my password:
It would not accept a new weak password. I tried password1, but it did not pop up a message asking for a stronger password or explain why it rejected the password; it did not even say that it had not accepted the password. There was no success message, but there was no error message either. I logged out and tried to log back in using password1, but that did not work. I was able to log in using password, which was the password I was trying to change.
Need to look at the BuddyPress settings.
Found this, but we may not need to do anything for BB if we can enforce strong passwords elsewhere: https://buddydev.com/support/forums/topic/enforce-strong-passwords-in-buddypress-general-settings/
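The RCP, Formidable and BuddyPress tests above all show the same gap: those forms create or change passwords without going through the check WordFence applies in wp-admin, and when a password is rejected the user is not told why. The mu-plugin below is an added example written for these notes (it is not WordFence, RCP, Formidable or BuddyPress code) that applies one server-side policy on each of those paths and returns a message naming the failed rule. The 12-character minimum and the deny-list values are assumptions chosen for this example; the core hook user_profile_update_errors is real, while the RCP hook/field names (rcp_form_errors, rcp_user_pass, rcp_errors()), the Formidable filter frm_validate_field_entry and the BuddyPress filter bp_members_validate_user_password are assumptions that must be checked against the installed plugin versions.

```php
<?php
/**
 * Plugin Name: GEN strong password policy (added example for these notes)
 * Drop into wp-content/mu-plugins/. Assumptions: thresholds below are
 * placeholders; plugin hook names marked "assumed" must be verified.
 */

defined( 'ABSPATH' ) || exit;

const GEN_PW_MIN_LENGTH = 12; // assumed; matches the PCI DSS v4.0 minimum
// Tiny deny-list built from the values used in the tests above (constructed);
// a real deployment would use a breached-password list.
const GEN_PW_DENYLIST = array( 'password', 'password1', 'password123', 'qwerty', '123456' );

/**
 * Return human-readable reasons a password fails the policy; an empty
 * array means it passes. Pure function so it can be unit-tested.
 */
function gen_password_policy_errors( $password, $user_login = '', $user_email = '' ) {
    $errors = array();
    $lower  = strtolower( $password );

    if ( strlen( $password ) < GEN_PW_MIN_LENGTH ) {
        $errors[] = sprintf( 'Password must be at least %d characters long.', GEN_PW_MIN_LENGTH );
    }

    // Strip trailing digits and symbols so "password1" matches "password".
    $stem = rtrim( $lower, '0123456789!@#$%^&*.-_' );
    if ( in_array( $lower, GEN_PW_DENYLIST, true ) || in_array( $stem, GEN_PW_DENYLIST, true ) ) {
        $errors[] = 'That password is too common; choose one that is not a dictionary word.';
    }

    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        $classes += preg_match( $re, $password ) ? 1 : 0;
    }
    if ( $classes < 3 ) {
        $errors[] = 'Use at least three of: lowercase letters, uppercase letters, digits, symbols.';
    }

    // Reject passwords containing the username or the part of the email before "@".
    $mailbox = strtolower( (string) strstr( (string) $user_email, '@', true ) );
    foreach ( array( strtolower( (string) $user_login ), $mailbox ) as $frag ) {
        if ( strlen( $frag ) >= 4 && strpos( $lower, $frag ) !== false ) {
            $errors[] = 'Password must not contain your username or email address.';
            break;
        }
    }
    return $errors;
}

/** Copy policy failures into a WP_Error so the calling form displays them. */
function gen_add_password_errors( WP_Error $errors, $password, $login = '', $email = '' ) {
    foreach ( gen_password_policy_errors( $password, $login, $email ) as $i => $msg ) {
        $errors->add( 'gen_weak_password_' . $i, $msg );
    }
    return $errors;
}

// Core: Users > Add New / Edit User / Profile in wp-admin (new password is $_POST['pass1']).
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    $pw = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    if ( $pw !== '' ) {
        gen_add_password_errors( $errors, $pw, $user->user_login ?? '', $user->user_email ?? '' );
    }
}, 10, 3 );

// RCP registration form (assumed: rcp_form_errors action, rcp_user_* fields, rcp_errors()).
add_action( 'rcp_form_errors', function ( $posted ) {
    $pw = isset( $posted['rcp_user_pass'] ) ? (string) $posted['rcp_user_pass'] : '';
    if ( $pw === '' ) {
        return; // RCP reports the empty-password case itself.
    }
    $login = isset( $posted['rcp_user_login'] ) ? (string) $posted['rcp_user_login'] : '';
    $email = isset( $posted['rcp_user_email'] ) ? (string) $posted['rcp_user_email'] : '';
    foreach ( gen_password_policy_errors( $pw, $login, $email ) as $i => $msg ) {
        rcp_errors()->add( 'gen_weak_password_' . $i, $msg, 'register' );
    }
} );

// Formidable entry validation (assumed: frm_validate_field_entry filter, field type 'password').
add_filter( 'frm_validate_field_entry', function ( $errors, $field, $value ) {
    if ( 'password' === $field->type && is_string( $value ) && $value !== '' ) {
        $reasons = gen_password_policy_errors( $value );
        if ( $reasons ) {
            $errors[ 'field' . $field->id ] = implode( ' ', $reasons ); // shown under the field
        }
    }
    return $errors;
}, 10, 3 );

// BuddyPress signup / password change (assumed: bp_members_validate_user_password filter).
add_filter( 'bp_members_validate_user_password', function ( $errors, $pass, $confirm, $userdata ) {
    $login = is_array( $userdata ) && isset( $userdata['user_login'] ) ? $userdata['user_login'] : '';
    $email = is_array( $userdata ) && isset( $userdata['user_email'] ) ? $userdata['user_email'] : '';
    return gen_add_password_errors( $errors, (string) $pass, $login, $email );
}, 10, 4 );
```

With this in place, password from the RCP test fails three rules (length, deny-list, character classes) and password1 from the BuddyPress test still fails the deny-list and class rules, and in each case the form receives the reason text instead of the silent rejection seen in the Formidable and BuddyPress tests. The 12-character minimum is the PCI DSS v4.0 requirement 8.3.6 floor, which is why it was chosen for this example. The check runs only when a password is created or changed; it does not cover the LoginPress case above of forcing an existing account with a weak password to change it at login.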