Two Factor Authentication

I did a search and saw someone else asked about this in 2018. Any chance 2 factor authentication could be implemented for the admin account?

My main site is a wordpress based web site and it regularly gets hammered. This morning there were over 20 attempts to get in. Fortunately I use Wordfence that locks them out, as well as 2 factor authentication on my phone.

I just made my sytist password extremely long (over 30 characters) out of a genuine fear that my Sytist site which generates most of my revenue now, has minimal protection should it get targeted for brute force attacks.

However the ability to lock people out after a set number of brute force attempts, as well as 2 factor authentication would be very appreciated for peace of mind.

This is more elegant than asking my hosting company to institute a VPN tunnel and admin log in rules for me that would prevent any unauthorised internet log ins

Edited by

I have very similar concerns and would appreciate the hardening of the security of sytist with totp. captcha isn't enough.

Edited Mon Sep 19, 22 2:58 AM by Trailboy

Until such security features are available, I thought I'd share some of the things I do to help security and would be interested in hearing what other people do too.

SSL is a must.

Change the default login page address, don't advertise, or link it, and even exclude it from robots.txt and sitemaps.

I filter visitors by country, I only allow a handful of countries to even connect to my site. My clients are in Canada so they need to be able to connect, and I monitored the main search engine crawlers to find out which other countries and IP addresses I needed to allow as to not adversely impact my #1 position on google, bing etc. Outside that, I block everyone else, especially the "problem countries" where attacks generally originate such as Russia, China and the entire African continent. If they don't even know you are there, they can't get you!

Disable or severely limit SSH access to your host(s).

Make regular backups of your site and databases.

Use harsh DMARC policies on your domains, and 2 factor on your email - avoiding free services that harvest your data (such as google, hotmail etc).

As these are all things you can do now, it might give you some comfort until site specific solutions are developed.

Edited by

Much thanks.

Looking at this, most of this are things I need to discuss with my hosting company.

SSL isn't a problem. I think Google has us over a barrel with this and most modern browsers have made it next to impossible to be non-SSL and expect to stay in business.

I will need to talk to my hosting company about the default login page. Are you meaning its port value?

VPNs render blocking countries difficult now. Many of the hack attacks on me come from the USA, Canada, UK, Germany, Finland, and South Korea, as well as Ukraine and Russia which were once considered the home of these things. Curiously African nations as well as India are conspicuously absent in these attacks even through they are notorious. So the usage of VPNs by these people has made it difficult. Incidentally I am based in Malaysia, and I see hackers geo-tagged from here as well and I cant block them either.

SSH done

Back ups: Yes..regularly

DMARC - Google...how I hate thee. Many of my clients use Google and something in an email i sent to one f my customers triggered something in Google that has caused them to black list my main domain. I have friends involved i the set up of my countries email servers, as well as setting up for publically listed companies, ad after reviewing the "offending emails" told me that Googles algorithms are a god unto themselves. I have to use Gmail now sadly in my communications.

I do hope others have ideas, but 2 factor would really help me sleep better. Not sure why the admins have been silent on this topic. Hopefully they have it in the works.

Edited by

Just replying to some of your questions:

Usually the default login is www.website.com/sy-admin. You can change this through the sytist options as it wouldn't take a hacker very long to find it once they look through the documentation on here.

China, Russia and Africa accounted for over 90% of my websites port sniffing before I blocked them, so that's my personal experience. You can ban VPN's by assigning known public VPN lists to your firewall rules, and you can block source ports that are synonymous with VPN protocols (like port 500). I don't personally bother because since blocking almost every country, I get next to no port sniffing.

Regarding Google, it's usually wise to use a 2nd domain for email, I've bought mine, I just haven't migrated over to it yet but it's in the works! Not getting flagged as junk is a wholesome topic in itself, which constantly evolves, but having strong email credentials (two factor, no data harvesting) stops people getting into your other accounts as easily.

Tim's a one man band from what I gather, I think he's done a great job with sytist as my website, features etc all far exceed that of my competitors. I really can't speak for him, but I'm assuming that sytist has gotten so big and complex now, just keeping it up to date with PHP, HTTP, payment portals and the other constantly evolving things that make up the internet take up most of his time. He does add improvements, but if you look at the requested features thread he'd need an army to keep up. I wish there was a way to sponsor feature requests, perhaps once the request is "approved" (Tim confirming it would be possible and compatible) then people could pledge how much they would be willing to invest to have it developed sort of like a go fund me. I assume the money would be spent on additional resources to make it possible. I might go add that to the feature request thread now!

Edited by