
Eliminate Unintended Consequences from Site Admin Authentication

2FA is an essential and highly effective security measure to protect the integrity of your website.

If the past 12 months have taught us anything, it’s that “worst-case scenarios” can’t be viewed as distant, unlikely-to-ever-happen occurrences. 

For web developers and website owners, worst-case scenarios can take many forms — with data breaches and hacking ranking high on the list. Recent Security magazine figures indicate that every 39 seconds, a website gets hacked, and far too often, the security measures that are put in place to ensure the integrity of a website can give rise to unintended consequences.  

One example: if 2FA (Two-Factor Authentication) utilizing the popular and highly recommended iThemes Security Plugin is in place for WordPress administrators, and not configured properly, there’s a risk of site administrators being temporarily locked out as a result of authentication emails not being received. This occurs when iThemes Security is deployed in conjunction with an SMTP (Simple Mail Transfer Protocol) provider, such as SendGrid, and the number of authentication emails sent exceeds the allowable limits of the free or paid tier subscription plan account. 

There are essentially two strategies for avoiding this scenario.  

Direct authentication messages to a mobile app

Using a mobile app for 2FA, when possible, instead of an email account, represents a simple and highly effective fix. We recommend that site administrators configure their primary 2FA provider to use a mobile app, such as Google Authenticator, in order to minimize the number of login authentication emails sent via SendGrid or other paid tier SMTP providers.

Other recommendations for reducing/redirecting authentication emails include limiting the number of default recipients and regular auditing to ensure that authentication emails are not being sent to inactive users.

Don’t skimp when selecting a SendGrid email API plan tier

SendGrid offers free and paid email API plan tiers.

The free tier allows for 100 emails per day, but this limit can be reached and exceeded far more quickly than is often anticipated. Once the daily limit is reached, site administrators stop receiving email authentication notifications, and contact-form responses and security notifications stop arriving as well.

Paid tier pricing for SendGrid email API Plans is very reasonable and we recommend that clients select a paid plan. The Essentials plan should be sufficient for a marketing website. For an e-commerce site that has a heavy volume of sales or customer activity, or if the potential for a surge or significant increase in volume is anticipated, the Pro plan is probably the best choice.

Keep in mind that regardless of the plan tier, there is still a per-email cost associated with every security authentication email — costs that can be eliminated entirely when a mobile authentication app is used instead of email. Another factor to consider: if spambots start hijacking contact forms, there can be a sudden surge of emails that far exceed normal, operational expectations. Mobile authentication protects against this possibility, as well.
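To make the quota failure mode and the audit recommended above concrete, the following Python is an added example (not code from the post, iThemes, or SendGrid). It replays a constructed outbound-mail log against the 100-per-day free-tier figure the post cites, lists the administrators whose 2FA email would have been dropped, shows which message category consumed the budget (a contact-form burst), and flags 2FA recipients who have not logged in within 90 days. The log format, the category names, and the last-login map are assumptions.

```python
from datetime import date, datetime

FREE_TIER_DAILY_LIMIT = 100  # per-day figure the post cites for SendGrid's free tier

def build_sample_log():
    """Constructed outbound-mail log, '<ISO timestamp> <category> <recipient>' per line:
    a few 2FA codes, then a contact-form spam burst that exhausts the day's quota
    before the last administrator's 2FA code is sent."""
    day = "2021-03-02"
    lines = [f"{day}T08:0{i}:00 2fa admin@example.com" for i in range(3)]
    lines += [f"{day}T09:{i:02d}:00 form sales@example.com" for i in range(60)]
    lines += [f"{day}T10:{i:02d}:00 form sales@example.com" for i in range(40)]
    lines.append(f"{day}T11:00:00 2fa editor@example.com")  # message 104 of the day
    return "\n".join(lines)

def parse_log(text):
    for line in text.splitlines():
        ts, category, recipient = line.split()
        yield datetime.fromisoformat(ts), category, recipient

def simulate_quota(entries, limit=FREE_TIER_DAILY_LIMIT):
    """Replay entries in time order; any message beyond `limit` in a day is dropped."""
    sent_per_day, result = {}, []
    for ts, category, recipient in sorted(entries):
        sent_per_day[ts.date()] = sent_per_day.get(ts.date(), 0) + 1
        result.append((ts, category, recipient, sent_per_day[ts.date()] <= limit))
    return result

def blocked_2fa_recipients(text, limit=FREE_TIER_DAILY_LIMIT):
    """Administrators whose 2FA email never arrives: the lockout the post describes."""
    return sorted({r for _, cat, r, ok in simulate_quota(parse_log(text), limit)
                   if cat == "2fa" and not ok})

def quota_consumers(text):
    """Messages per category, to see what is actually burning the daily budget."""
    counts = {}
    for _, category, _ in parse_log(text):
        counts[category] = counts.get(category, 0) + 1
    return counts

def inactive_2fa_recipients(text, last_login, as_of, max_idle_days=90):
    """2FA recipients with no login within `max_idle_days`; `last_login` is a
    constructed {recipient: ISO date} map standing in for the WordPress user table."""
    cutoff = date.fromisoformat(as_of)
    recipients = {r for _, cat, r in parse_log(text) if cat == "2fa"}
    return sorted(r for r in recipients if r not in last_login
                  or (cutoff - date.fromisoformat(last_login[r])).days > max_idle_days)
```

Raising `limit` to a paid-tier figure, or removing the `2fa` category from the log entirely (the mobile-app route), empties the blocked list; the inactive-recipient check is what the periodic audit should run.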

Ensure that security is aligned with operational efficiency

2FA is an essential and highly effective security measure to protect the integrity of your website. Proactively configuring iThemes Security’s Notification Center, in combination with restricting authentication methods to mobile authenticator apps, is an essential strategic step to ensure that security measures do not wreak havoc on daily business operations.
