
Fortress Overview

Security Modules

  1. Authentication
  2. Password Security
  3. Rate limiting
  4. Session Management
  5. Code Freeze

These three things may change how you and your team members work:

  1. 2FA is required for administrators and editors. It is not optional.
  2. Password resets are disabled by default for administrators and editors; a reset must be requested from our support.
  3. For anyone working inside the site for extended periods: by default, 10 minutes after authenticating (configurable), a session drops to a lower-privilege state. Users can still navigate the admin UI, but sensitive changes such as installing or deleting a plugin or starting to edit a post require them to authenticate again.

And a stricter password policy:

  • Passwords can be between 12 and 4096 characters, with no character restrictions and full Unicode support.
  • Password strength is enforced; weak passwords are rejected.

2FA Rate Limiting

By default, the system allows five failed 2FA attempts (configurable). The failed-attempts counter is reset only by a successful 2FA login, not by the passage of time.

If the threshold is exceeded, the user account is "locked", which means:

  • Destroying all sessions (including the current one) for the associated user.
  • Resetting the user's password to a completely random one.
  • Sending the user an email about the incident.
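The limiter and lock sequence above, as a standalone model in Python (an added example; this is not Fortress or WordPress code). The default of five allowed failures, the reset-on-success rule and the three lock actions follow the page; the class names, the in-memory user store and the mail outbox are constructed stand-ins for the real backends:

```python
"""Model of a 2FA attempt limiter that locks the account once the threshold is exceeded.

Added example, not Fortress/WordPress code. UserStore, TwoFactorLimiter and the
sample user "alice" are constructed for the demo.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class UserStore:
    passwords: dict = field(default_factory=dict)  # user_id -> stored credential (stand-in)
    emails: dict = field(default_factory=dict)     # user_id -> address
    sessions: dict = field(default_factory=dict)   # user_id -> set of live session tokens
    outbox: list = field(default_factory=list)     # (address, subject) pairs "sent"

    def destroy_all_sessions(self, user_id: str) -> int:
        count = len(self.sessions.get(user_id, set()))
        self.sessions[user_id] = set()             # including the session attempting 2FA
        return count

    def set_random_password(self, user_id: str) -> None:
        # A long random secret nobody knows; the user must go through the
        # support-issued reset link to regain access. A real store keeps a hash.
        self.passwords[user_id] = secrets.token_urlsafe(48)

    def notify(self, user_id: str, subject: str) -> None:
        self.outbox.append((self.emails[user_id], subject))


class TwoFactorLimiter:
    """Counts consecutive failed 2FA attempts per user; locks when the count exceeds max_failures."""

    def __init__(self, store: UserStore, max_failures: int = 5):
        self.store = store
        self.max_failures = max_failures
        self.failures: dict[str, int] = {}
        self.locked: set[str] = set()

    def record_success(self, user_id: str) -> None:
        # Only a successful 2FA login clears the counter; it never decays with time.
        self.failures.pop(user_id, None)

    def record_failure(self, user_id: str) -> bool:
        """Register one failed 2FA attempt. Returns True if this attempt locked the account."""
        if user_id in self.locked:
            return False
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        if self.failures[user_id] > self.max_failures:
            self._lock(user_id)
            return True
        return False

    def _lock(self, user_id: str) -> None:
        self.locked.add(user_id)
        self.store.destroy_all_sessions(user_id)
        self.store.set_random_password(user_id)
        self.store.notify(user_id, "Account locked after repeated failed 2FA attempts")
        self.failures.pop(user_id, None)


def demo() -> dict:
    """Constructed scenario: near-miss followed by success, then a sustained attack."""
    store = UserStore(
        passwords={"alice": "hash-of-correct-horse"},
        emails={"alice": "alice@example.com"},
        sessions={"alice": {"tok-laptop", "tok-phone"}},
    )
    limiter = TwoFactorLimiter(store)
    for _ in range(4):                      # four wrong codes ...
        limiter.record_failure("alice")
    limiter.record_success("alice")         # ... then the right one: counter cleared
    after_success = limiter.failures.get("alice", 0)
    outcomes = [limiter.record_failure("alice") for _ in range(6)]  # attacker with the password
    return {
        "after_success": after_success,
        "locked_on_attempt": outcomes.index(True) + 1,
        "sessions_left": len(store.sessions["alice"]),
        "password_changed": store.passwords["alice"] != "hash-of-correct-horse",
        "mails_sent": len(store.outbox),
    }
```

The lock fires on the sixth consecutive failure (five are allowed). Destroying the current session too matters: the attacker already holds the first factor, so leaving the half-authenticated session alive would let them keep guessing codes from it.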

Password Security

Secure password hashing

  • WordPress core (before version 6.8) stores passwords with the phpass "portable" scheme: a salted MD5 hash iterated 8,192 times. MD5 is fast and GPU-friendly, so these hashes can be cracked far more quickly than a modern memory-hard hash, and the scheme is no longer considered secure.

  • Fortress replaces this with a modern hashing scheme. The secret keys it uses are stored encrypted on the server's file system, not in the database, so a leaked database dump alone does not give an attacker what is needed to attack the stored hashes.

Password policies

  • Passwords can be between 12 and 4096 characters, with no character restrictions and full Unicode support.
  • Disabling password resets for privileged users
    • Admins and editors cannot request a password reset or change their password from the admin UI. If they need a new password, contact us and we will send a secure reset link.
    • This prevents an attacker who has compromised a privileged user's login from using the reset flow to change the password and take the account over permanently.

Rate Limiting

Rate limiting is a technique that controls how many requests a client may make to a system or service in a given period, both to prevent overload and to blunt malicious activity such as credential guessing.

Our system restricts the number of login attempts and password reset requests to protect against these attack vectors.

Secure Sessions - The most common source of a site hack

WordPress authenticates users with cookies that carry a session token linked to a server-side WordPress session. An attacker who obtains a valid cookie, by intercepting network traffic or with malware on the user's infected computer, is logged in as that user without ever knowing the password. Many infostealers are built for the sole purpose of harvesting cookies.

To defend against this:

  • Absolute timeout: a session expires once its absolute lifetime has passed, regardless of user activity.
  • Token rotation: to limit what a stolen token is worth, after a set period (default 20 minutes) the current session is copied to a new session token and the old token is invalidated. A token stolen earlier stops working at the next rotation.
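The two controls above, as a standalone model in Python (an added example; this is not Fortress or WordPress code). The 20-minute rotation interval follows the page; the one-hour absolute timeout, the class names and the injected clock (`now` in seconds) are assumptions made for the demo:

```python
"""Session store with an absolute timeout and periodic token rotation.

Added example, not Fortress/WordPress code. The absolute timeout value and the
injected clock are assumptions; the rotation interval (20 min) follows the page.
"""
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Session:
    user_id: str
    created_at: int    # when the user authenticated; never moves on rotation
    rotated_at: int    # when the current token was issued
    data: dict         # application state carried across rotations


class SessionStore:
    def __init__(self, absolute_timeout: int = 3600, rotation_interval: int = 20 * 60):
        self.absolute_timeout = absolute_timeout
        self.rotation_interval = rotation_interval
        self._sessions: dict[str, Session] = {}   # token -> session

    def create(self, user_id: str, now: int) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, now, now, {})
        return token

    def resolve(self, token: str, now: int) -> Optional[Tuple[Session, str]]:
        """Validate a presented token.

        Returns (session, token_to_set_in_cookie), or None if the token is not valid.
        Absolute expiry wins over activity; rotation replaces the token but keeps created_at.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session.created_at >= self.absolute_timeout:
            del self._sessions[token]              # active or not, the session is over
            return None
        if now - session.rotated_at >= self.rotation_interval:
            new_token = secrets.token_urlsafe(32)
            self._sessions[new_token] = Session(
                session.user_id, session.created_at, now, dict(session.data)
            )
            del self._sessions[token]              # the old token is now worthless
            return self._sessions[new_token], new_token
        return session, token


def demo() -> dict:
    """Constructed scenario: a cookie stolen at login, observed across rotation and expiry."""
    store = SessionStore(absolute_timeout=3600, rotation_interval=20 * 60)
    legit = store.create("alice", now=0)
    stolen = legit                                     # attacker copies the cookie at t=0

    early_stolen = store.resolve(stolen, now=600)      # within 20 min: still valid
    _, fresh = store.resolve(legit, now=1300)          # user is active: rotation issues a new token
    stolen_after = store.resolve(stolen, now=1310)     # old token gone
    fresh_ok = store.resolve(fresh, now=1310)          # new token works, same login time kept
    at_limit = store.resolve(fresh, now=3600)          # absolute timeout reached (created_at=0)

    return {
        "stolen_valid_before_rotation": early_stolen is not None,
        "rotated_token_differs": fresh != legit,
        "stolen_valid_after_rotation": stolen_after is not None,
        "fresh_valid_after_rotation": fresh_ok is not None,
        "login_time_preserved": fresh_ok[0].created_at == 0,
        "valid_after_absolute_timeout": at_limit is not None,
    }
```

Rotation shrinks the window in which a harvested cookie is useful to at most one interval, but it is a race: whichever party presents the token first after the interval receives the new one, and the other is logged out. Treating an unexpected logout of a privileged user as a signal worth investigating is therefore part of using this control well.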