Improve WordPress security by controlling access with Latch

Last week a WordPress vulnerability was disclosed that, under certain conditions, allows an attacker to take control of a site by remotely resetting its password. The details are very well explained in this article from hackplayers.com.

Testing this vulnerability on a test site seemed like a good opportunity to talk about Latch and its WordPress-compatible plugin, which lets you add an extra layer of security to the login. In this way, once the tool is configured, even if your password is stolen or changed, nobody will be able to access the blog.

Latch has been with us for several years. It is a great tool developed by the people at ElevenPaths (the company led by @chemaalonso) that lets us add a second authentication factor to a wide variety of online services, from email to bank accounts.

In WordPress its configuration is very simple and takes no more than 5 minutes. Basically you have to create a Latch account, install the plugin in WordPress and configure it. I am not going to explain the installation step by step, since it is perfectly explained in this document (pdf).

Once Latch is operational, user logins have a second authentication factor: even if the username and password are entered correctly, WordPress will not be accessible until access is enabled from the Latch app:

The blog can only be accessed once it is unlocked from the mobile app.

Something very interesting is that if someone tries to log in with the real password while the site is locked by Latch, an alert is sent indicating that an attempt has been made to access the service. In addition, the app keeps a log with the date and time of all detected activity.
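To make the mechanism concrete, here is an added illustration (not code from the Latch plugin or from ElevenPaths) of a WordPress mu-plugin that applies the same idea: a per-user lock checked only after WordPress has verified the password, so a correct password against a locked account is refused, logged and reported. The meta key names, the mail wording and the use of the admin e-mail as alert recipient are assumptions of this example.

```php
<?php
/*
 * Plugin Name: Lock-state login gate (illustration)
 * Illustrates the Latch idea described above: a per-user "lock" that is
 * checked AFTER the password has been verified. Not Latch's code; the
 * meta keys and the mail wording are assumptions made for this example.
 */

// Meta key holding the lock state ('locked' / 'unlocked'); assumed name.
const LOCK_META_KEY = 'login_lock_state';
// Meta key holding the attempt log (array of entries); assumed name.
const LOCK_LOG_KEY  = 'login_lock_log';

/**
 * Runs at priority 30, i.e. after WordPress's own username/password
 * handlers (priority 20). If $user is a WP_User here, the password was
 * correct; that is exactly the case a lock must still refuse.
 */
function lock_gate_authenticate( $user, $username, $password ) {
    if ( ! ( $user instanceof WP_User ) ) {
        return $user; // wrong credentials or an earlier error: nothing to gate
    }
    $state = get_user_meta( $user->ID, LOCK_META_KEY, true );
    if ( 'locked' !== $state ) {
        return $user; // account is unlocked from the app: let the login through
    }

    // Record the attempt with timestamp and source address, then alert.
    $entry = array(
        'time' => current_time( 'mysql' ),
        'ip'   => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        'user' => $username,
    );
    $log   = get_user_meta( $user->ID, LOCK_LOG_KEY, true );
    $log   = is_array( $log ) ? $log : array();
    $log[] = $entry;
    update_user_meta( $user->ID, LOCK_LOG_KEY, $log );

    wp_mail(
        get_option( 'admin_email' ),
        'Login blocked while account locked',
        sprintf( "Valid password used for '%s' at %s from %s, but the account was locked.",
                 $username, $entry['time'], $entry['ip'] )
    );

    // Generic message to the client: do not reveal that the password was right.
    return new WP_Error( 'account_locked', 'Login is currently disabled for this account.' );
}
add_filter( 'authenticate', 'lock_gate_authenticate', 30, 3 );
```

Dropping the file into wp-content/mu-plugins/ and setting a user's login_lock_state meta to locked is enough to see the refusal and the e-mail; the real plugin replaces the meta lookup with a query to the Latch service.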

It's worth using not only because of the vulnerability I mentioned at the beginning, but also because a WordPress password can be compromised in several ways: for example through brute-force attacks, or because an attacker sniffing our network captures the password in plain text as it travels over unencrypted HTTP. Such attacks can be carried out in a hotel, a restaurant, an airport and even in our own home if a neighbour knows the Wi-Fi password.

Finally, it is worth mentioning that there are also plugins that limit login attempts, such as Limit Login Attempts, and others that send an alert every time a login occurs, such as Wordfence and Sucuri Security.

For more information about Latch in WordPress, I recommend reading this article, which explains the changes the plugin makes to the database.