Better Web Security Means Less Convenience – For Now

The web makes our lives more convenient. We can order a T-shirt or a pizza with a few clicks. We can conduct global research without leaving our seats. It has changed the way we do just about everything.

As web designers, we seek to add even more convenience. We employ systems to “remember” users. We store customer information in the cloud. These features make it easier for people to get things done.

A seamless user experience is the goal. It’s both well-intentioned and potentially lucrative. There is often a cost when it comes to security, though.

Malicious actors are taking advantage of this convenience. Methods like stealing session cookies are prevalent. Thus, staying logged into your website is a risk.

That’s just the tip of the iceberg. Indeed, making the web more secure means less convenience. Here are a few examples of what that looks like. In addition, we’ll talk about why these measures may be temporary.

Using Two-Factor Authentication Everywhere

It’s becoming harder to avoid two-factor authentication (2FA). This method is in place just about everywhere – including your WordPress site.

The idea makes perfect sense. The extra layer of authentication means a hacker needs more than a username and password. They can’t access your account without a 2FA code.

However, 2FA is far from perfect. The aforementioned stolen session cookies are proof. A hacker with a valid cookie can bypass other login requirements.

Plus, 2FA is a hassle for users. Think about all the extra time it takes to log into each website you use. It makes people want to stay logged in – and run the risk of a stolen session cookie.

Help may be on the horizon. Passkeys are poised to simplify the login process – while maintaining top security.

Passkeys rely on a user’s device to replace a username and password. Users authenticate using the same method they use to unlock their devices. PINs and biometrics are examples.

That may ease the burden. But we’re likely to be stuck with current methods a while longer.

Two-Factor Authentication has become a popular, if limited, security practice.

Locked down WordPress Files

The theme and plugin ecosystem are a big part of WordPress. You can add new items or update existing ones. It’s all done within a single dashboard. Once again, it’s a very convenient feature.

The problems start when a user account is compromised. A malicious actor can add all manner of malware. And they don’t have to be an administrator. Some vulnerabilities allow a lesser user to bypass WordPress permissions.

The answer appears to be locking down your WordPress install. For example, a site may allow its staging environment to write to files. That would allow you to add or update software. But it would also be protected by an HTTP login.

The production site would allow for uploading media files – but nothing else. That means any theme or plugin installations must come from staging first. The same goes for updates.

Yes, it’s an extra step. But it’s one worth taking. This method not only increases security. It is also a best practice for testing. It could prevent issues for mission-critical sites.

Not every web host offers staging, though. Or an easy way to lock down an install. But this may be the best option until something better comes along.

Speaking of that, security providers are devising new strategies. That could provide a balance between security and ease of use.

Hackers are taking advantage of writable file systems.

Limiting Code Execution within Site Content

Sometimes, we need to execute code within a site’s content. For example, we might embed JavaScript from an advertising network into a blog post.

WordPress facilitates this via its Custom HTML block. Some plugins enable adding code snippets as well.

It’s a handy feature. You can add all sorts of third-party widgets that engage users. They might also produce revenue.

It’s also an easy way to introduce malicious code. WordPress tries to sanitize input. However, not all themes and plugins follow best practices. Unsanitized code could infect your site – and impact users.

Limiting code execution is one way to prevent security issues. You might disable the Custom HTML block, for instance. You could also create HTTP security headers at the server level.

Artificial intelligence (AI) could soon be a factor. A tool that can detect malicious code in real-time might prevent a successful attack. That would empower users without creating as many security concerns.

 Allowing users to embed code into content is risky.

A Secure Website Requires Sacrifice

Security puts web designers in a difficult position. We strive to build great user experiences. We want to help our clients to do their jobs with ease.

But we also want our websites to be secure. That requires us to make some difficult decisions. Do we sacrifice convenience for safety?

The answer appears to be “yes” for now. Insecure login methods and writeable folders are risky. So is allowing users to execute code within their content. And it seems that malware continues to thrive in these environments.

As such, closing these avenues of attack makes sense. Even if it creates extra hurdles for users.

We can still hope for a better future, though. The advent of passkeys and AI-driven security might be just what we need. Their time can’t come soon enough.