In the Feature Spotlight posts, we are going to highlight a feature in iThemes Security Pro and share a bit about why we developed the feature, who the feature is for, and how to use the feature.
Today we are going to cover Magic Links, a useful website security feature in the iThemes Security Pro plugin that is designed to improve user experience with iThemes Security’s brute force protection.
What are Magic Links?
iThemes Security Pro is great at locking out bad guys. However, if a bad guy used the username “Bob” in a brute force attack, and Bob is an actual user on the site, Bob would, unfortunately, be locked out along with the attacker.
The next time Bob tries to log in, he is met with the iThemes Security lockout message. If Bob is the site administrator, he would either have to wait for the lockout to expire or manually disable iThemes Security Pro via FTP.
If Bob is your client, he is likely to overestimate the seriousness of the lockout, and frantically reaches out to you, wondering why you let his site get hacked. This would require you to explain that this is evidence of you protecting their site and then clearing the lockout using Sync Pro or logging into the site and clearing the lockout from the iThemes Security widget to allow him to log in again.
Even though it feels great to stop bad guys from breaking into a site, we don’t like it when security affects the experience of real users. So, we wanted to create a way to allow Bob to login even when his username has been used in a brute force attack. We never want a site manager to have to spend their valuable time clearing lockouts.
Magic Links Explained
Magic Links allow you to log in to your WordPress site while your username is locked out by the iThemes Security Local Brute Force Protection feature.
When your username is locked out, you can request an email with a unique login link. Using the emailed link will bypass the username lockout for you, while brute force attackers are still locked out.
3 Reasons You Need Magic Links for Your WordPress Site
Here are three great reasons you need magic links for your WordPress site:
- Real users can potentially get locked out of your website if a brute force attack occurs with their username. Because of the way that iThemes Security brute force protection works, real usernames can potentially get locked out. This means they’ll have to either wait for the lockout to expire or contact a website admin to manually release the lockout for them.
- Magic links allow users to bypass lockouts of their username by sending them an email with an authorized login link. This secure login link allows a user to log in successfully.
- Eliminates the need for a website admin to release a user’s lockout before they can login. Free your team from mundane tasks like removing the need to manually clear a lockout.
Are Magic Links Secure?
Yes. iThemes Security delivers the Magic Link email to the email address associated with the username, so an attacker would also need access to the email account of the user. Once the Magic Link is clicked, a username and password must still be entered successfully to login to your WordPress website. Plus, if you have Two-Factor Authentication enabled (which we highly recommend), Magic Links require this secondary code to successfully log in.
How to Use Magic Links in iThemes Security Pro
To get started with Magic Links, navigate to the security settings’ Features menu and enable Magic Links.
If you encounter a lockout after enabling Magic Links you will be presented with an option to send a Magic Link to your email address.
Simply click the “Send authorized login link” link to receive your Magic Links email.
Once you receive the email, use the link, enter your credentials and you will be back in your site!
Note: You’ll still need to enter both your username and password to successfully log in from the Magic Link in the email.
Wrapping Up: Get iThemes Security Pro Today!
As you can see, both Magic Links can add a strong layer of security to your site without any added inconvenience. Magic links helps make sure bad actors and bots are locked out, but real users can log in.
Kristen has been writing tutorials to help WordPress users since 2011. As marketing director here at iThemes and Restrict Content Pro, she’s dedicated to helping you find the best solutions to build and run effective WordPress websites. Outside of work, Kristen enjoys journaling (check out her side project, The Transformation Year!), hiking and camping, cooking, and daily adventures with her family, hoping to live a more present life.