The Trusted Devices module provides an additional layer of security against Stolen Session Cookie attacks, a common threat in WordPress websites.
When an unrecognized device attempts to log in, you are notified and can confirm the device via email or from the admin bar.
Key features include optional email notifications for unrecognized logins, restricting capabilities on unrecognized devices, protection against session hijacking, and seamless integration with two-factor authentication to remember trusted devices.
Settings:
When Trusted Devices is ON, you’ll see two settings that can be turned on/off:
- Restrict Capabilities — This lets you restrict a user’s administrator-level capabilities, and prevent them from editing their login details, while they are logged in on an unrecognized device.
- Note: This requires the “Unrecognized Login” email notification to be enabled within the Solid Security Notifications.
- Session Hijacking Protection — Session hijacking, sometimes called cookie hijacking, is a strategy used by attackers to take control of your account while you are using it, effectively becoming its owner. Enabling this setting can prevent session hijacking by ensuring that a user’s device does not change during a session.
- If a user’s device changes during a session, Solid Security will automatically log the user out to prevent any unauthorized activity on the user’s account, such as changing the user’s email address or uploading malicious plugins. You can find more information about Session Hijacking here.
How do Trusted Devices work?
After enabling the Trusted Devices module, administrators will see a Login Alerts tab in the WordPress admin bar with pending unrecognized devices.
When you're logged in on an unrecognized device and Restrict Capabilities is enabled, you will see a prompt from Solid Security informing you that you're currently in Unrecognized Login Mode.
You can either confirm the device or choose to continue the session with limited access.
Depending on the environment, Solid Security can also inform you via the Login Alerts tab.
Clicking either the "Send confirmation email" button or "confirm this device" link will trigger an Unrecognized Login email notification with a button to approve/disapprove a device.
Note: You'll need to log in again after confirming a device.
Optional Email Notification
In addition to the WordPress admin login notice, an Unrecognized Login email notification (optional but recommended) can also alert you whenever an unrecognized device has been used to log in.
To receive this email notification, first, you’ll need to enable the “Restrict Capabilities” Trusted Devices setting.
Then, go to Security > Notifications > Unrecognized Login and enable it.
WordPress User Profile with Trusted Devices Info
You can manage your trusted devices via the WordPress User Profile page.
If a device is marked as “Pending”, you can update it to either “Approved” or “Denied”. But once a device is approved/denied, the status cannot be changed. Solid Security can also auto-approve a device if it recognizes it as similar enough to an existing trusted device.
Administrators can see the Trusted Devices of the site users and approve/deny a device. This is helpful when you, an admin, cannot fully access the site because the Trusted Devices module has kicked in and, for some reason, cannot confirm the Unrecognized Login email; another admin can then approve the device for you.
Note: Users are recommended to approve or deny devices via the Unrecognized Login email notification. The Trusted Devices list in the Profile page is intended as a support tool for site administrators if a user locks themselves out accidentally.
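The rules described above (pending/approved/denied device states that become final once decided, auto-approval of a device that looks similar enough to an approved one, withheld capabilities in Unrecognized Login Mode, and forced logout when the device changes mid-session) modelled in a small, constructed Python example. This is an added illustration, not Solid Security's code; the device attributes used for the fingerprint, the "similar enough" rule and the capability names are assumptions.

```python
# Constructed model of the Trusted Devices rules described on this page; not Solid Security's code.
import hashlib
from dataclasses import dataclass, field

PENDING, APPROVED, DENIED = "pending", "approved", "denied"
# Assumed set of capabilities withheld in Unrecognized Login Mode (illustrative names).
RESTRICTED = {"install_plugins", "edit_users", "edit_own_login_details"}

def device_attrs(user_agent: str, ip: str) -> dict:
    # A device is described by its browser string and its /24 network, so a
    # DHCP address change on the same network does not look like a new device.
    return {"ua": user_agent, "net": ".".join(ip.split(".")[:3])}

def device_id(attrs: dict) -> str:
    return hashlib.sha256(f"{attrs['ua']}|{attrs['net']}".encode()).hexdigest()[:16]

@dataclass
class TrustedDevices:
    devices: dict = field(default_factory=dict)  # device_id -> (attrs, status)

    def login(self, attrs: dict) -> str:
        """Record a login and return the device status. Unknown devices start
        as pending; one that matches an approved device on everything but the
        network is auto-approved as 'similar enough' (assumed rule)."""
        did = device_id(attrs)
        if did in self.devices:
            return self.devices[did][1]
        similar = any(s == APPROVED and a["ua"] == attrs["ua"] for a, s in self.devices.values())
        self.devices[did] = (attrs, APPROVED if similar else PENDING)
        return self.devices[did][1]

    def decide(self, did: str, status: str) -> None:
        """Approve or deny a pending device; a decided status is final."""
        attrs, current = self.devices[did]
        if current != PENDING or status not in (APPROVED, DENIED):
            raise ValueError("device status can only move from pending to approved or denied")
        self.devices[did] = (attrs, status)

def effective_capabilities(status: str, granted: set) -> set:
    """Restrict Capabilities: on anything but an approved device, admin-level
    and login-detail capabilities are withheld for the session."""
    return set(granted) if status == APPROVED else set(granted) - RESTRICTED

def session_still_valid(session: dict, attrs: dict) -> bool:
    """Session Hijacking Protection: the session is only honoured while the
    device bound at login is unchanged; a False result means force a logout."""
    return session["device"] == device_id(attrs)
```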
Integration with Two-Factor Authentication
Trusted Devices powers Solid Security’s “Remember Me” setting in Two-Factor Authentication. If the device doesn’t look the same, users are forced to re-enter their Two-Factor code instead of bypassing it.
To have the “Remember Me” option during login, you'll need to enable the “Allow Remembering Device” option in Security > Settings > User Groups.
Note: While remembering devices is convenient, it is more secure to require users to enter a new Two-Factor token each time they log in.