Setup Layer

SafeStep

One step. Total security.

Two-factor authentication for WordPress, built to RFC 6238.

Problem

What does it solve?

WordPress sites face millions of brute force attacks daily. Even strong passwords are not enough — a single data breach can leave you exposed.

Solution

How SafeStep works

SafeStep adds a second authentication layer using RFC 6238 TOTP — the same standard used by Google, GitHub, and banks. Compatible with Google Authenticator, Authy, and any TOTP app.

Detailed Documentation

The Anatomy of a Brute Force Attack

WordPress sites face millions of brute force attacks every day. Attackers run automated tools that try thousands of username and password combinations. Even with a strong password, a single data breach can leave you exposed.

Two-factor authentication mitigates this risk at its root. Even if your password is stolen, no one can access your account without the second factor. SafeStep installs that second layer using the RFC 6238 standard — the same protocol used by Google, GitHub, and major banks.

RFC 6238: Industry-Standard TOTP

SafeStep implements the Time-based One-Time Password (TOTP) protocol per RFC 6238. This produces 6-digit codes that refresh every 30 seconds. Codes are generated locally on your device — they are never transmitted to the server. A captured code is invalid 30 seconds later.

It works with Google Authenticator, Authy, Microsoft Authenticator, and any TOTP-compatible app — including Bitwarden, Aegis, and 1Password. You don't need to install a special app — your existing authenticator works.

AES-256-CBC Encryption

SafeStep encrypts TOTP secret keys using the AES-256-CBC algorithm. The encryption key is derived from WordPress's AUTH_KEY constant. In this architecture, even if your database is compromised, secret keys cannot be decrypted — the attacker would need access to both your database and your wp-config.php file.

Backup codes are stored hashed with bcrypt. Each code is single-use and becomes invalid after use. This ensures that even if backup codes are stolen, an attacker cannot reuse them.

Role-Based Enforcement

SafeStep lets you define different 2FA policies for different user roles. You can require 2FA for the Administrator role, leave it optional for editors, and disable it entirely for authors and subscribers.

You can define a grace period during which users without 2FA are prompted to set it up at next login. After the grace period expires, accounts that haven't configured 2FA are automatically locked.

Hidden Door Integration

When SafeStep and Hidden Door are used together, login security is protected by two independent layers. Hidden Door obfuscates the login page URL, so an attacker cannot even find the login page. SafeStep then stands as a second authentication layer against any attacker who does find it. Together, these two layers form a strong defense against brute force and credential stuffing attacks.

SafeStep automatically detects whether Hidden Door is active and adapts to its URL hiding mode. No additional configuration is required.

CVSS-Based SLA

SafeStep applies a CVSS-based prioritization system to security vulnerabilities. For critical vulnerabilities scored CVSS 9.0 and above, a 24-hour response and patch commitment is provided. This is a standard expected of enterprise security products and is rare among WordPress plugins.

HMAC-SHA256 Activity Log

All 2FA activation operations and successful or failed login attempts are recorded in an HMAC-SHA256 signed activity log. This log meets audit trail requirements under ISO 27001 A.8.15. Log records are viewable from the admin panel and can be exported as CSV.
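How an HMAC-SHA256 signed activity log can be produced and checked, as an added example that is not SafeStep's code: each record is signed over a canonical serialization, and verification reports rows whose MAC no longer matches (edited) and gaps in the sequence numbers (deleted). The signing key, the sample events and the sequence-gap check are constructed assumptions, not details taken from the plugin.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a server-side signing key kept outside the database.
LOG_KEY = b"constructed-demo-log-key"

# Constructed sample events of the kinds the page says are logged.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00Z", "user": "admin", "event": "2fa_enabled"},
    {"ts": "2024-01-01T10:05:12Z", "user": "admin", "event": "login_success"},
    {"ts": "2024-01-01T10:06:40Z", "user": "editor", "event": "login_failed"},
]


def _canonical(record: dict) -> bytes:
    # Sorted keys and fixed separators: the MAC must cover a deterministic byte string.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(key: bytes, seq: int, event: dict) -> dict:
    """Attach a sequence number, then a hex HMAC-SHA256 over all other fields."""
    record = {"seq": seq, **event}
    record["mac"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record


def build_log(key: bytes = LOG_KEY, events=SAMPLE_EVENTS) -> list:
    return [sign_record(key, i, e) for i, e in enumerate(events)]


def verify_log(key: bytes, records: list) -> list:
    """Return a list of problems; an empty list means every row is intact
    and the sequence is contiguous."""
    problems = []
    expected_seq = 0
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            problems.append(f"seq {rec.get('seq')}: MAC mismatch (record altered)")
        if rec.get("seq") != expected_seq:
            problems.append(f"expected seq {expected_seq}, found {rec.get('seq')} (record missing)")
        expected_seq = rec.get("seq", expected_seq) + 1
    return problems


if __name__ == "__main__":
    log = build_log()
    print("clean log:", verify_log(LOG_KEY, log))
    log[2]["event"] = "login_success"  # edit a row after signing
    print("edited log:", verify_log(LOG_KEY, log))
```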

Compliance Notes

  • ISO 27001:2022 — A.8.5: Secure authentication. The TOTP second factor satisfies this control.
  • ISO 27001:2022 — A.8.3: Information access restriction. Role-based 2FA policy.
  • ISO 27001:2022 — A.8.15: Logging. HMAC-SHA256 activity log.
  • ITIL v4 — Access Management: User access control and authentication.
  • COBIT 2019 — DSS05: Security services management.

Features

Technical scope

  • RFC 6238 TOTP — industry standard
  • AES-256-CBC secret encryption (AUTH_KEY derived)
  • Bcrypt-hashed single-use backup codes
  • Role-based 2FA enforcement and grace period
  • HMAC-SHA256 signed activity log
  • CVSS-based 24-hour response for critical vulnerabilities
  • Auto-integration with Hidden Door
  • Compatible with Google Authenticator, Authy, Microsoft Authenticator

Compliance

International standards

SafeStep is built to three international frameworks.

  • ISO/IEC 27001:2022 Information Security Management
  • ITIL v4 Service Management
  • COBIT 2019 Governance & Risk

FAQ

Frequently Asked Questions

How does the one-time payment work?

You pay $39 once and the plugin is yours forever. All updates included. No annual subscription, no hidden fees, no auto-renewal.

Which WordPress versions does it support?

WordPress 5.8 and above, PHP 7.4 and above. Optimized for PHP 8.0+.

Is there English support?

Yes. Contact satis@wp-tr.com.tr for English and Turkish support. P1 critical issues receive a 4-hour response commitment.

Take your WordPress site seriously.

11 plugins. Three compliance frameworks. One-time payment. Bilingual support.