Virgil Pure WordPress Plugin

Introduction | Features | Installation | How To Use Plugin | F.A.Q | License | Support

Introduction

<p><img src="https://cdn.virgilsecurity.com/assets/images/github/logos/pure_plugin.png" align="left" hspace="0" vspace="0"></p>

Virgil Pure WordPress Plugin is a free tool that protects user passwords from data breaches and both online and offline attacks, and renders stolen passwords useless if the database is compromised.

Virgil Pure is based on a powerful and revolutionary cryptographic technology that provides stronger and more advanced security than salting and hashing, and it can be used within any database or login system that uses a password, so it's accessible for businesses of any industry or size.

Learn more about the Pure technology here.

Features

Available

Coming soon

Installation

Currently the plugin is available only for PHP 7.2 and PHP 7.3!

To install the Pure Plugin you need to go through the following steps:

Step #1. Add the crypto extensions into your server before using the Plugin

Extension installation example

Our web stack is: Linux, nginx, php7.2-fpm

Now it's time to add the Virgil Pure Plugin to your WordPress project.

Step #2. Install Virgil Pure WordPress Plugin

The Pure Plugin should now be activated:

<p><img src="https://raw.githubusercontent.com/VirgilSecurity/virgil-pure-wordpress/master/_help/s-4.png" width="70%"></p>

How To Use Plugin

Set up Credentials

To start working with the plugin, in the plugin tab on your WordPress dashboard, you'll need to input some credentials in the corresponding fields via the following steps:

Generate Recovery Keys

You'll need to generate a recovery key so that the password hashes that are currently in your database can be recovered if you ever need to deactivate the Pure plugin. Your recovery key will encrypt the original password hashes, and the encrypted values will be stored in the wp_usermeta table in your database.

The recovery key utilizes a public and private key pair. The public key will be stored in your database and the private key must be stored by you securely on another external device. Please read our FAQ section for best practices and more information.
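
The key split described above, as an added illustration in PHP (not the plugin's own code). It assumes libsodium sealed boxes, bundled with PHP 7.2+, as a stand-in for Virgil's scheme; the function names, user ID and hash value are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Assumes libsodium sealed boxes
// (bundled with PHP 7.2+); the user ID and hash below are constructed samples.

// One-time setup by the site owner: generate the recovery key pair.
$keypair    = sodium_crypto_box_keypair();
$publicKey  = sodium_crypto_box_publickey($keypair);  // stays in the site database
$privateKey = sodium_crypto_box_secretkey($keypair);  // moved to an external device
sodium_memzero($keypair);

// Migration: the web server seals each original hash using only the public key,
// so a copy of the database alone cannot be used to read the hashes back.
function seal_original_hash(string $userPass, string $publicKey): string
{
    return base64_encode(sodium_crypto_box_seal($userPass, $publicKey));
}

// Recovery: opening a sealed value needs the private key as well.
function recover_original_hash(string $sealed, string $publicKey, string $privateKey): ?string
{
    $raw = base64_decode($sealed, true);
    if ($raw === false) {
        return null; // stored value is not valid base64
    }
    $keypair = sodium_crypto_box_keypair_from_secretkey_and_publickey($privateKey, $publicKey);
    $plain   = sodium_crypto_box_seal_open($raw, $keypair);
    return $plain === false ? null : $plain; // false means wrong key or altered record
}

// Constructed sample row: user ID => WordPress-style password hash.
$users = [42 => '$P$BconstructedSampleHashValue0000000'];

$usermeta = [];
foreach ($users as $id => $hash) {
    $usermeta[$id] = seal_original_hash($hash, $publicKey); // hypothetical meta value
}

// Recovery with the private key fetched from the external device.
var_dump(recover_original_hash($usermeta[42], $publicKey, $privateKey) === $users[42]);

// Recovery attempted with an unrelated private key: authentication fails.
$otherPrivate = sodium_crypto_box_secretkey(sodium_crypto_box_keypair());
var_dump(recover_original_hash($usermeta[42], $publicKey, $otherPrivate));
```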

Migration

Migration is the process by which the plugin requests cryptographic data from the Virgil server to associate user passwords (user_pass) with cryptographic enrollments provided by the server. New enrollment records are then created and stored in your database (wp_usermeta) in place of the user passwords.

Once the Pure plugin is configured in your system, simply click the "Start migration" button to start the migration process.

Records Update (optional)

This function allows you to use a special UPDATE_TOKEN to update all of the enrollment records in your database. This action doesn't require changing user passwords or modifying the scheme of the existing table.

Navigate to your Pure application panel at Virgil Dashboard, press "BEGIN ROTATION PROCESS", then press the "SHOW UPDATE TOKEN" button to get the UPDATE_TOKEN. Insert the UPDATE_TOKEN into the field on the Virgil Pure plugin tab.

This can be used when a database is known to be breached. For security reasons, we recommend proactively updating records every week.

Recovery (optional)

When you need to deactivate the Pure plugin, you can go through the Recovery process via the WordPress dashboard and use the recovery key to restore the original password hashes in place of the cryptographic values generated by the Pure plugin.

F.A.Q.

- Do users have to change their passwords if the database has been compromised?

If a database has been stolen, users do not need to change their original passwords. However, you will need to rotate all user records in your database. This will use cryptography to disconnect the compromised Pure records from the original passwords, leaving any unauthorized party empty-handed.

- How does the Recovery Key work?

The Recovery Key is a key pair that allows you to recover the original user password hashes if you ever need to deactivate the Pure plugin. The Recovery Key encrypts the password hashes, and the encrypted values are stored in the wp_usermeta table in your database.

The Recovery Key utilizes a public and private key pair. The public key is stored in the wp_options table and the private key must be stored by you securely on an external device.

- How much does it cost?

Pure is a FREE toolkit. All libraries are open source and can be found on GitHub, where they are available for free to any user.

- What if an App Private Key gets lost?

There is no way to restore the APP_SECRET_KEY. The database records become inaccessible and therefore useless. So, it is highly recommended that you immediately create a backup of the key in a secure location to avoid losing it.

License

See LICENSE for details.

Support

Our developer support team is here to help you. Find out more information on our Help Center.

You can find us on Twitter or via email at support@VirgilSecurity.com.

Also, get extra help from our support team on Slack.