Release Note: 2FA Codes Encrypted for Existing Security Pro Users

We’re releasing iThemes Security Pro 7.3.2 today. This maintenance update will initiate a phased rollout that encrypts 2FA secret codes in the WordPress database by default.

Historically, iThemes Security did not encrypt the random secret codes for two-factor authentication in the database. This meant that an attacker who could leverage a hypothetical read-only SQL injection vulnerability to read those secrets, and who had also compromised a user's password, could bypass the 2FA protections for that user.

In October 2022, we added support for encrypting 2FA secrets. At the time, encryption was enabled by default for all new installs. Since then, existing installs have been shown a notice in the Security Message Center, dismissible for 30 days at a time, prompting users to enable encryption. Our intention at the time was to automatically turn this feature on as a default setting for existing installs once we were confident it would not be disruptive.