Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @glashsix, thanks for your question!

    We did receive feedback on how to improve our 2FA secret handling from an independent security researcher during 2022, and have implemented some improvements based on this feedback. At no point were 2FA secrets directly threatened – any exploitation would have required an attacker to have already compromised a site database, which would involve finding an unpatched SQL injection vulnerability on a site as well as bypassing the Wordfence firewall’s built-in SQL injection protection.

    For the vast majority of our users’ threat models, having functional, easy-to-use 2FA is a significant security improvement. The implementation improvements simply added additional roadblocks to slow down an attacker in the extremely unlikely event that they made it past the first few security layers. We strive to align our implementation with best practices to the maximum extent practical in a WordPress environment while maintaining compatibility for as many customers as possible.

    Thanks,
    Peter.

    Thread Starter sel

    (@glashsix)

    Hi Peter,

    I understand. Thank you for your answer and clarification.

    Bests

    Plugin Support wfpeter

    (@wfpeter)

    No worries, always happy to help. If you have further Wordfence questions in future, by all means start up a new topic any time.

    Peter.

  • The topic ‘Wordfence 2FA implementation question’ is closed to new replies.