Requesting 2FA - system to be built into the CMS

Hi their People

with the state of the online sercuity now, and the need for 2FA or simila protocals on logins and useless users being given access. I belive that the CMS needs to have more built in sercuity options like 2FA, or at least free addons to support it. I hate wordpress but they at least have multiple addons to handle sercuirty options from firewalls and IP blocking and Geo Location etc avaiable not only for free addons but paid ones.

I have over 20+ Sites customers using Concrete5 and I have not had any real issues so far, but with the dramitic increasse in sites hacks this year and bots hitting all the servers and sites. I woudl love to have some better sercuirty options avaiable for at least the Big Corp Sites I Do .

All I have found so far is a couple of 2FA addons which are expensive for what they seem to do, and so far very little V9 support for addons.

Please advise
Carl a

1 Like

For the kind of budget a big corp site should have, the 2FA addons in the marketplace represent excellent value, costing less than the equivalent of an hour or two of professional developer time and better value still for multiple sites with a 5-pack. They also cost less than the price of a typical corporate lunch.

An advantage of addon packages from an active developer over extending core functionality is that an active developer will provide a personal support contact and fix problems a lot more quickly than waiting for the next core version.

And since I’m the developer behind the 2 2FA packages in the marketplace, I would add that they are both very well supported and work with v9.

Also, I’m not sure what you mean by “for what they seem to do”. Is there anything else you’d like them to do?

@carl101lee I’m unfamiliar with the WordPress environment (I don’t like it either), but a quick Google search shows that they provide 2FA, and you can enable the plugin for free.

The approach of colleagues above for around $65/100 (I understand they are defending their wallet), or developer hours, the client’s wallet wealth argument is unacceptable to me, proving that they do not understand the problem and miss the point.

I also assume that this is not the position of the Portland Team @frz .

In my opinion, your query is definitely worth considering, and a response from the people at Portland Labs.
Major CMS systems (WordPress/Drupal/Wix… or Webflow) have had this bundled for years.

In my opinion, 2FA should be a bundled option these days. Especially if you have the US Army or .gov in your portfolio.

ps. I’ve written about it before.
Moderators should not sell their products - it’s not ethical.

Thank you people

Yes I do believe, In my opinion better options for built in security should be included. I also think that a cookie system should be built in. As I am in the EU and this is a requirement for all sites and their is a big lack of add-on to support these options and GDPR management. -
But i see your point about it that developers and Paid add-on can get updated quicker. So I can see that being an option, but V9 has so little add-on available ATM, and i am recommending to all my clients they need to keep it up-to-date to keep the server secure. Long gone are the days a web site can sit their for 5 years just working, with no updates.

I would be happy to Purchase a Improved security Feature add-on which does more like a lot available on wordpress(even if its sh**). Their is a huge range of features to help prevent hacking on their sites.

I would be happy to pay the $20-30 for a basic 2fa - But for the $60-90 mark i would expect a security package that includes some of these you get on free Wordpress plugins.

Auto IP - blocking
Geo-location restrictions blocking (Russia and china) .
file permissions checkers
Database Injections protection
Web App Firewalls
Live traffic reports - with login attempts - enforcing google recaptcha v2/v3 on logins and signups if more that 2 failed attempts - With active IP blocking
Custom login urls/ removals of standard admin users
HTTP Headers

I have 20 + Sites which I need to secure and as a server manager and developer the cost of putting 2FA on all my sites is going to mostly hit me… I can bill out the big corp sites and they will pay it… Even if it takes them 2 months to actually pay, but all my smaller sites is gonna have to come out of my pocket, because i believe this to be a must do. Due to the huge amount of online hacking currently hitting my servers, and the smaller sites(clients) wont want to pay out.

Concrete 5 out the box should have basic 2FA/Cookie System and GDPR protocols - Other wise it puts the set-up of a basic 5 page site cost to $200 of add-on’s before you even get started.

Personal I would be happy to buy an advanced security add-on that did a bit more.

Thanks all . - Don’t get me wrong this CMS is so much better than most. I Work and manage a number of sites from joomla/wordpress/Perl/ and more, and concrete is my preferred CMS.


1 Like

FYI I’ve purchased one of the 2FA systems and it works great - even on the latest version of Concrete. From a cost perspective, it doesn’t seem like that much to build into a cost of a site if required.

Of course, like anything it’s always nice when included.


In the UK it is compulsory.
If I may suggest a free solution recommended by UK ICO - Cookie Control from CIVIC | CIVIC UK

Configuration on the website, but also via GTM (better) is quite simple.

What an interesting conversation !
Having recently been hacked ( they were very clever ) I was very interested. At present I’m turning everything on my laptop and mobile to 2FA.
I no longer have many sites, getting too old but have one or two which I will put the 2FA on for the clients.
Very interesting and I will look into the free GDPR. I live in Greece.

@ampersand because I defended the fact that my work was very well-supported and asked for clarification on a specific comment? Really?

@carl101lee I understand your position and the need for all the things you listed.

What I would point out is that what you’re describing is a full-fledge security plugin, not just 2FA. Some of what you are asking for already exists in Concrete (Auto-IP blocking, Database injection protection, IP blocking on failed login)
I would also point out that Concrete and WP don’t have the same outreach or market share, so comparing price points might be a bit unfair.

@mnakalay I will try to be very precise.
In this particular case, no one points to direct links to products, which is already a significant improvement in the forum.

However, the only products on Marketplace that address a user’s issue are yours.

I understand your line of defense for the product – I also don’t know what more to require from a 2FA plug.
I also understand your arguments that the user @carl101lee did not check what Concrete CMS has in the package. He should, before he made his arguments about other safeguards - it’s strange.

I will say more.
Your contribution to solving user problems is invaluable (John’s as well) – thank you for that, I think I will not be alone in this.
You’re doing a great job – thanks for that.

However, I will now try to answer your main question on a matter of moderators related to ethics in particular.

Hmmm. How to put it so as not to offend anyone again?
Maybe preferably according to the definition.

" Volunteering is a voluntary act of an individual or group freely giving time and labor for community service."

  • A conflict of interest in volunteering may arise where the volunteer acts in his or her own interest or in the interest of a third party rather than in the interest of the organisation or person he or she is facilitating.

Of course, I do not know 100% what the relationship between Portland Labs and moderators looks like – I do not need this knowledge for anything, but the declaration that moderators are volunteers is already binding for me. This declaration also leads me to mention the potential conflict of interest in this and several previous cases.
The marketplace is for sale products, there’s plenty of room to do it - I believe we can do it better.

I am aware that my opinion may adversely affect the status quo prevailing here, and I may meet with ostracism, which I think I have even begun to experience, but in my opinion, it is more important to develop this project (Concrete CMS) so that it is more user-friendly than supplying developers’ coffers.
I think that’s a transparent point of view.

By the way – to everyone supporting Concrete CMS.
I am happy that you find time, you have the desire to help – it is glorious and invaluable.
You have reasons to be proud.
Yes, it’s volunteering. Thank you for that.

Could it be that the philosophical questions surrounding being a moderator and what it means to volunteer are a bit tangential in this particular thread?

Mind you, I’m never against a deeper dive into the philosophical aspects of behaviours in forums, whenever such a discussion arises, but a separate thread might be the better idea for this.

I think we have an answer, regardless of if it was “sold” or not. There are two 2FA solutions in the marketplace, at a price that some might find a bit steep.

I agree, in this day and age, that it would be nice if there was some 2FA solution built into ccms by default, but we aren’t there today. What happens going forward, if someone wants to volunteer time and effort… I guess we’ll have to see.

1 Like

Proposition/Suggestion (With Many IF, AND, THEN Statements)

Just a thought. Perhaps a version of open-source->commercial cooperation has been suggested before.

IF a developer creates an add-on deemed worthy and vital to the ConcreteCMS Core;
AND the developer is willing to sell the code;
AND Portland Labs accepts the quality of the code;
AND Portland Labs is willing to maintain the code in the Core;
THEN the developer can set an asking price and paid by date;
IF open-source users pool resources and meet the developers terms;
THEN open-source users get the function they desired;
THEN Portland Labs gets a desired function;
THEN the developer compensated and relieved from future version maintenance;

This is not a philosophical question, but a precise answer to the question of conflict of interest.
Of course, as above, I agree 100% that 2FA should be in the core.

I agree. We have to wait for it.

This is a very interesting approach.
I don’t know how it works between Portland Labs and developers, but your point of view seems to make sense and benefit everyone.

Maybe someone’s opinion from the core would be useful - can it work like this?
@EvanCooper, can you tell us how it works now?

@ampersand I think this is a good query to submit for the upcoming Town Hall :+1:

1 Like

@EvanCooper can you ask this question?
I think you will do it much better than me, and I don’t want to be the only one asking these uncomfortable questions :wink: