Two Factor Authentication (2FA) For WordPress
It’s vital to create a strong password to secure your WordPress website. However, a password alone won’t deliver adequate protection against many threats that pose a serious risk to your site, such as brute force attacks.
If unauthorized users gain access to your back end, you may lose your website, and even put your visitors at risk. For this reason, you need a plan to maintain WordPress security.
Using Two Factor Authentication (2FA), you can add an additional layer of security to your WordPress sites. It’s relatively simple to set up, and this feature will significantly reduce the risk of unauthorized users gaining access to your site.
In this post, we’ll introduce 2FA and explain how it can be used in WordPress. We’ll then show you how to implement this feature using plugins.
Let’s get started!
What Is Two Factor Authentication (2FA) For WordPress?
Two Factor Authentication (2FA) is a layer of security that requires both a password and an additional verification of the user’s identity. This verification comes from something only the authorized user can access, such as text and voice messages, email links, QR codes, or push notifications. 2FA is secure, because attackers don’t have access to these external channels.
Why Do I Need Two-Factor Authentication?
Two-factor authentication (also known as two-step authentication or two-step verification) helps prevent bad actors from gaining access to your sites and potentially hurting your business. It’s a second line of defense to help keep the bad guys out and ensures that even if your password is compromised, your account will remain secure as long as that second factor stays out of reach for an attacker.
WordPress two factor authentication is an opt-in feature, meaning you only have to use it if you want to. But it’s free, and it adds an extra layer of protection, so why not?
How Does 2FA for WordPress Work?
On a typical (i.e. non-2FA) WordPress login page, the user enters a username and password and is automatically granted access to the website’s back end. This means anyone who figures out your username and password can easily gain access to all aspects of your website.
As mentioned above, 2FA can help prevent this from happening. So how does it work in WordPress?
With 2FA set up, when you enter your password and username on the login page, a notification will be sent to your phone or email address. This notification will contain a one-time pin, or possibly a link or QR code.
To access the website, you then must do as the text message or email instructs—such as clicking on the link or entering the PIN on your site.
How Secure Is 2FA?
When compared to standard password protection, 2FA is much more secure.
After all, it requires leveraging something you alone possess (your phone, your private email account, etc) in order to gain access to your site. This means the likelihood of a website hack is reduced, making 2FA the best way to better prevent various security issues (particularly brute force attacks).
Now that you understand the benefits of 2FA and how it works, let’s discuss how you can actually incorporate this feature into your WordPress site.
How Do I Get Started with Two Factor Authentication?
If you’re a WP Engine customer, you can enable 2FA in the WP Engine User Portal. If your site is not hosted on WP Engine, you can still implement a two factor authentication method (or even a multi-factor authentication method), but it requires the help of WordPress plugins.
WordPress 2FA Plugins
As a WP Engine customer, you can implement 2FA via the User Portal. Non-WP Engine users can also implement 2FA, but it requires the help of WordPress plugins. Here are a few WordPress 2FA plugin options you can try out for yourself.
Rublon Two-Factor Authentication is a simple 2FA WordPress plugin, enabling you to rapidly secure your website against unauthorized logins.
When first logging into your WordPress account with the security plugin installed, you’ll be required to click the verification link that’s sent to your email address. You can then choose to save your device, which means you’ll no longer need to verify your identity while using the same browser.
This is an excellent option for websites with only one user, although it can be applied to multi-user websites as well (if you upgrade to the paid version).
Pros: This plugin offers one-click installation and activation, and requires no configuration or training.
Cons: It only supports email verification, which can be less secure than text messages or push notifications.
Cost: The personal (one website) plugin is free, but a business (multi-website) version can be purchased by contacting the sales team.
As one of the more advanced 2FA plugins, Duo Two-Factor Authentication enables you to set up 2FA based on WordPress user roles.
For example, you can require that Authors and Editors use 2FA to log in, while Subscribers just need to enter their password.
Duo Two-Factor Authentication also provides various options for verification, including via SMS, a mobile app, or a phone call.
Pros: This plugin supports user role configuration, and includes various verification methods.
Cons: There’s no support for WordPress Multisite and this plugin has not been tested with the latest version of WordPress.
Price: The free plugin enables 2FA for up to 10 users on your website, but you can increase that limit starting at $3 per user per month.
Finally, miniOrange’s Google Authenticator offers a variety of verification methods to protect your website from unauthorized access—including QR codes, email messages, and push notifications.
As with Duo Two-Factor Authenticator, you can use this plugin to set 2FA for specific user roles.
miniOrange’s Google Authenticator can be configured to require a username, strong password, and factor, or just a username and factor.
Pros: This plugin supports specific-role 2FA, and offers a wide array of verification methods (including QR, SMS, phone calls, and push notifications).
Cons: The free version is fairly limited in terms of features.
Cost: The free plugin offers 2FA for only one user, but you can upgrade starting at $15 per year.
It’s important to remember that your WordPress website is only as secure as your Admin login page, and a password alone is not enough. Implementing a two-factor authenticator can help keep your site visitors safe.