Have you ever wondered how popular sites like Facebook and Google are giving you the ability to add two-factor authentication to improve security? Similarly, you can add two-factor authentication to your WordPress site also. Two-Factor Authentication (2FA) or Two-Step Verification is an additional layer of security you can add to your WordPress login pages to further harden the overall security of your WordPress site. With 2FA it is virtually impossible for attackers to hijack your WordPress site, even if they guess the password.
Why Add Two-Factor Authentication for WordPress Login?
Single-factor authentication is when a website requires just a user ID and password to log in. In this case, an attacker can gain entry to a site by simply guessing the right login credentials. Two-factor authentication protects your site from cybercriminals and brute force attacks by reconfirming a user’s identity upon login.
One of the most common tricks hackers use is called brute force attacks. By using automated scripts, hackers try to guess the right username and password to break into a WordPress site. Two-factor authentication prevents your site from cybercriminals and these brute force attacks by reassuring a user’s identity upon login. Specifically, multi-factor authentication requires each user to obtain a verification code from their smartphone to complete the login process.
In this article, we are going to show you how to add two-factor authentication to WordPress using a two-factor authentication plugin. Let’s dive in.
Plugins That Help Add Two-Factor Authentication
There are several plugins that can help you add two-factor authentication such as
- WP 2FA – Two-factor authentication for WordPress by WP White Security
- Google Authenticator by Ivan Kruchkoff
- Google Authenticator – WordPress Two Factor Authentication by miniOrange
- Two Factor Authentication by UpdraftPlus
- Secured WP by WP-Secured
- Two-Factor by Plugin Contributors
Guide to Add Two-Factor Authentication Using WP 2FA
Now we will show you how to add two-factor authentication using the WP 2FA plugin.
First, you need to install and activate the WP 2FA – Two Factor Authentication for WordPress plugin.
After activating the plugin, follow the configuration steps. Click on ‘Let’s get started!’ option to start the configuration process.
Next choose which two-factor authentication method you want to activate – one-time code via 2FA App or email or both. Choose the option via 2 FA App only if you have access to a smart phone. You can also choose whether you want to enable backup codes to log in to the website in case the primary 2Fa method is unavailable. Then click on ‘Continue Setup’.
Select if you want to enforce 2FA for all, some, or none of the users. When 2FA is not enforced, users will still have the option to set up 2FA if they want to, but it will not be mandatory.
If you would like to exclude individual user(s) or users with a specific role, you can exclude them in the next step.
Next select the grace period you want to provide your users with. By default, users for whom 2FA is enforced are given a 3-day grace period to set up 2FA. It can be extended, reduced, or even removed entirely from the plugin’s settings.
Then click ‘All Done’.
Users that have 2FA enforced will be prompted to configure 2FA the next time they log in. Depending on plugin configuration, users will be asked to choose between one-time code generated with app and on-time code send over email.
If they choose one-time code to be generated by an app (which is more secure), the wizard will provide a key, which the user must scan using their chosen authentication app.
Once completed click the ‘I’m Ready’ button to complete the process. The next time the user logs in, they will need to use 2FA to log in to WordPress successfully.
Setting up an Authenticator app for your WordPress 2FA
An authenticator app generates a temporary one-time password for the accounts that you save in it. There are many such apps available for free. Let’s take Google Authenticator as an example.
First install the Google Authenticator app on your smart device. The app is available on both Google Play and Apple Appstore. Basically, all you need to do is launch the Google Authenticator app on your phone. Give it permission to access the camera on your phone so that it can scan the QR code.
Tap the add new website icon (a plus sign), and select ‘Scan a QR code’ to scan the QR code. It will now save your website account and show a one-time password that you can use to log in.
Enter this password/authentication code in the window that opens when you click the ‘I’m Ready’ button in the above step. Then select ‘Validate & Save Configuration’ option.
There is an amazing option to generate and save the backup codes. These codes can be used in case you don’t have access to your phone. You can print or download these backup codes and keep it somewhere safe.
It’s always good idea to generate backup codes, otherwise if you ever loose access to your Google Authenticator app, your phone etc you will get locked out of your website. You can use one of the backup codes to login to your website in case you cannot get a one-time code from the Google Authenticator app.
Logging in to WordPress with 2-factor authentication
The next time you need to login to your WordPress, after typing in the credentials you will be asked for a one time code. Simply launch the Google Authenticator app and type in the code.