Adding Two-Factor Authentication to your WordPress Website

By now you’ve no doubt run across two-factor authentication on at least one online service that you use. But did you know that you could do the same thing with your WordPress site? In fact, it’s a pretty straightforward process that you can set up in just a few minutes.

What Is Two-Factor Authentication?

Two-factor authentication (also referred to as 2FA; a specific case of multi-factor authentication) is an additional layer of security that keeps an attacker out of your online accounts if your password alone is somehow compromised: the password is no longer enough on its own. Of course, the number one way of securing your online accounts, including your WordPress site, is to use strong, unique passwords for every account you have. (A good rule of thumb: if a password is short enough to remember easily, it probably isn’t strong enough, unless it is a long, randomly chosen passphrase.) Using a password manager such as LastPass or 1Password can help with that. That way, if one service is compromised, a hacker won’t be able to log into your other accounts by trying the same set of credentials (known as a credential stuffing attack).

2FA works on the principle that logging in should require two different kinds of proof, drawn from three categories: something you know (your password), something you have (your cell phone, with an authenticator app on it), and something you are (biometrics). The first two are the most practical to implement, and of course you’re already using the first one every time you log into your WordPress site with your username and password. This article will explain how to add the second one: something you have.

Installing the Plugin

We’ll start by installing a plugin that handles 2FA called, simply enough, “Two Factor Authentication”. It’s free and available on the WordPress plugin repository, although there is a premium version available with additional features. We’ll stick with the free version for this post.

Log into your WordPress site as an administrator and go to Plugins -> Add New. In the search bar on the top right of the screen, enter “Two Factor Authentication”. Click on the “Install Now” button on the first result, and the “Activate” button once it’s installed.

Adding the Two Factor Authentication WordPress plugin.

If you’re a client of Taupecat Studios’ monthly maintenance plan, this plugin has already been installed and activated for you.

Configuring 2FA

To generate the one-time code, we’ll need a companion app on your smartphone. The one that we’ll be using is Google Authenticator. It’s a popular app for this purpose and is available for both iOS and Android. Despite its name (and author), it isn’t limited to Google services: it works with any site that uses the standard time-based one-time password (TOTP) scheme, which is what this plugin uses. You can also use your password manager or another standalone authenticator app for this purpose. The code is not random: it is computed from a secret shared between your site and the app (that’s what the QR code carries) combined with the current time, so a new six-digit code is produced every thirty seconds and an old one stops being accepted shortly after its window ends. This also means the phone’s clock needs to be reasonably accurate.

On the left sidebar of your WordPress site’s administration, choose “Two Factor Auth”. Launch the Google Authenticator app on your cell phone, and use your phone’s camera to scan the QR code on that page.

The Two Factor Authentication WordPress plugin administration screen.

Once the QR code is scanned, the six-digit code shown on the admin screen should match the six-digit code in your Google Authenticator app. If they match, click on the “Enabled” radio button above the QR code and click the “Save Changes” button. Now your account is configured and ready to use 2FA. Before you log out, make sure you have a way back in if you lose your phone: keep the secret somewhere safe (your password manager, or a backup of the QR code) and know how to disable the plugin through your hosting file manager or FTP, since without a valid code you won’t be able to log in.

The Google Authenticator screen.

Logging In

From now on, logging into your WordPress site takes two steps: your username and password as before, followed by the current code from Google Authenticator.

Log out of your WordPress site, and then log back in. After your password is accepted you will see a second login screen asking for your One Time Password. Enter the six-digit code currently shown in Google Authenticator and click “Log In”. You will then be brought to your WordPress dashboard.

The "One Time Password" login screen

Conclusion

Implementing 2FA on your WordPress site is a simple way of adding another layer of protection against brute force, credential stuffing and other login attacks: a guessed or leaked password alone no longer gets an attacker in. However, you should still be using strong, unique passwords for your WordPress site along with a reliable password management tool, and you should enable 2FA for every administrator account, not just your own, since an account without it is the weak link. You should also never use the name “admin” for your main administration account, as this was the WordPress default years ago, and it is the first username brute force bots try.

Would you like to know other ways to keep your WordPress site secure? Check out our other posts about WordPress and security.

Would you like Taupecat Studios to maintain not just your WordPress site’s security, but also common maintenance tasks such as backups, core and plugin updates, and uptime monitoring, so that you can focus on your business? Drop us a line on how to enroll in our WordPress maintenance plan.