Security has become a major concern for WordPress and other CMS platforms, and attackers keep finding ways around it. The most common attack used to gain access through the normal login form is the brute force attack: automated scripts query your login page and guess both usernames and passwords.

Weak passwords such as qwerty or 123456 are easy prey for this kind of attack.

Two-factor authentication for WordPress is a very effective safeguard for your website. It blocks unauthorised and fraudulent users from accessing the WordPress site.

As its name indicates, two-factor WordPress authentication simply means introducing an additional layer of security when signing in.

Two Factor Authentication (2FA) Explained

Two-factor authentication has long been used to control access to confidential apps, websites and other systems. Internet service providers also use 2FA to protect their clients' credentials from attackers who have compromised a username/password database or who use brute force attacks to obtain user passwords.

There are a number of ways to authenticate a user with more than one authentication process. Most authentication today relies on knowledge factors, such as a standard username and password, whereas two-factor methods add a second factor such as location or time. Below are the factors considered for this method.

  1. Location factor
    The location at which an authentication event occurs can be used by restricting login attempts to particular devices at a given location, or by tracking the geographical source of the attempt via the IP address, GPS or other location data obtained from the user's device.
  2. Possession Factor
    Something the user must have in order to approve an authorization request, such as an identification card, a security key, a cell phone, a computer or a smartphone app.
  3. Time Factor
    This factor limits user verification to a specified time period: signing in is allowed within that window, and access to the WordPress core is refused outside it.
  4. Knowledge Factor
    Something the user knows, such as a password, a PIN (personal identification number) or another form of private code.
  5. Inherence Factor
    Something the user is. This is commonly a biometric factor such as facial or voice recognition, and may also include behavioural characteristics such as keystroke dynamics.

Having listed these factors, it is important to note that WordPress relies on only a few of them, since not all are suited to a live online system.

Using two elements from the same category, for instance a PIN and a password, both of which are knowledge factors, is still termed single-factor authentication (SFA). Using two elements from different categories, such as a private code and location data, is multi-factor authentication (MFA). Most CMS systems such as WordPress implement a standard login method and then add one further factor of a different kind, hence 2FA.

Pros of 2FA in WordPress

There are various benefits of using 2-factor authentication for your WordPress site, which include the following:

  • Stronger security: one can log in using username + password + second factor, or username + second factor.
  • The second factor can be enabled per role and deployed to your entire user base in minutes.
  • All types of devices are supported: smartphones (iPhone, Android, BlackBerry), basic phones, landlines, etc.
  • Various factors can be used to secure your site. If your phone is lost, stolen or out of battery, there are alternative login methods such as OTP over email and security questions (KBA). If the phone is offline, a one-time passcode generated by the app can be used to log in. In short, multi-factor authentication is supported on all types of devices.

How does two-factor authentication work?

  1. The user is asked to sign in to the software or website.
  2. The user enters whatever they have set up, normally the username and password. The web server then looks up the record and identifies the user.
  3. For systems that do not use passwords, the website generates a special authentication code for the user; the authentication method checks the code and verifies that the user is registered on the site.
  4. The website then prompts the user for a second authentication step. Although this can take many forms, the user must prove that he or she possesses something nobody else could have at that moment, such as an authentication code, an identification card, a smartphone or another electronic device. This is the possession factor discussed above.
  5. The user enters the one-time code that was provided during Step 4.
  6. The user is then authenticated and given access to the application or website after providing all elements required by the chosen factors.

How To add Two Factor Authentication On WordPress

This should be considered one of the best measures to safeguard your WordPress website in case the site's credentials are compromised: if someone obtains your password, he or she will still need to enter the security code sent to your other device to get into the site.

As mentioned earlier, WordPress does not use all the factors of 2FA. There are two common ways to configure two-factor authentication in WordPress:

  • SMS verification: you receive a verification code in a text message sent to your device. This uses the knowledge factor.
  • Google Authenticator app: considered a fallback alternative, where you get the authentication code from the app. This uses the possession factor.

Including a 2-Factor Verification with Google Auth App to WordPress

This approach adds 2-step SMS authentication to your WordPress login page. After submitting your WordPress username and password, you receive a text message with a verification code on your phone.

For this to work you first need to add a two-factor verification plugin. For this guide we recommend the Google Authenticator plugin, which also has SMS verification capability. It provides a range of authentication mechanisms to secure the website against malicious access, including QR codes, email notifications and push notifications.

2FA Google Authenticator
Authentication Using Private Key Option

The plugin and app work by generating a new key every 60 seconds. The six-digit code created by the app is used as a one-time password (OTP), which verifies the user at login in addition to the username and password.

  • Install and activate the Google Authenticator plug-in on your WordPress site. Go to Dashboard > Plugins > Add New and search for the ‘Google Authenticator’ plugin.
  • To find the plugin's settings, go to Users >> Your Profile in your dashboard. The authentication settings are shown there.
  • The settings shown in the image above are as follows. Active mode means that your WordPress site is now accessed using Google Authenticator; it is checked by default after installing the plugin. Relaxed mode bypasses the 60-second code rotation rule and extends the validity of a generated code to around 4 minutes, hence the name.
  • To fully use 2-factor authentication, you need the Google Authenticator app installed on your smartphone. Once installed, open the app and add a new account by tapping the plus (+) icon.
  • You will then be prompted either to scan the QR code or to enter the secret key provided by the plugin; both are available from the Google Authenticator settings on your website. Here we use the provided key.
  • In the plugin, make sure the Active box is checked, click the Update Profile button, and log out of WordPress to see the changes.
  • Once you enter the secret key, the app remembers your website: the description of your WordPress site appears in the Authenticator app beneath the unique 6-digit number, with a 1-minute timer beside it.
  • Finally, after refreshing the login screen you will find a two-step verification field that asks for your username and password and then for the Google Authenticator code generated on your smartphone.

WordPress Two-Factor Authentication Plugins

Out of the box, the WordPress download package does not come with 2FA, so you will need a third-party plugin to add it to your website. In this section we cover some of the best two-factor authentication plugins available for WordPress.

Two-Factor Plugin

Two-Factor is a free downloadable plugin that is regularly updated and maintained. The 2FA settings are found under Users >> Your Profile in the WordPress dashboard. You can configure the following 2FA methods:

  • One-time codes using the Google Authenticator app (Time-Based One-Time Password)
  • Authentication codes sent via email
  • Universal 2nd Factor (FIDO U2F), requiring a third-party device
  • Backup codes

Two Factor Authentication

The Two Factor Authentication plugin lets you enable 2FA by user role. It can be activated or deactivated for specific users, and shows the two-factor prompt on the login form only for those users. It also lets you display the front-end settings with a shortcode, so users can configure 2FA without being given access to the dashboard.

In practice the plugin provides two-factor authentication through the TOTP and HOTP protocols, with a QR code for enrolment. It also supports WordPress multisite, Google Authenticator, Authy and several other apps. However, it does not support SMS, phone call, OTP over email, shortcode, or YubiKey authentication.

MiniOrange

The miniOrange authentication plugin is designed to prevent the disclosure of confidential data and provides simple integration with the Google Authenticator app. You can also use alternative techniques such as QR code scanning, push notifications, simple code tokens and security questions. miniOrange also offers its own mobile app for Android or iOS for more advanced mechanisms such as push notifications and QR codes.

The free edition restricts 2FA to a single user per account. To enable 2FA for more than one user you will need a premium plan.

Duo Two-Factor Authentication

Duo Two-Factor Authentication offers convenient 2FA for your site that is straightforward to set up and provides effective protection against attackers. As shown below, once users sign in with their regular WordPress password, they are prompted to confirm their identity using one of the Duo authentication methods listed.

The authentication mechanisms supported by Duo are:

  • Single-tap verification using the Duo app, making it fast and simple to confirm your identity.
  • A confirmation code generated by the application, which also works offline.
  • An SMS-based confirmation code sent to your phone number, again convenient when you have no internet access.
  • Callback to both landline and mobile phone numbers.

Final Wrap Up

By reading and implementing this guide, you will have discovered that a good, strong password is important for protecting your WordPress site, but that a password alone does not offer enough protection against malicious attacks. Knowing how to implement two-factor authentication for your WordPress site, whether with the free Google Authenticator plugin or one of the other plugins suggested here, lets you counter these threats. Securing your WordPress websites has just gotten easier! Check out our more detailed WordPress Security Guide to find out how to really secure your website.
