Tutorials UPDATED: 17 October 2022

Two Factor Authentication and WordPress

Tassos Antoniou

6 min read
Image for Two Factor Authentication and WordPress

Two-Factor Authentication (2FA) is a security measure that asks a user to provide a piece of information that only they know prior to logging into a service.

You can see 2FA under various names like Multi-Factor Authentication (MFA), Dual-Factor Authentication, or 2-Step Verification. 2FA is widely used especially in situations where security is especially important, such as for online banking.

The 2FA Significance

You might have heard of a type of online attack called a ‘brute force’ attack. These are all too common and involve an automated bot that tries to guess the username and password of a user on a website. Repeated login attempts are made until access is gained. These types of attacks are relatively easy to mitigate by locking down access to a login page when repeated, unsuccessful attempts are made.

But what happens if the bot ‘gets lucky’ and manages to login prior to a pre-defined number of unsuccessful attempts being reached? Or, more likely how can malicious logins to websites and apps be prevented by users who have stolen login credentials? The latter is of a particular problem with barely a day going by without a high-profile business reporting a data breach that may, or may not, have compromised some of their customer’s data.

A more robust way of ensuring that you and only you are able to login to a website/app/account is by using a system called Two-Factor Authentication.

How Does Two-Factor Authentication Work?

Two-factor authentication works by requiring the user to enter not only their username and password on login but also a second piece of information that is generated separately and that will continually vary. This typically is in the form of a 6-digit code sent via SMS to the users mobile phone. The idea behind this is that only the genuine user will have access to this device thereby thwarting login attempts that are undertaken by brute force or as a result of a data breach that reveals usernames and passwords.

Since the inception of 2FA, authentication apps have become more prevalent. Instead of using SMS messages to send users one-time passcodes, an app that is installed on the user’s devices generates random codes instead. This is recognized as being even more secure as an authentication method as it eliminates the possibility of an SMS message being intercepted or, a mobile number being cloned or spoofed.

Authentication App Options

There are plenty of excellent two-factor authentication apps that can be used to generate the required login codes.

If you have an Android device, you can choose between Google Authenticator, Microsoft Authenticator, Twilio Authy, Cisco Duo Mobile, FreeOTP, and many more.

On iOS 15, some of the most popular apps are Google Authenticator, Twilio Authy, OTP auth, Step Two, Microsoft Authenticator, FreeOTP, and the iOS built-in authenticator.

On Windows, you can use the WinAuth and Twilio Authy authenticator apps among others.

On macOS, some of the options are the Step Two, OTP auth (paid version only), and Twilio Authy.

Two Factor Authentication On Your WordPress Site

It’s not only banking websites that can benefit from 2FA… your own WordPress website can as well! Hackers love to target just about any CMS and WordPress is no exception. Using the right hosting provider and well as making sure your website is kept up-to-date can go a long way in thwarting any hacking attempt. Adding 2FA to your WordPress website makes it even harder for unauthorized users to access your site.

Host your website with Pressidium

60-DAY MONEY BACK GUARANTEE

SEE OUR PLANS

Because it’s WordPress, you’ll find no shortage of excellent plugins that can help you setup 2FA quickly and easily. Let’s take a look at a few.

The WP 2FA Plugin

Two Factor Authentication, WordPress plugin: The WP 2FA Plugin

The WP 2FA – Two-factor Authentication plugin is a popular solution. Once you install and activate the WP 2FA plugin, you will see this screen:

Two Factor Authentication, WordPress plugin: The WP 2FA Plugin wizard

Follow the wizard, it will walk you through setting up all the necessary options and more:

  • The primary 2FA methods you will allow users to choose from.
  • The options on whether you want to force 2FA on all or some users or roles.
  • The grace period during which users will have to configure 2FA.
  • The configuration of the 2FA authentication.

Skip the wizard and you can find all these settings under the plugin’s menu and the extra section that is added at the bottom of your profile’s admin screen (under Users > Profile).

Two Factor Authentication, WordPress plugin: The WP 2FA Plugin admin settings

The plugin also allows you to choose whether you want all the 2FA-related data to be deleted from the database upon plugin uninstall.

The Two-Factor Plugin

The Two-Factor plugin developed by Plugin Contributors is a user-friendly plugin that is quick to setup.

It adds a section under Users > Your Profile, where you can enable the authentication methods and select which will be primary. There are available configurations for Email Authentication codes, Time Based One-Time Password (TOTP), FIDO U2F Security Keys and Backup Verification Codes.

The Two-Factor Plugin options

The plugin also offers a list of action and filter hooks that can come in handy for developers.

The Google Authenticator Plugin

The Google Authenticator plugin is another popular 2FA plugin that can be utilized to enhance your WordPress site’s security. This completely free plugin provides a wide variety of two-factor authentication options, including SMS and, of course, using the Google Authenticator app. Very little time or effort is required to get this set up. When you activate the plugin, you’ll see some on-screen options you can configure under Settings > Google Authenticator.

The Google Authenticator settings

Just choose the roles to which the 2FA will be applied and save the settings. Pretty easy.

2FA – The Pressidium Dashboard

To further help protect your WordPress websites, you can choose to activate 2FA for your Dashboard login. Check out our KB article on this feature.

Pressidium Two Factor Authentication

Conclusion

For important websites, 2FA really should now be considered mandatory. If you’ve been given the option of adding 2FA to any of your accounts but chosen not to do this, it might be worth thinking again! For WordPress websites, enabling 2FA login is pretty easy. With little to lose, why not make it even harder for a hacker to ruin your day (well, your website at least!).

Host your Website with Pressidium!

View our price plans

OUR READERS ALSO VIEWED:

wp-config.php – All About The WordPress Configuration File

Always wanted to know all about the WordPress wp-config.php file? In this article we look at what it is and how it can be edited!
Tassos Antoniou
Tassos Antoniou
13 min read

Building a CI/CD Workflow – Automatically Deploying a WordPress Theme with GitHub Actions

Streamline your WordPress deployment process using GitHub Actions and a CI/CD workflow. Automatically build and deploy a WordPress theme to your Pressidium WordPress site.
Konstantinos Pappas
Konstantinos Pappas
22 min read

Types of Cross-Site Scripting (XSS) Attacks

In this article, on XSS attacks we're going to deep dive cross-site scripting examples to better understand how these types of attacks work.
Tassos Antoniou
Tassos Antoniou
6 min read

5 Best Tips For Web Developers When Coding For eCommerce Websites

So how can you become a successful web developer when coding for ecommerce websites? Check out this article to find out!
Daryl Bush
Daryl Bush
7 min read
SUBSCRIBE