Two-factor authentication for WordPress is very useful for securing your site. It can prevent unauthorized and malicious users from gaining access to your WordPress website.
As the name suggests, two-factor authentication for WordPress basically means that you add an extra layer of authentication before login.
In this article, we will be learning the basics of two-factor authentication for WordPress as well as useful plugins to get it working on your site:
Introducing Two-Factor Authentication for WordPress
The question is, what makes two-factor authentication for WordPress that special? And, more importantly, why should you take it so seriously?
As already discussed, two-factor authentication for WordPress is all about adding an extra layer of security. Picture this scenario:
- You create a very strong password for your WordPress admin account.
- You follow all the security procedures: keep your WordPress as well as themes and plugins updated, change your password regularly, avoid unsafe plugins or themes, and so on.
- However, a malicious user figures out your password. Maybe it was a bot that kept hitting your login page until it gained access to your account, or maybe it was a sheer brute force attack wherein the attacker managed to guess your password.
- What happens next? Your WordPress admin account is compromised since a malicious hacker has gained access to it. Your website, in simple words, is hacked.
Now imagine, what if there was another layer of security? What if, after entering the correct password, WordPress were to send you an email or an SMS to verify your identity? In that case, if anyone gained access to your password, they would still not be able to access your WordPress account.
This is what two-factor authentication for WordPress is all about! Once you enter your correct login credentials, you are sent a secret key or code via text message, phone call or even email. You then enter that secret code and thereafter you are logged in.
Also, bear in mind that two-factor authentication is not a concept unique only to WordPress. Many popular email providers, such as Google, Outlook and Yandex, offer two-factor authentication with the same mechanism as described above. As such, it is a proven security procedure.
Big question though: what if you lose access to your mobile phone and/or email? You are locked out of your website, aren’t you?
Not really. Every decent two-factor authentication mechanism offers a failsafe measure. You can generate “emergency codes” and retain them elsewhere – maybe on a piece of paper in your wallet or likewise. If you do not have your phone anymore, you can still login by entering the said emergency codes.
So, now that we have established what two-factor authentication is all about and how it can help us, how do we implement it on our WordPress websites? There are a lot of plugins out there to help us accomplish that!
For the sake of simplicity (and also because you need just one plugin to handle the task), we will be looking at the most popular ones that are free (or offer a free version) and have a proven track record of regular updates and support.
Plugins to Implement Two-Factor Authentication for WordPress
1. Clef Two-Factor Authentication
Clef Two-Factor Authentication is a very popular plugin in its league with over 900,000 active users. This plugin adds two-factor authentication for WordPress within minutes and reduces the reliance on passwords.
Basically, it does away with passwords and asks you to login by means of one-time codes. Rather than storing your codes on a remote server, it uses your own smartphone to store private keys. Thus, you can login not by means of a simple password, but rather by using your phone followed by a fingerprint or PIN.
You can select user roles or accounts that require two-factor authentication. This way, for simple account levels such as “Contributor,” you can retain the routine password-based login mechanism.
2. Duo Two-Factor Authentication
Duo Two-Factor Authentication lets you add two-factor authentication by means of a mobile phone or hardware token.
This plugin offers various methods to identify users. For example, you can use the Duo mobile app to identify yourself, generate one-time use codes, have codes sent via SMS, get a phone call with the login code (works with landlines too), or rely on hardware tokens via oAuth. If you are looking for a simple solution to implement two-factor authentication on WordPress, this plugin is the right pick for you.
3. Shield WordPress Security
Shield WordPress Security is more than just a plugin for two-factor authentication. It is more of a security suite, comparable to the likes of Wordfence Security. It can block malicious access requests, spambots and offer a firewall for your website.
However, unlike other gigantic security plugins, Shield WordPress Security offers two-factor authentication in its free version. You can prevent brute force attacks and verify user identity by turning two-factor authentication on.
Note that Shield WordPress Security offers only email-based two-factor authentication (no phone calls or SMS) or via Google Authenticator.
4. Rublon Two-Factor Authentication
Rublon Two-Factor Authentication lets you add two-factor authentication to your WordPress website using two different ways. First, you can have a link sent to you via email that you need to click in order to login. Secondly, you can scan a code using the Rublon app.
You can use two-factor authentication for one admin account per website using the free version. If you wish to add it for more accounts, you will have to upgrade to the premium version. That said, Rublon is fairly simple and easy to use. Also, you can whitelist your own device such that it does not ask you to scan any code or verify an email link on your computer, but does so for every remote or public device that you use.
5. Google Authenticator – Two-Factor Authentication
Google Authenticator – Two-Factor Authentication is a WordPress plugin that secures your site by letting you add two-factor authentication using Google Authenticator (learn more about Google Authenticator here).
The process is simple: you login via your username and password, and then add an authenticator key sent via the Google Authenticator app. This plugin also supports authentication via other channels, but the free version lets you add the mechanism for one user account per site only.
There are several other plugins as well for implementing Google Authenticator on WordPress websites. However, not all of them have been updated in recent days and not all of them are very popular (this particular one has over 3000 active users, which, compared to the likes of Clef, is a very low number).
That brings us to the end of this article about implementing two-factor authentication for WordPress websites. Two-factor authentication is never an absolutely perfect mechanism and should always be used in sync with other security measures for WordPress. Also, be sure to have a failsafe mechanism such as an emergency code or a bypass route, just in case you ever lose access to your email account and/or mobile phone.
If you want to learn more about security-related issues in WordPress, check out our other post on the 4 most common WordPress attacks and how to combat them.
Which two-factor authentication plugin do you use? Feel free to share your views in the comments below!