As you know, WordPress is a very useful platform for content management and blogging. Its flexibility has also made it an enticing target for hackers. One important protection is WordPress two-factor authentication. Your other security measures can all be for naught if someone knows your login credentials. Fortunately, you can bring the added security of two-factor authentication to WordPress. Here’s how.
What Is Two Factor Authentication?
Unlike passwords alone, two-factor authentication (2FA) is a two-step process that requires two or three proofs of identity before granting access. Implementations of two-factor authentication use something you know (the password) and something you have (such as a smartphone, an e-mail account, or a hardware key).
WordPress offers two-factor authentication via plugins. These plugins require additional identification factors including:
- A one-time password (OTP) sent by SMS/e-mail
- A phone call
- A QR code
- A push notification
- Hardware-based key generators such as YubiKey, SolidPass, etc.
Why Add Two Factor Authentication to WordPress Login?
One of the most common tricks hackers use is the brute-force attack. Using automated scripts, hackers try to guess the username and password to break into a WordPress site.
If they steal your password or accurately guess it, then they can infect your website with malware.
One of the easiest ways to protect your WordPress website against stolen passwords is to add two-factor authentication. This way, even if someone steals your password, they will still need to enter a security code from your phone to gain access.
There are two ways to set up two-factor authentication in WordPress:
- SMS Verification – where you receive the verification code via text message.
- Google Authenticator App – Fallback option where you receive the verification code in an app.
Let’s take a look at how to easily add two-factor authentication to your WordPress login screen for free.
Add WordPress Two Factor Authentication
1. Roll Your Own Two Factor Authentication for WordPress
There are many ways to skin a cat. This is doubly true when it comes to two-factor authentication. You might want to authenticate with your cell-phone. You might want an e-mail sent, containing a unique link or code. Or, you might just have your own unique system that you concocted yourself using an Arduino and an Ethernet shield.
Whilst rolling your own two-factor authentication isn’t easy, it’s certainly doable. WordPress allows you to override pretty much everything, including the log-in function. All you need is a rudimentary understanding of how PHP works, in addition to a bit of WordPress development know-how.
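The approach described above, sketched as an added example (not code from the original article or from any plugin listed here): a function hooked into WordPress's authenticate filter that checks an RFC 6238 time-based code after the password step. The demo_ function names, the demo_totp_secret and demo_totp_last_step user-meta keys, the hex encoding of the stored secret and the demo_totp_code form field are assumptions.

```php
<?php
// Added example: every demo_ name, meta key and form field here is hypothetical.
// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function demo_hotp(string $key, int $counter, int $digits = 6): string {
    $hash   = hash_hmac('sha1', pack('J', $counter), $key, true);
    $offset = ord($hash[19]) & 0x0f;
    $bin    = unpack('N', substr($hash, $offset, 4))[1] & 0x7fffffff;
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// RFC 6238 TOTP: accept the current 30-second step +/- $window, compare in constant
// time, and return the matched step so the caller can refuse a replayed code.
function demo_totp_match(string $key, string $code, int $now, int $lastStep = 0, int $window = 1): ?int {
    $current = intdiv($now, 30);
    for ($step = $current - $window; $step <= $current + $window; $step++) {
        if ($step > $lastStep && hash_equals(demo_hotp($key, $step), $code)) {
            return $step;
        }
    }
    return null;
}

// Hooked after WordPress's own password check: $user is a WP_User only if that passed.
function demo_require_totp($user, $username, $password) {
    if (!($user instanceof WP_User)) {
        return $user; // password step already failed; keep its error
    }
    $secret = (string) get_user_meta($user->ID, 'demo_totp_secret', true);
    if ($secret === '') {
        return $user; // user has not enrolled in 2FA
    }
    $key  = (ctype_xdigit($secret) && strlen($secret) % 2 === 0) ? hex2bin($secret) : '';
    $raw  = $_POST['demo_totp_code'] ?? '';
    $code = is_string($raw) ? (string) preg_replace('/\D/', '', $raw) : '';
    $last = (int) get_user_meta($user->ID, 'demo_totp_last_step', true);
    $step = $key !== '' ? demo_totp_match($key, $code, time(), $last) : null; // bad secret fails closed
    if ($step === null) {
        return new WP_Error('demo_totp_failed', 'Invalid or reused verification code.');
    }
    update_user_meta($user->ID, 'demo_totp_last_step', $step);
    return $user;
}

if (function_exists('add_filter')) {
    add_filter('authenticate', 'demo_require_totp', 30, 3);
} else {
    // Run from the CLI without WordPress: RFC 6238 SHA-1 test vector (time 59 s, 8 digits).
    var_dump(demo_hotp('12345678901234567890', intdiv(59, 30), 8) === '94287082');
}
```

This sketch does not limit how many six-digit codes can be tried, so it still needs login-attempt throttling against the brute-force guessing described earlier.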
2. Shield WordPress Security
Shield WordPress Security (formerly Simple Firewall) offers two ways of authenticating the two-factor connection, by e-mail and with YubiKey. Its e-mail authentication offers two methods (IP address and cookies) that allow users to choose their preferred method.
For example, an IP-based check may be chosen if the IP address does not change frequently and you want to create multiple WordPress login sessions from a single network location or with multiple browsers on the same computer.
The advantages of this plugin are two-factor authentication by OTP sent by e-mail and YubiKey, IP address, and cookies. However, this plugin does not support authentication via Google Authenticator, SMS, phone call, push notification, or QR code.
3. Duo Two Factor Authentication
Duo Security’s plugin for WordPress two-factor authentication has been downloaded 15,000 times since it was initially released, and has over four stars on WordPress.org. But what makes it so good?
Well, simply put, it’s amazingly versatile. You can authenticate with a simple press of a button on their family of mobile applications. If you are out of cell coverage and you need to authenticate, you can even generate a one-time passcode.
They can even phone your landline or mobile phone, and authenticate you that way. Sounds expensive, right? Wrong. Duo is free for up to 10 users, and if you need more than that, you will only need to pay a monthly fee of $3 per user.
4. Authy Two Factor Authentication
Does Duo sound a bit complicated? Want something a bit simpler? You might be interested in checking out Authy Two Factor Authentication.
Installing Authy into your website is a matter of grabbing an API key, installing the plugin and registering with your cell phone number. Whenever you try to log in to your WordPress installation, it will send a one-time token via SMS.
Whilst lacking the bells-and-whistles of Duo, it is a vastly simpler product and has been used by a number of well-known technology companies, including Bitcoin trading site Coinbase, and CloudFlare.
5. Clef Two Factor Authentication
Clef Two-Factor Authentication is a unique two-factor authentication system that uses “Clef Wave” to verify the logging-in user’s identity. This plugin totally changes the way you log in to WordPress. No more usernames and passwords are required. Using this plugin, you only need your smartphone with the Clef app installed, and logging in becomes as easy as holding up your phone.
Clef Two-Factor Authentication makes your WordPress site highly secure and protects against password-related breaches. It replaces passwords with secure two-factor logins using the proven RSA public-key cryptosystem. Its single sign-on functionality lets you enjoy one-click sign-ins to and sign-outs from all websites. You can make Clef the mandatory sign-in method for all user roles on your WordPress site.
6. Google Authenticator – Two Factor Authentication (2FA)
Google Authenticator – Two Factor Authentication (2FA) is the most advanced WordPress two-factor authentication plugin. It takes proactive steps against potential threats and provides multiple backup solutions to help users during severe attacks.
With this plugin, administrators and users can activate the two-factor connection service, configure their own connection options, and log in to the WordPress website using username + password + two-factor authentication or username + two-factor authentication.
The advantages of this plugin are two-factor authentication via SMS, OTP sent by e-mail, software key, QR code, push notifications, shortcode for customized login pages, and identification of the device to avoid repeated attempts. However, this plugin does not support WordPress multisite, authentication via phone call and YubiKey.
7. Two Factor Authentication
The Two Factor Authentication plugin allows you to enable 2FA based on user roles. It can be enabled or disabled for individual users and displays two-factor authentication on the login page only for authorized users. It also allows the editing of front-end parameters via a shortcode and helps you display parameters without allowing users access to the dashboard.
The Two Factor Authentication plugin supports the WooCommerce login form and the Theme My Login plugin, allowing you to customize login pages with two-factor authentication for users.
The premium version offers more features such as customized layouts, emergency backup codes, better control of administration, user codes, and more.
The advantages of this plugin are two-factor authentication using the TOTP and HOTP protocols, and QR code. This plugin also supports WordPress multisite, Google Authenticator, Authy, and various other systems. However, this plugin does not support authentication via SMS, phone call, OTP by e-mail, shortcode, and YubiKey.
8. YubiKey Two Factor Authentication
Need a hardware solution? YubiKey has you covered. As hardware-based two-factor authentication goes, it is pretty hard to beat. It consists of a single button and when plugged into your computer, the device is registered as a USB keyboard.
When you press the button, it generates a one-time key. Because the key is generated on the device rather than on the server, it is significantly harder to intercept in transit.
A number of premium web hosts already bundle YubiKeys with hosting packages. However, you don’t need to sign up to an expensive contract to get your hands on one of these devices and integrate it with your WordPress installation. All you need to do is grab a YubiKey and install the YubiKey plugin.
The Last Word about WordPress Two Factor Authentication
Whether you have a blog that you manage alone, or in collaboration with a team of writers and editors, or you build websites for clients, a two-factor authentication plugin for WordPress will help you better protect your websites.
From the above list, my favorite plugin is Shield Security, because of its unique authentication system which makes it a first-class security system. If you have a different favorite, do leave a comment and tell the readers why you like the plugin.
There are many, many ways to add two-factor authentication to your WordPress installation beyond these four. What do you use? I’d love to hear all about it.