Keeping your website safe and secure should be a priority. After all, a hacked website can harm both your business and your site’s visitors. WordPress Two-Factor authentication is your organization’s shortcut to better user security.
Better security starts with protecting your site’s user accounts. It’s one of the foundational pieces of hardening WordPress. A compromised or stolen user login is dangerous. A hacker could use it to deface your website, install malware, or even create more unauthorized users.
The basics of user security include using strong passwords and not sharing or reusing them. Taking advantage of WordPress user roles and capabilities is also a good idea. You can use them to ensure users only have access to what they need.
Two-Factor authentication (2FA) is another tool to improve security. This technology provides an additional layer of protection for your users. Even better – it’s easy to add to your WordPress site.
Today, we’ll fill you in on all the details. We’ll review how 2FA works and show you how to get it up and running. In addition, we’ll share some tips for getting the most out of this helpful tool.
What Is Two-Factor Authentication and How Can It Help?
2FA is an electronic authentication method that requires users to verify their identity via multiple types of authorization. A user will typically provide an account password and at least one other piece of verification data (also referred to as a “factor”).
That data often takes the form of a security code. The code can be delivered via email, an SMS text message, or a mobile app. Other potential sources of authorization include biometrics, hardware-generated security tokens, and PINs.
This method of logging in may be less convenient. However, it makes your account that much harder to crack. A hacker would need your password and access to that second piece of verification data.
That’s possible if they already have access to your email (another reason to avoid reusing passwords). It becomes much harder to do with mobile apps or other factors.
We should note that 2FA isn’t foolproof. Your account could still be compromised by malware or an info stealer on your device. The best way to prevent that is by using security software and regularly scanning for viruses.
Despite that, 2FA does stand in a hacker’s way. That alone might be enough to thwart an attack.
How to Add Two-Factor Authentication to Your WordPress Website
By default, WordPress doesn’t include 2FA. But it’s easy to add this feature by installing a plugin.
Several plugins offer 2FA. Some large security suites such as Wordfence, Solid Security, and Really Simple Security include it as part of a broader set of tools. They’re all reasonable options for defending against multiple types of attacks.
The easiest and most efficient plugin for adding 2FA is Two-Factor. It’s maintained by the WordPress plugins team and is laser-focused on a single feature. It also includes several options for verifying your account.
Here are the steps for setting up the Two-Factor plugin on your site:
Step 1: Install Two-Factor
To start, log in to your WordPress website and navigate to Plugins > Add New.
Search for “Two-Factor”. Find the plugin in the search results and click the “Install Now” button.
Allow the installation process to complete. Next, click the “Activate” button.
Step 2: Enable 2FA on Your User Account
Now that Two-Factor is installed and activated, it’s time to enable 2FA on your account. Navigate to Users > Profile and scroll to the bottom of the screen.
You’ll find multiple verification options for authenticating your account:
- Email: Enter your username and password and an authentication code will be sent to the email address associated with your account. Then paste the provided code into the WordPress login screen.
- Authenticator app: This option combines Two-Factor with a Time-Based One-Time Password (TOTP) app, such as Google Authenticator (Android, iOS). Our favorite at SiteCare is the TOTP functionality built into 1Password. Codes are randomly generated every 30 seconds. You’ll need access to the app in order to log in successfully.
- FIDO U2F Security Keys: A hardware-based authentication method, such as a USB key. You’ll need to insert the security key into your device to complete the login process.
- Recovery Codes: Two-Factor will generate a set of codes that can be used if you can’t access your email, authenticator app, or security key.
You can enable one or more of these options on your account. In addition, you can set one of them as the primary verification method. It will be used by default. Users will be able to switch to any enabled method, however.
For simplicity’s sake, we set up our website to use email as the primary verification method. We also enabled recovery codes – just in case we need them down the road.
Note that you’ll need to repeat this step for each user who uses 2FA.
Step 3: Test It Out
Let’s try logging in to test our 2FA setup. First, we’ll enter our username and password.
Next, we’ll be taken to a screen that asks for a verification code.
The code was sent to our email address.
Finally, we’ll copy and paste the verification code into the verification field on our site’s login screen. If everything works, we’ll be automatically redirected to the WordPress dashboard.
Tips for Getting the Most Out of WordPress Two-Factor Authentication (2FA)
The advantage of using 2FA with WordPress is that it’s simple to set up and very flexible. However, it’s worth considering how the technology best fits your workflow.
Here are a few tips for getting the most out of the experience:
- Choose a verification method that works best for you: Email is the most convenient option but also the least secure. TOTP apps require a bit more effort but are harder for hackers to access. FIDO U2F is the most secure but requires an investment in hardware. Consider which option makes the most sense for you and the other users on your site.
- Determine whether 2FA should be mandatory for all or some users: At the very least, your site’s administrators should use 2FA. These accounts have the most potential to do harm if they fall into the wrong hands. Other user roles might benefit from the extra security – particularly on membership or ecommerce websites.
- Ensure email delivery is working: If you use the email verification method, you’ll want to make sure those messages are being delivered. Otherwise, users will be unable to complete the login process. SiteCare can help, as our plans include guaranteed email delivery.
- Enable 2FA recovery codes: Recovery codes come in handy when you can’t access your email or device. We recommend enabling this option, generating backup codes, and storing them safely.
By doing the above, you’ll create a 2FA setup that matches your needs. And you can adjust anytime.
A Simple Step Toward a More Secure Website
Think of website security as a puzzle. There are many pieces that help keep you and your site’s visitors safe. 2FA provides another barrier to prevent your site from being hacked.
It’s also one of the easiest and most inexpensive security enhancements. You can be up and running within minutes. The Two-Factor plugin simplifies the process. And it’s great for most use cases.
However, sites with a lot of users may want something more robust. For example, you may want to automatically require 2FA for each new user without manually configuring their account. In that case, other options are available.
Our WordPress experts are here to help! We can implement a 2FA plugin that keeps you secure and makes your life easier. Get in touch to discuss your needs.