Over time, there has been an increase in the number of cyberattacks, data hacks, and more on the web. Due to this, various leading websites, like Facebook, Instagram, Google, etc., have enabled two-factor authentication. If your site is on WordPress, there is a possibility that your site might be a prime target for cybercriminals, as WordPress is the leading CMS worldwide.
Whether or not you have already faced brute-force attacks or hacking attempts on your site, enabling two-factor authentication on your WordPress site is recommended. WordPress two-factor authentication (2FA) is easier to set up than you might think, and adding it to your website will noticeably improve its security. You may be asking: how?
Due to 2FA, even if the bad guys have access to your password, they can’t access your site as they also have to enter a one-time password.
In this blog, we will provide steps to enable WordPress multi-factor authentication using SMS, Google Authenticator, and various WordPress 2FA plugins. Before we look into that, let us look at some basics.
What is a Two-Factor Authentication (2FA)?
Two-factor authentication (2FA), also known as two-step verification or dual-factor authentication, is a security method in which users verify their identity using two different authentication factors.
This procedure is carried out to protect the user’s credentials and the resources the user has access to. Single-factor authentication (SFA), in which the user provides only one factor, typically a password or passcode, provides a lower level of security than two-factor authentication (2FA). Two-factor authentication requires a user to provide both a password and a second factor, usually a security token or a biometric factor like a fingerprint or facial scan.
Because knowing the victim’s password alone is not enough to pass the authentication check, two-factor authentication adds an extra layer of security to the login process, making it more difficult for attackers to access a person’s devices or online accounts.
Two-factor authentication has long been used to control access to sensitive systems and data. And online service providers are increasingly implementing 2FA to protect their users’ credentials from hackers who have stolen a password database or obtained user passwords through phishing campaigns.
Why Add Two-Factor Authentication to Your WordPress Site?
WordPress sites are vulnerable to a wide range of security threats. Brute-force or ‘dictionary’ attacks are among the most common and dangerous: attackers use bots to try login credentials repeatedly until they find the right combination.
They can infect your website with malware if they steal or correctly guess your password. Therefore, it is highly recommended that you use strong passwords that include complex combinations of letters, special characters, and numbers. However, if you want to take your WordPress login page security a step further, we recommend using two-factor authentication (2FA). Even if your password is stolen, someone will need to enter a security code from your phone to gain access.
For an unwanted intruder to gain access to your WordPress site’s login page, they’d need to know your login credentials and have access to your phone or email inbox. This additional layer of protection can help deter cybercriminals.
Two-factor authentication can also help protect your customers’ sensitive data, boosting trust and loyalty. Furthermore, using a mobile app and plugin, you can quickly and easily integrate it into your WordPress site.
In WordPress, there are two ways to set up two-factor authentication:
- SMS Verification – the verification code is sent to you via text message.
- Google Authenticator App – as a fallback, you can receive the verification code via an app on your phone.
How to Add Two-Factor Authentication in WordPress via SMS?
This method adds two-factor authentication to your WordPress login page. When you enter your WordPress username and password, you will be prompted to enter a code sent to your phone via text message.
The first step is to download and install the plugin. Let’s say you want to enable Two-Factor Authentication, which allows you to customize SMS verification in various ways.
The second plugin, Two-Factor SMS, works as a complement to the first. Both of the plugins should be installed and activated.
To activate SMS authentication, follow these steps:
- After activating the plugins, you must go to the ‘Users’ > Your Profile page. Then, please scroll down to the Two Factor Options section and select it.
- Select the SMS (Twilio) option from the drop-down menu. Also, click the round button to make it your primary verification method.
- Scroll down to the Twilio section after that. You must enter your Twilio account information here.
- If you already have a Twilio account, go to your Twilio dashboard and click the Get Started button. If you don’t have an account, visit their website and select the Signup option from the drop-down menu. You will be asked for your usual personal information on the signup page.
- It will take you to the wizard to set up. To get your first Twilio number, go to this page and click the ‘Get your first Twilio number’ button.
- It will then provide you with a phone number in the United States.
- Save the number and select it using the ‘Choose this Number’ button.
- Exit the wizard and go to the Geo Permissions page under Settings. Here, you select the countries to which Twilio is allowed to send an SMS. Since you are using this service only for your own logins, enable just the country where you live and any countries you visit frequently.
- Copy your Account SID and Auth Token from the Twilio console dashboard.
- Return to your WordPress profile page and fill in the Twilio account information.
- Then, in the ‘Receiver Phone Number’ section, enter your phone number and click ‘Update Profile.’
You’ll need to enter a unique code sent to your mobile device the next time you log in to WordPress.
How to Add Two-Factor Authentication in WordPress with Google Authenticator
- The first thing you need to do is install the Google Authenticator app on your phone.
- Let’s return to your WordPress dashboard now. We’ll come back to the Google Authenticator app once we’ve completed the WordPress setup.
- Let’s install and activate the Google Authenticator plugin for WordPress.
- In the WordPress menu, click on Users » Your Profile. You will see Google Authenticator Settings there.
Active – If you check this box, your blog will now use Google Authenticator (tick this box when you’re finished with the setup).
Relaxed Mode – By default, your Google Authenticator code expires every minute. In relaxed mode, a single code remains valid for up to 4 minutes. Unless you type very slowly, we don’t recommend turning this on: the code is only 6 digits long, so you should be able to enter it in well under a minute.
Description and Secret Key – These are self-explanatory options. In the Google Authenticator app, the description will serve as your account name. If you don’t want to use the QR code, you’ll need the secret key. Note that you cannot use spaces in your description when using an iPhone. If you add spaces, the QR code may not work, and you’ll have to enter the information into the app using the key manually.
Enable App Password – This is only required if your blog uses XML-RPC (remote publishing), for example from the WordPress iOS app or Windows Live Writer. Remember that enabling this will reduce your overall login security, but if you rely on remote publishing, go ahead and enable it.
- Now that we’ve configured the WordPress part, let’s return to our iPhone’s Google Authenticator app. To add a new account, click the + icon next to the Google Authenticator app icon.
- You’ll be asked to scan the QR code or enter the key provided. You can get both of these from your website’s Google Authenticator settings.
- If your description doesn’t have any spaces, scan the barcode. To see the QR code, go to WordPress and click the Show QR code button.
- When you log in, a two-step verification field will appear, asking for your Google Authenticator code.
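As an added example (not code from this page, from Google Authenticator, or from the WordPress plugin), here is the TOTP procedure that the settings above rely on, implemented in Python per RFC 4226/6238: the secret key is the base32 string the plugin shows beside the QR code, each 6-digit code is derived from the current 30-second time step, and `verify` shows how widening the accepted window (the page’s relaxed mode) trades strictness for tolerance. The demo secret is the RFC’s published test key, and mapping relaxed mode to 8 time steps is my assumption, not the plugin’s own logic.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step, as used by Google Authenticator
DIGITS = 6          # the 6-digit code the plugin asks for at login

# Constructed demo secret: the RFC 6238 test key, base32-encoded the way a
# plugin displays it next to the QR code. Never reuse a published key.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction to `digits` decimal digits."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret_b32, at=None):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // STEP_SECONDS)

def verify(secret_b32, submitted, at=None, window=1):
    """Return the time step that `submitted` matches, or None if it matches none.

    window=1 tolerates one step of clock drift either way (the usual default).
    window=8 accepts codes up to about 4 minutes away, which is how this example
    models the plugin's "relaxed mode" (an assumption, not the plugin's code).
    Callers should store the returned step and reject any later submission whose
    step is <= the last accepted one, so a code cannot be replayed in the window.
    """
    now = int(time.time()) if at is None else at
    step = now // STEP_SECONDS
    for candidate in range(max(0, step - window), step + window + 1):
        # compare_digest keeps the string comparison constant-time
        if hmac.compare_digest(hotp(secret_b32, candidate), str(submitted)):
            return candidate
    return None

if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET_B32))
    print("RFC 6238 vector at t=59:", totp(DEMO_SECRET_B32, at=59))  # 287082
```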
How to Add Two-Factor Authentication in WordPress Using Plugins
Here are some of the best WordPress 2FA plugins you can leverage to implement two factor authentication on your site.
1. Google Authenticator – Two Factor Authentication by miniOrange
It is one of the most popular WordPress two-factor authentication plugins and helps ensure your site stays secure. The plugin is free, simple, and quick to install. Using two-factor authentication ensures that no one else can log in to your WordPress website, even if they have your password. You can also configure the plugin for any TOTP-based authentication method to provide an additional layer of security (multi-factor authentication). miniOrange also supports one-time passwords (OTP) via SMS and email during login and registration.
- $1/100 transaction with email, SMS, and OTP verification
Steps to Add Google Authenticator – Two Factor Authentication by miniOrange to WordPress
- Install and activate Google Authenticator – Two Factor Authentication by miniOrange
- Register with miniOrange
- After you’ve submitted your information, miniOrange will send you an OTP (One Time Password) to verify your email address, which you’ll need to enter on the next screen. This is what your email will look like:
- Simply copy and paste that code into your WordPress dashboard’s Enter OTP box.
- Next, you can choose from various pricing options. Unless you need something like WooCommerce two-factor authentication, you can choose the free plan. To do so, go to the top right and click the Ok, Got It button.
- Set up your security questions by clicking on the notification prompt that the plugin displays. Enter all three questions and answers, and then click Save.
- Choose login settings. You can customize a few key details on the Login Settings tab, such as enabling two-factor authentication for specific user roles in the premium version (unfortunately, this feature isn’t available on the free version).
You’ll find the Select Login Screen Options if you scroll down a little further. To begin, decide how you want users to log in by choosing between two options:
- Log in with your password and the two-factor authentication code – To log in, you’ll need to enter both your password and the two-factor authentication code.
- Login with only the 2nd Factor – all you need is your username and the 2nd Factor (not recommended as it will no longer be two-factor authentication).
You can choose whether or not to enable the “Remember Device” option if you select password + 2nd Factor, which is recommended.
- Configure your two-factor authentication method(s).
2. Duo Two-Factor Authentication
To protect against account takeover and data theft, Duo Security offers two-factor authentication as a service. In just a few minutes, you can add 2FA using this WordPress two factor authentication plugin.
Duo’s authentication service adds a second layer of security to your WordPress accounts, rather than relying solely on a password, which can be phished or guessed. Duo allows your administrators or users to verify their identities using something they already own, such as a smartphone or a hardware token, resulting in strong authentication and increased account security.
Duo is simple to set up and operate. There is no need to install any additional hardware or software with Duo; simply sign up for the service and install the plugin. Then, without setting up user accounts, directory synchronization, servers, or hardware, you can choose which user roles you want to enable two-factor authentication for—admins, editors, authors, contributors, and/or subscribers.
- Duo Free – Free
- Duo MFA – $3/user/month
- Duo Access – $6/user/month
- Duo Beyond – $9/user/month
Steps to Add Duo Two-Factor Authentication
- Setting up Duo account
First, sign up for a free account with Duo Security. To create an account, you must use your current phone number.
- Once you’ve set up the Duo account, you’ll automatically be redirected to the admin panel.
- If you’re starting from scratch, go to your account and select Integrations > New Integration from the left menu. Then, under Integration Type, choose WordPress.
- The Integration Name can be anything you want; in this tutorial, we’ll use “My WP Site.”
- Select the Create Integration option.
- We’ll now copy and paste the secret keys into our WordPress site to establish the connection between our WordPress site and Duo Security.
- Go to WP Dashboard > Settings > Duo Two-Factor to do so. This page contains the necessary settings. Copy and paste the Duo Security admin interface keys into the appropriate fields. The connection is established after you click Save Changes. Your site now has two-factor authentication enabled.
- Each WordPress user should have an authentication method.
To do so, you must first log out of the WP Dashboard and then log back in. After logging in, you should see something similar to this:
- Add an Android device to your Duo Security Account.
- Select your Device.
- Now install Duo mobile on your device.
- Click the Key icon in the Duo Mobile app on your device to launch the barcode scanner. Scanning the barcode on the screen will turn your tablet or phone into an authentication device. Then click Continue.
- This confirmation indicates that the user ‘john’ has an Android device as a recognized or enrolled device in his account.
- Everything is in place now. Keep your phone/tablet close by and enter your password to proceed to stage one. You’ve arrived at the Two-Factor Authentication point.
- As a login method, you can use Duo Push or Passcode. Click login if you’ve chosen Duo Push. Your Android/iOS device should display a notification.
- Select Approve from the Duo Mobile app. You should see something like this right away:
You’ve completed the second stage of the two-factor authentication process and can now access the WordPress Dashboard. Congratulations on your achievement!
3. WP 2FA
It is a powerful WordPress two factor authentication plugin that is simple to use for both the admin of the website and the users. The main purpose of the plugin is to enhance the security of the WordPress site’s authentication, improve team productivity, and ensure your customers & business partners keep data secure.
The plugin has support for various custom login pages, post-login redirects, and multiple login page and process modifications. The best thing about this plugin is that even if you don’t have access to the dashboard area, you can configure 2FA from custom pages and other front-end dashboards and customer portals using the shortcodes and other options. The plugin integrates well with third-party services like Authy and Twilio to provide users with extra authentication channels such as push notifications and SMS.
WP 2FA offers different licenses depending on the requirements of the users. You can choose a plan as per your needs.
- WP 2FA Starter – $29 per year
- WP 2FA Business – $69 per year
- WP 2FA Professional – $59 per year
- WP 2FA Enterprise – $99 per year
Steps for Two-Factor Authentication
Configuring 2FA WordPress on your site is simple yet effective using the WP 2FA plugin. Let us quickly go through the steps:
- Install & activate the plugin.
- After activating the plugin, go to users -> Your profile and scroll down to view the ‘WP 2FA Settings’ section.
- Here, you have to click on “Configure Two-factor authentication (2FA).”
- The plugin then asks you to select an authentication method. It has two options: a one-time code generated with your app of choice, and a one-time code sent to your email.
- The best option is to choose authentication via application as it is more secure & reliable. Choose the method and click on next to move forward.
- The plugin displays a QR code, which you have to scan with the authenticator app. For those who don’t know, an authenticator app is a mobile app that generates one-time passwords for the accounts you have saved in it for two-factor authentication. You can use any popular 2FA app like Google Authenticator, LastPass Authenticator, 1Password, etc.
- For your reference, we have chosen the Authy app. Now, click on the + icon in the authenticator app.
- The app then asks for camera permission on the phone. You need to give this permission to ensure the app scans the QR code on the plugin’s page.
- The app will now store the website account and provide a one-time password that you can use to log in.
- Click the “I’m Ready” button on the plugin’s setup wizard.
- The plugin asks you to verify the one-time password. Go to your account in the authenticator app, and it will display a 6-digit one-time password that you must enter.
- Next, the plugin lets you generate and store backup codes. You can use these codes when you are unable to access your phone. Print these codes and keep them in a safe place.
- Lastly, exit the setup wizard.
It is a popular WordPress two-factor authentication plugin that is free. You can find all the 2FA WordPress settings on the user profile page. The plugin lets you configure two-factor authentication using several methods, as given below:
- Authentication codes through email.
- Time-based one-time password. It is possible through the Google Authenticator app.
- Universal 2nd Factor (U2F), based on the FIDO standard, using a hardware security key.
One of the most effective ways to prevent unauthorized access is to enable two-factor authentication. It’s a great way to keep your security up to date. Although logging into your WordPress site takes a little longer, the extra effort is rewarded with peace of mind.
We hope you now understand how to set up WordPress multi-factor authentication on your site using SMS, Google Authenticator, and plugins, and that you are familiar with the best WordPress 2FA plugins.
The plugins we’ve looked at in this post are incredibly easy to set up and configure. You can choose a 2FA WordPress method according to your needs and enable the same on your website.
Frequently Asked Questions
Does WordPress have 2FA?
Yes, WordPress has built-in 2FA on the website from version 5.6. The built-in 2FA called “Two-factor Authentication – Time Based” uses the Time-Based One-Time Password (TOTP) algorithm, which users can enable in their profile settings.
Apart from this option, WordPress provides a wide range of plugins to implement 2FA on the website, like Google Authenticator, Unloq, Duo Two-Factor Authentication, etc.
How secure is 2FA?
Compared with standard password-only protection, 2FA is highly secure. It requires something that only you possess, such as access to your phone number or your email inbox. This reduces the likelihood of a website being compromised, making 2FA an effective method of preventing many types of attacks.