WordPress and 2FA (Two Factor Authentication)
It’s a well-known fact that a strong, unique password is essential for the security of your WordPress website. It is now equally well known that a password alone is not enough: passwords leak in breaches, get reused across sites and get phished, and a brute-force or credential-stuffing attack against wp-login.php needs nothing more than the right username and password to succeed.
Two Factor Authentication, or 2FA, has been implemented widely enough that you might have heard of it at least once before, perhaps to secure your email or your Facebook, or a host of other services that now use this method.
Today, we’ll look at 2FA and how we can implement it in WordPress to prevent unauthorized access.
Two Factor Authentication (2FA) and Why We Need It
As the name suggests, 2FA adds an extra step, a hurdle for trespassers: logging in requires two factors, the password (something you know) plus a second proof of identity, normally something you have, such as a phone running an authenticator app, a code delivered by text or email, a push notification you approve, or a hardware security key. (The QR code you scan when setting up an authenticator app is not a factor in itself; it only transfers the shared secret to your phone.) Ideally, an attacker who has your password still has none of these.
In this age of password leaks and breaches, it only makes sense to add a free, opt-in but strong layer of security like 2FA to keep the undesirable elements out of your website. One caveat: not all second factors are equal. Codes sent by text or email can be intercepted through SIM swapping or a compromised mailbox, and any code you type can be phished in real time; an authenticator app is better, and a hardware security key is the strongest option.
How Two Factor Authentication Works
Google’s own 2-Step Verification help page gives a quick demonstration of the flow you would get on your website.
Usually, without 2FA, you enter a username and password on the WordPress login page and have instant access, so all anyone has to figure out to compromise your site are those two values: the username (often guessable, and disclosed by author archives and the REST API) and the password.
2FA steps in to prevent exactly this. In WordPress with 2FA, you still enter the username and password, but once you click ‘Log In’ you get a second prompt: enter the one-time code from your authenticator app, or the code just sent to your phone or email, or approve the push notification, or tap your hardware key. Only when that second step succeeds does WordPress create your session. A time-based code expires within a minute or two, and a properly implemented check refuses to accept the same code twice, so a code an attacker manages to capture is of little use.
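As an added example (not code from this article or from any of the plugins discussed below), the following stand-alone PHP script shows what the server does in that second step when the factor is an authenticator app: it computes time-based one-time passwords (TOTP, RFC 6238) from a shared secret, checks a code only after the password has been verified, tolerates one step of clock drift, and refuses to accept a code for a time step that has already been used. The user record, the password and the base32 secret are constructed for the demonstration (the secret is the RFC 6238 reference key); wiring it into a real site, for instance from WordPress’s `authenticate` filter, is left out so the script runs with nothing but the PHP CLI.

```php
<?php
// Added example: server-side second step for an authenticator-app factor.
// Stand-alone; runs with `php totp_demo.php` and needs no WordPress install.
declare(strict_types=1);

/** Decode an RFC 4648 base32 string (the format authenticator apps are given). */
function base32_decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    if ($b32 === '') {
        throw new InvalidArgumentException('empty secret');
    }
    $bits = '';
    foreach (str_split($b32) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException("invalid base32 character: $c");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {                      // drop the trailing partial byte
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

/** One TOTP value (RFC 6238 with HMAC-SHA1, the variant Google Authenticator uses). */
function totp(string $secret, int $unixTime, int $digits = 6, int $step = 30): string
{
    $msg  = pack('J', intdiv($unixTime, $step));       // 8-byte big-endian counter
    $hash = hash_hmac('sha1', $msg, $secret, true);
    $off  = ord($hash[strlen($hash) - 1]) & 0x0f;      // dynamic truncation (RFC 4226 5.3)
    $code = ((ord($hash[$off]) & 0x7f) << 24)
          | (ord($hash[$off + 1]) << 16)
          | (ord($hash[$off + 2]) << 8)
          |  ord($hash[$off + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/**
 * Check a submitted code against the user's secret. Accepts +/- $window steps
 * of clock drift and rejects any step at or before the last one already used,
 * so a captured code cannot be replayed. Returns the accepted step, or null.
 */
function verify_totp(string $secret, string $code, int $now, ?int $lastUsed, int $window = 1): ?int
{
    if (!preg_match('/^\d{6}$/', $code)) {
        return null;
    }
    $current = intdiv($now, 30);
    for ($ctr = $current - $window; $ctr <= $current + $window; $ctr++) {
        if ($lastUsed !== null && $ctr <= $lastUsed) {
            continue;                                   // already consumed
        }
        if (hash_equals(totp($secret, $ctr * 30), $code)) {   // constant-time compare
            return $ctr;
        }
    }
    return null;
}

/** The login flow: password first, then the second factor; returns a status string. */
function login(array &$user, string $password, ?string $code, int $now): string
{
    if (!password_verify($password, $user['pass_hash'])) {
        return 'denied: wrong password';
    }
    if ($code === null) {
        return 'challenge: enter the code from your authenticator app';
    }
    $ctr = verify_totp(base32_decode($user['totp_secret']), $code, $now, $user['last_step']);
    if ($ctr === null) {
        return 'denied: wrong, expired or reused code';
    }
    $user['last_step'] = $ctr;      // consume the step; persist this per user in practice
    return 'granted';
}

// Constructed demo data: one Editor account. The secret is the RFC 6238 reference
// key "12345678901234567890" in base32; the password is only a demo value.
$user = [
    'login'       => 'editor',
    'pass_hash'   => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    'totp_secret' => 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ',
    'last_step'   => null,
];
$now    = 1111111109;                                  // a reference time from RFC 6238
$secret = base32_decode($user['totp_secret']);

echo login($user, 'letmein', null, $now), "\n";                                    // password guess
echo login($user, 'correct horse battery staple', null, $now), "\n";               // password only
echo login($user, 'correct horse battery staple', '123456', $now), "\n";           // no real factor
echo login($user, 'correct horse battery staple', totp($secret, $now), $now), "\n";      // genuine code
echo login($user, 'correct horse battery staple', totp($secret, $now), $now + 5), "\n";  // same code again
```

Run it with the PHP CLI. The password-only attempts never reach the code check, the made-up code is rejected, the genuine code is accepted once, and presenting that same code again five seconds later is refused because its time step has been consumed. In a real plugin the secret and the last accepted step would be stored per user (WordPress user meta is the usual place) and the check would run from the `authenticate` filter after the password check.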
Setting Up Two Factor Authentication with Plugins
Your hosting provider may offer 2FA that you just need to enable, but check what it actually protects: often it covers only the hosting control panel, while wp-login.php stays password-only. For the WordPress login itself, you guessed it, we have WordPress plugins that can help:
1. Rublon Two-Factor Authentication
This simple plugin from Rublon lets you easily block unauthorized access. Install and activate the plugin, and on the next login you will be emailed a verification link. At that point you can choose to trust the device you are on and skip the second step from that browser in future, or take the safer route and keep 2FA on every login, even on your own device. Remember that a trusted browser is only as safe as the laptop it runs on.
The free version is more than enough for a single-user website, and installation takes a minute. A paid upgrade from Rublon’s site covers a multi-user setup. While it only used to support email verification, it now has a mobile app that can handle TOTPs (Time-Based One-Time Passwords), QR-code enrollment, push-notification confirmations, and even codes via texts sent to your phone.
2. Duo Two-Factor Authentication
If Rublon is simple, Duo is advanced. How advanced, you ask? For one, you can configure 2FA according to the user’s role, so you can mandate it for Administrators, Editors and Authors while keeping the process simple for Subscribers, whose default privileges cannot change the site. Do not assume a Subscriber account is harmless, though: a compromised low-privilege login is the usual starting point for privilege-escalation bugs in other plugins, so if the user count allows it, enable 2FA for everyone. It also supports a variety of verification options, including phone callback, hardware tokens and mobile-app push notifications.
There is no multisite support, however, so keep that in mind. The free version lets you enable 2FA for up to 10 users; beyond that, you can upgrade for as little as $3 per extra user per month.
3. Google Authenticator
Those of you who have been acquainted with 2FA for a while have no doubt already heard of Google Authenticator, and probably use it. This plugin from miniOrange (named after the app, not made by Google) supports an even wider range of verification methods than Duo and can also be configured per user role. It integrates with WooCommerce and other popular plugins and offers extras such as IP blocking and user monitoring.
It can even be set up for passwordless login, where the authentication method of your choice replaces the password entirely. Note that this is then a single factor again, not two, so pair it with an authenticator app or hardware key rather than an email link. The free version covers up to 3 users, with yearly upgrade plans from $30.
That’s a wrap from us at Vipe Studio, and we hope you’re now on your way to confidently upgrading the security of your WordPress!