Adding Two-Factor-Authentication (2FA), also sometimes called Multi-Factor-Authentication (MFA), to your WordPress login page exponentially increases your website’s resistance to brute force attacks.
Using it on all your accounts can help to protect you against identity theft.
Why use two factor authentication?
Two factor authentication adds a second security element that needs to validate before access to your website is allowed. That makes three factors in all:
- Your username
- Your password
- The time-sensitive, one-time 2FA security code
It works on the basis of verifying your username against something you know (a password) and something you have (a device – e.g. your smartphone, tablet, etc – that displays the one-time 2FA code).
Combining the ‘Something you have’ element with the sign in process hugely increases the strength of your login protection.
Benefits of multi factor authentication
Multi-factor authentication adds an extra step into the login process, through issuing a one-time password, that you need to use within a defined period of time, to access your site.
The time-sensitive, one-time password is sent to a device you own, which must be in your possession for you to be able to access your site.
As long as your device is in your possession, the brute force hacker will not be successful at gaining access, because they will not have access to the one-time password.
As soon as you’ve used the one-time password, or when the time limit has been reached, it expires. So even if you don’t use it at that moment, and someone gains possession of your device, they won’t be able to use it later.
How to set up two factor authentication on WordPress?
The best way to add 2FA to your WordPress site is to use a plugin.
There are standalone 2FA plugins (just Google two factor authentication plugins for WordPress) and some security plugins offer it as part of their built-in functionality.
So, choose the plugin you will use, activate it, and then check which 2FA provider(s) your plugin works with.
There are two steps to setting this up
First step – link your website to a 2FA provider:
The plugin that you use will give you instructions on how to set up a 2FA account with the provider it supports, and then link your website to your 2FA account.
Although the process is pretty standard, it does vary slightly depending on the plugin you’re using.
Second step: link your website to your device
You will then need to install the provider’s 2FA app onto your device, and link the app with your website.
On Authy this is done by scanning a QR code after you’ve installed the Authy app on your device. Other providers may vary.
Again, just follow the instructions.
Once you’ve connected your WordPress site to your two-factor authentication account via the plugin, and to the 2FA app on your device via the QR code, save the settings and you’re all set.
Next time you log in to your website a new screen will be displayed after entering your username and password.
On this second screen you will be asked for the authentication code.
So fire up the app on your device, tap the account you’re logging in to and then type the one-time code it will display into the field on your WordPress login screen.
You’re home and dry.
What can go wrong with two factor authentication?
The biggest risk with using two factor authentication is being locked out of your website.
This happened to me when my phone crashed and I lost the means of getting my one-time codes.
Nothing to do with the 2FA app – it was purely coincidental..! (My phone’s motherboard died during an OS update).
To protect yourself against this there are a couple of things you can do:
- Make sure you choose multiple options for receiving the one-time password (you can usually choose email as well as the app on your device)
- Download and keep very safe the backup security keys that your 2FA provider will give you
I, of course, did neither of those things (duh..!).
So I was stuck until I had the brainwave of deactivating the plugin (by accessing the server and changing the plugin name – I could also have deleted the plugin via FTP).
That let me in and, once in, I was able to reactivate the plugin and turn off 2FA until I changed the notification method.
So make sure you have the backup codes stored in a very safe place and, if offered, make sure you use more than one medium for receiving the one-time codes.
Again, I strongly suggest you set up 2FA for your WordPress site – it increases protection against brute force attacks exponentially.
Have you used two factor authentication? How is it working for you? Let us know in the comments.
Owner – WP Security Basics