In this article we show how to add two-step verification to WordPress using free tools. There are many plugins that can do this; here we cover five.
Two-factor authentication is a popular security measure to secure online accounts. You might already be using two-factor authentication for your Google account or social media accounts like Facebook, Twitter, etc. It’s also known as two-step verification. Many websites now require you to have this feature enabled in order to secure your account. But did you know you can utilize WordPress two factor authentication as well?
Yes, you can use two-factor authentication for your WordPress website. This ensures that even if someone gets ahold of your password, they can’t enter your website without your permission. This is an extra layer of security that doesn’t only protect your accounts but also gives you peace of mind.
Every website owner wants to secure their WordPress website and two-factor authentication is a fantastic way of doing it. Now the question is how you can add 2-factor authentication to a WordPress website.
In this article, we’ll discuss the importance of two-factor authentication. Also, we’ll show you different methods of adding it to your WordPress website. So let’s get started.
What is WordPress two factor authentication?
Two-Factor Authentication, or 2FA for short, is an extra layer of security that you can add to your WordPress login page. When you enable it, logging in requires two things: your regular credentials (username and password) and your phone or a one-time password (OTP). That is why it is known as a two-factor authentication process.
The way this works is that after you enter your username and password, a code is sent to your phone. You need to enter this code to access your WordPress admin dashboard, so even if hackers know your password, they can’t get into your website. That is the basic process, but there are other authentication methods as well, which we’ll discuss below.
Why WordPress 2 factor authentication is important
It is a well-known fact that WordPress websites are frequently attacked by hackers because of their popularity. WordPress holds 43% of the market share when compared to other platforms like Drupal, Joomla, Magento, etc. While this is good news for all WordPress users, it also makes WordPress a high-priority target for hackers.
Another reason WordPress websites get hacked is that many beginner WordPress users neglect security. Due to lack of experience, many users leave backdoors to their websites open, giving hackers the chance to break in.
In 2016 WordFence conducted a survey and asked WordPress website owners a question “if you know how your site was compromised please describe how the attackers gained access”. 61.5% of people responded that they didn’t know how the hackers compromised their website.
In order to keep your WordPress website safe from malware and hackers, there are several malware removal tools and services you can use. You could also choose to change your WordPress login URL. This will knock off malicious programs that are constantly scanning the web looking for a way to breach your site. Another simple solution is to choose a strong password.
Although this might sound like a small thing, it is very important, and let me tell you why. One of the most widely used hacking methods is the brute force attack, in which attackers try to guess your username and password using automated scripts.
If they find the correct username and password, your website’s security is in grave danger. One of the best ways of protecting yourself is enabling two-factor authentication on WordPress: even if an attacker obtains your username and password, they cannot access your dashboard without the second-factor verification.
Whether you are new to WordPress or an experienced user, hackers have already tried or will try to hack your website. Two-step authentication is therefore very important for your security.
How to enable WordPress Two Factor Authentication?
There are many ways to enable WordPress two-factor authentication, and several plugins help you set up 2FA quickly and easily. Let’s look at some of the plugins you can use to enable WordPress two-step verification.
This is one of the easiest methods of applying two-factor authentication to your WordPress website. Two-Factor is a plugin with 40,000+ active installations.
What we like about this plugin is not only does it provide great 2FA options, but it’s also very easy to use. Simply download the plugin from your WordPress dashboard or from wordpress.org.
After installing and activating the plugin, go to Users > Your Profile and you will be able to configure one or multiple two-factor authentication providers for your account.
Two-Factor provides you with the following configuration for your 2FA:
- Receive authentication codes via email
- Time-Based One-Time Passwords (TOTP)
- FIDO Universal 2nd Factor (U2F)
- Backup Codes
- Dummy Method (only for testing purposes)
However, it is important to mention that the plugin doesn’t have a global setting to enable 2FA across all users. If you want to enable 2FA for all the users, then as an admin you have to enable it individually for all accounts.
The Two-Factor plugin also has a backup code option, so if you can’t verify the second factor to log in to your WordPress dashboard, you can use one of the backup codes.
Another great way to activate 2FA for your WordPress website is by using the Google Authenticator plugin made by Ivan Kruchkoff. There’s another Google Authenticator-based plugin by miniOrange which is also great but we recommend the plugin by Ivan Kruchkoff as it has more 5-star ratings and more active installations.
This plugin lets you apply two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry. Of course, you need the Google Authenticator app installed on your smartphone. You can decide which user roles two-factor authentication applies to.
After you install this plugin, go to Settings > Google Authenticator.
Next, you will see two settings. One enables two-factor sign-in and the other asks which users require two-factor authentication.
That is mostly all you need to do. The next time you log in to your WordPress dashboard, you need to enter the code that appears in your Google Authenticator app.
Using Google Authenticator, you can easily enable two-factor authentication for the users registered via other WordPress plugins such as WooCommerce, BuddyPress, bbpress, LearnDash, and more.
Another plugin that you can use to enable two-factor authentication for your WordPress website is “Two Factor Authentication” from the authors of UpdraftPlus. If you don’t know, UpdraftPlus is one of the best WordPress plugins to backup your WordPress website.
Like the previous plugin (Google Authenticator by Ivan Kruchkoff) 2FA can be made available on a per-role basis. It also gives you a QR code for scanning into your apps on your phone or tablet.
Another special feature of Two Factor Authentication is that you can define a time period within which users must set up their two-factor authentication. In other words, you can assign a time period (e.g. a week or so) within which all admins must enable 2FA; when they log in, they are taken to a special page for setting up their two-factor authentication. This is, however, a premium feature and you need to purchase it.
To select the user roles, go to Settings > Two Factor Authentication. From there you can set the user roles, and make two-factor authentication compulsory for all users (premium feature), default algorithm, XMLRPC requests, etc.
Now WordFence is one of the most popular security plugins for WordPress. It has many features to protect your WordPress website from malicious attacks and threats. Two-Factor Authentication is one of its features. If you are a user of WordFence you probably have already seen this feature.
WordFence offers many security features including the following login security features:
- Two-factor authentication (2FA), one of the most secure forms of remote system authentication, available via any TOTP-based authenticator app or service.
- Login Page CAPTCHA that stops bots from logging in.
- Disable or add 2FA to XML-RPC.
- Block logins for administrators using known compromised passwords.
After you install and activate WordFence, from your WordPress dashboard go to WordFence > Login Security. Here you can enable 2FA. You can scan the code generated here to apply two-factor authentication to your account. Some apps let you enter a text code instead of scanning; you can find this code below the QR code.
You can use the Google Authenticator app to scan the QR code; it will then generate a 6-digit code that you must enter in the appropriate field (the input field with the “123456” placeholder). Then click Activate.
After you click Activate, you will be prompted to download some recovery codes. Make sure to download them, because if you lose access to your authentication device (smartphone/tablet) you can use one of the 5 recovery codes given here. Note that each code can only be used once.
There is another plugin from WordFence called WordFence Login Security which only includes the login security features of WordFence. You can also try that in case you already have another security plugin installed on your WordPress website.
Jetpack is a very popular multi-purpose WordPress plugin by Automattic. It provides you with security, performance, marketing, and many other tools. Well, lucky for us, it also has the two-factor authentication feature.
After you install Jetpack, you’ll see the Jetpack option on your admin dashboard. (However, if you are using WordPress offline or on localhost, you might not be able to set up Jetpack.)
To enable the two-factor authentication of Jetpack you need to enable a feature called WordPress.com login. From your WordPress dashboard go to Jetpack > Settings > Security.
Enable this option and the 2nd option that says “Require accounts to use WordPress.com Two-Step Authentication”. There are other security options such as “Downtime Monitoring” and “Brute Force attack protection” which you should also enable.
There are times when you might wonder why you should go through the trouble of enabling two-factor authentication, since it makes logging in to your website take longer. But this is not something you should ignore, as it plays a big role in your WordPress website’s security. As we mentioned earlier in this article, WordPress websites are a big target for hackers.
Every day, hackers look for a backdoor into your website or a weakness they can exploit, and new scripts and malicious programs are being developed to crack usernames and passwords. Therefore, it is essential to have a strong password and to add 2FA (two-factor authentication) to be on the safe side: even if hackers manage to crack your strong password, they will not be able to access your website without your second factor.
So are you using two-factor authentication for your WordPress website? Let us know your experience in the comments section.
Disclaimer: This post may contain affiliate links and we may receive a small commission if you purchase something by following them. However, we only recommend services/products that we believe will serve your purpose well.