Two-factor authentication – commonly referred to as 2FA – adds an extra level of protection for user accounts. As much of our daily lives these days happens online with the use of mobile and laptop devices, it’s only natural that our accounts have become a target for criminals. This means that we need to adapt to new technologies to improve our security – and learning how to add two-factor authentication in WordPress can do just that.
Each type of technology has its own benefits and drawbacks – and two-factor authentication is no exception. Let’s see how it stacks up.
Two-factor authentication systems gained widespread popularity due to the extra level of security they offer users. Briefly, they provide the following benefits:
- Stronger protection
- Low cost
- Easy to implement
This technology is a reliable and effective system that blocks malicious access to accounts. Like any other system, it still has some drawbacks.
- Takes longer to log in
Common Types of Two-Factor Authentication in WordPress
Various types of 2FA have been created and adapted in different environments to increase the level of protection. We’re going to cover these briefly in this section.
Probably the oldest method is the one that produces a token. These devices normally take the shape of a key fob or a USB stick and produce a token key which is valid for 30 seconds.
This method is one of the most popular forms of producing tokens. It relies on software, a mobile app for example, to provide users with a one-time passcode.
Some of the big companies like Google have quickly come around to using voice/text message for tokens. Chances are that you’ve used this if you have a Gmail account.
In this method, after entering a username and password, the site sends a one-time passcode to the user’s phone to complete the login process.
Instead of sending a passcode, the site sends a push notification to the user’s mobile device to approve or deny access.
With new innovations such as detecting fingerprints and facial recognition, it’s now possible to treat the user as a token. It’s likely that this method will soon be the most popular.
Popular Plugins for Two-Factor Authentication in WordPress
Some WordPress plugins are available that allow you to quickly implement two-factor authentication in your website. We selected the following plugins based on their popularity and the number of downloads. We’ll briefly explain three of them in the following sections.
- Google Authenticator
- Two Factor Authentication
- Wordfence Security – Firewall & Malware Scan
- Duo Two-Factor Authentication
- Rublon Two-Factor Authentication (2FA)
Google Authenticator Plugin
The Google Authenticator plugin provides WordPress users with 2FA using the Google Authenticator app (which can be downloaded on any iOS or Android device).
If you’ve taken steps to enhance your security, then you might have already downloaded the Google Authenticator app on your mobile device. This plugin is already in use for a number of other sites and services including Gmail, Dropbox, and Amazon.
- Fast setup
- Usage of software to generate codes
- Install the Google Authenticator plugin and activate it.
- Go to the Settings > Google Authenticator page and configure the settings to fit your site.
Two Factor Authentication Plugin
You can secure your WordPress login with this Two Factor authentication plugin. Users for whom it is enabled will require a one-time code in order to log in.
- Supports standard TOTP + HOTP protocols (and so supports Google Authenticator, Authy, and many others).
- Displays graphical QR codes for easy scanning into apps on your phone/tablet
- TFA can be made available on a per-role basis (e.g. available for admins, but not for subscribers)
- TFA can be turned on or off by each user
- TFA can be required for specified user levels, after a defined time period (e.g. require all admins to have TFA, once their accounts are a week old) (Premium version)
- Works together with “Theme My Login” (both forms and widgets)
- Includes support for the WooCommerce and Affiliates-WP login forms
- Does not mention or request the second factor until the user has been identified as one with TFA enabled (i.e. nothing is shown to users who do not have it enabled)
- WP Multisite compatible
- Simplified user interface and code base for ease of use and performance
- Added a number of extra security checks to the original forked code
- Works together with “WP Members” (shortcode form)
Read more about this plugin here.
- Install the Two Factor Authentication plugin and activate it.
- Go to the Two Factor Auth page and enable it.
Wordfence Security – Firewall & Malware Scan Plugin
Included in the Wordfence plugin is an endpoint firewall and malware scanner, both of which were created from scratch to safeguard WordPress.
This is an all-in-one security plugin. Two-factor authentication is only one of its features.
- Two-factor authentication (2FA), one of the most secure forms of remote system authentication available via any TOTP-based authenticator app or service.
- Login page CAPTCHA stops bots from logging in.
- Disable or add 2FA to XML-RPC.
- Block logins for administrators using known compromised passwords.
Read more about this plugin here.
- Install the Wordfence Security – Firewall & Malware Scan plugin and activate it.
- Go to Wordfence > Login Security and scan the codes with your authenticator app. If you need further guidance, you can read this article.
In this article, we first explained what 2FA is and the different ways in which it’s used. In today’s world, digital technologies play an increasing role in our lives, which means the importance of security now takes center stage. This is where 2FA comes into play: this system is crucial for almost all websites and it’s highly recommended that you use it for your website. We further highlighted some WordPress plugins specifically designed for 2FA and their features and provided the steps you need to take to seamlessly install each plugin.
Another important step in setting up RADIUS two factor authentication is configuring the software on the RADIUS server. Once this has been configured, you can use it to enforce two factor authentication for users in radius 2 factor authentication. Protectimus requires administrator access and user group permissions to connect to your RADIUS server.