It doesn’t take long for your digital life to be totally destroyed. Remembering usernames and passwords can be a real headache, so it’s not surprising that most people use the same information across multiple accounts, such as email, social media, and even banking. But if an account password is hacked and stolen, that security breach can compromise your other accounts.
Do you know what WordPress two-factor authentication is? It is one of the best ways to prevent unauthorized access to your WordPress account and increase the overall security of your WordPress site. Unlike the traditional way of checking authenticity, which is based on something you know (your password), two-factor authentication goes a step beyond by adding something you have (authentication with the help of one of your devices or external accounts).
If you manage a WordPress site or even multiple sites for clients, reinforcing the overall security of a site is not an easy task. Most users know how to strengthen passwords, but a stronger way to combat brute-force attacks is two-factor authentication.
Even if a hacker guesses your username and password, he won’t be able to access your site without a code or token, which is usually connected to your smartphone.
According to Google, two-factor authentication stops 100% of automated bot attacks. This approach to account security is also effective in battling bulk phishing attacks, and can significantly help in targeted attacks.
Why You Should Start Using Two-factor Authentication?
Unfortunately, WordPress is a tempting target for malicious hackers. Regardless of the motives behind the attack, hackers are more likely to focus on WP websites than on sites which run on other CMSs. When you suspect or are sure that your WordPress site has been hacked, you can use a WordPress malware scanner like WP Hacked Help, which can scan your website instantly and remove malware completely.
A common threat for WP users is using old, non-updated installations of the platform.
According to stats gathered from more than 40,000 WP sites in Alexa’s top 1 million, over 70% of them are vulnerable to cyber-security attacks. In January 2020, Microsoft reported that over 1.2 million accounts were compromised. In another study, Security Magazine said that a hacker attack happens on the web every 39 seconds on average, and the number is boosted by the use of non-secure account protection systems.
Here are some of our suggestions for bulletproof plugins to enable two-factor authentication on a WordPress site.
In this summary, we will look at some of the best two-factor authentication plugins for WordPress.
Google Authenticator – WordPress Two Factor Authentication
The Google Authenticator plugin is probably the most popular security authentication plugin available for WordPress. This plugin offers two-factor authentication with the Google Authenticator app for iPhone, Android, and Blackberry.
Google Authenticator is the king of authentication. It enables a smooth, easy and completely free 2FA process. This app and authentication method is actually used in many other 2FA plugins, so you can skip the other developers and install directly from Google.
The plugin pairs up with the Google Authenticator app (which you can get in the App Store or Google Play store) and uses your mobile device to prove that you’re the sole owner of the account you want to access.
The plugin is absolutely free, and that is reflected in its features and possibilities. However, with 2FA, you don’t need a complex plugin with dozens of different perks. If you simply want to set up two-factor authentication in just a couple of minutes, Google Authenticator is your guy.
- Once the plugin is installed and activated, the plugin settings will appear in Users > Your Profile.
- From there, you can set a secret key or use a QR code.
- Then you must download the free Google Authenticator application on your smartphone and enter the secret key or QR code to be able to link the application to your WordPress site.
- Once all this is configured, every time you access your site you will have to open the application on your phone and enter the provided authentication key before the timer runs out.
This is a great complement if you want to easily increase the security of access to your WordPress Website.
UNLOQ – Two Factor Authentication (2FA)
Just like Google, to use the UNLOQ Two Factor Authentication Plugin as your 2FA method, you will have to install the app on your phone. Still, the setup process is very easy and fast and you’ll be ready to go in no time.
- To start, just download the plugin and the app for your phone.
- After you confirm your email, you will be asked to set up the plugin.
- You can choose to enter your WP dashboard with password only, UNLOQ only or both.
This is great for when you want to switch it up from time to time or ease up on 2FA when you’re on-boarding a new team member. This plugin makes it easier to shut down 2FA once it’s activated compared to other plugins.
You can also choose one of the three options for UNLOQ authentication: email, a time-based one-time password or a push notification.
MiniOrange Two-Factor Authentication WordPress Plugin
MiniOrange Two factor Plugin is a powerful 2FA plugin that will enable you to set up a two-factor authentication that suits your needs and preferences the best. It’s one of the top favorites as per WP plugin reviews, experts and web developers. You can choose among these authentication options:
- Google Authenticator
- QR code
- miniOrange Token
- Push notifications
- Security Questions
As you can see, this plugin offers the widest range of 2FA options of all the plugins out there.
“The miniOrange is a very well-developed and secure plugin. Just ask any WP developer for a recommendation and they will likely mention this plugin,” says Neightan White, a blogger at SupremeDissertations.
Duo Two-Factor Authentication – WordPress plugin
Duo Two-Factor Authentication Plugin is very simple but very efficient. It allows you to set up an additional layer of security for your WordPress admin area in just a couple of minutes. Two-factor authentication allows you to add an extra layer of access security to your WordPress site using your smartphone. There are three authentication methods available:
- Duo Push notification
- Text Message
The plugin is very user-friendly and it’s likely that you won’t have a single difficulty during installation and configuration. Duo has deliberately focused on authentication methods that can work when you’re offline too such as callbacks, text messages and custom passcodes.
You will have to download and install the Duo plugin and application, and also create an account on the Duo Security website to obtain the security keys.
The next time you log in to your site, you will be directed to another login page where you can choose how you want to authenticate.
There are multiple ways to authenticate, including using the mobile application, one-time access codes generated in the application, one-time access codes delivered by SMS, a callback to any mobile or landline, and one-time access codes generated by an OATH-compliant hardware token.
We prefer to use Duo Push, which sends a message to your phone and opens the Duo app, allowing you to approve or deny an access request.
WordPress Two-Factor Authentication | SecSign 2FA
SecSign WordPress Plugin advertises as a plugin that ‘secures all your logins and gets rid of any password problems’. The way they do this is by adding an extra layer of security based on your mobile phone or Apple watch.
Among all the other plugins that we presented, SecSign is the only one that uses fingerprints as an option for authentication.
Also, unlike other plugins on this list, with SecSign you won’t even use your WP credentials to enter the admin area. Instead, you can access your site with a personal SecSign ID.
Keyy Two Factor Authentication (like Clef) – WordPress plugin
With the Keyy Two-Factor Authentication plugin, you can enter your WP site with the help of your mobile phone. You can access the site simply and instantly by scanning a code that’s provided through the app. We must say that Keyy is fantastic for a free plugin. This app and plugin combo allows you to replace the username and password of your WordPress site with your smartphone.
When you enter your regular WordPress area, you will be redirected to a custom Keyy login screen where you can continue the login process with a code or a key wave. (This also means that you won’t have access to your regular WP login screen as long as you have the plugin activated).
Keyy is the heir of the Clef Two Factor plugin, made by UpdraftPlus. Here’s how it works:
- Download the app directly from the Apple iTunes or Google Play stores, then download, install and activate the Keyy plugin from the WordPress Plugin Repository.
- When you set up the smartphone app for the first time, you create a profile on your phone.
- Keyy uses that profile to generate a new digital signature every time you want to log into your site. Instead of logging in with a password, the login screen will be replaced by the “Wave”, which you will have to sync with another Wave on your phone.
- The smartphone app will then grant you a one-hour session to use your site, unless you increase the session time on your phone.
This is a great plugin/app and it’s definitely worth checking out.
Two-Factor Authentication – Wordfence
The WordFence Two-Factor Authentication is completely free and helps you add 2FA to any WordPress site via plugin. Not only this, but you will get access to other WordPress security features, such as live traffic monitoring, security scanner and a WordPress firewall.
There are two methods that you can use for two-factor authentication in WordFence:
- Google Authenticator or
- an SMS.
If you want to have a plugin that will simultaneously perform other security functions other than 2FA (which means that you’ll be giving it more trust and responsibility as well), WordFence is a good choice.
Shield WordPress Security – (2FA)
Shield WordPress Security (formerly Simple Firewall) offers two ways of authenticating the two-factor connection: by e-mail and with YubiKey. Its e-mail authentication offers two methods (IP address and cookies) that allow users to choose their preferred method.
For example, an IP-based check may be chosen if the IP address does not change frequently, and you want to create multiple WordPress login sessions from a single network location or with multiple browsers on the same computer.
The advantages of this plugin are two-factor authentication by OTP sent by e-mail and YubiKey, IP address, and cookies. However, this plugin does not support authentication via Google Authenticator, SMS, phone call, push notification, or QR code.
Rublon Two-Factor Authentication
Rublon Two-Factor Authentication is our first recommendable two-factor authentication WordPress plugin that allows its users to set two-factor security on their site quickly and easily. All you have to do is carry out a two-step process: click download and click activate. Yes! That’s all.
Key features of Rublon Two-Factor Authentication:
- Simple and easy to use interface; does not require any training or coding knowledge
- Offers email security and mobile app scan to confirm the identity of the users
- Users can verify their identity by simply clicking on the link and scanning the code
- Provides multilingual support: English, German, Japanese, Turkish and Polish
Rublon services are applicable for only one account per site. However, if you want to protect more accounts, you need to use their Rublon Business API version.
iThemes Security Pro – Two-Factor Authentication
iThemes Security Pro (formerly Better WP Security), the paid version of the iThemes Security plugin, includes 30+ additional security features including two-factor authentication that works with Google Authenticator or Authy. You must have this application installed on your phone to configure it with your website.
You log in using your username and password and are prompted to enter a verification code that Google Authenticator automatically generates. This code only works for a single connection and changes after a few seconds.
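How the six-digit code described here and in the Google Authenticator setup steps earlier is derived from the shared secret key and then checked, as an added Python example (not the code of any plugin on this list). It follows the standard TOTP algorithm (RFC 6238); the 30-second step, the one-step drift window and the `Verifier` class are assumptions for illustration, and the sample secret is the RFC test key.

```python
import base64, hashlib, hmac, struct, time

STEP = 30    # seconds per code (assumed; the RFC 6238 default)
DIGITS = 6   # code length shown by authenticator apps
# Constructed sample secret: base32 of the RFC 6238 test key "12345678901234567890"
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, counter):
    """Code for one time step: HMAC-SHA1 over the counter, dynamically truncated."""
    padded = secret_b32.upper().replace(" ", "")
    padded += "=" * (-len(padded) % 8)          # restore stripped base32 padding
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # low nibble picks 4 bytes of the MAC
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Hypothetical server-side check: tolerates clock drift, rejects reuse."""
    def __init__(self, secret_b32, window=1):
        self.secret = secret_b32
        self.window = window        # time steps accepted on either side of "now"
        self.last_counter = -1      # highest time step already used for a login

    def verify(self, code, now=None):
        current = int(time.time() if now is None else now) // STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue            # this step (or an older one) was already used
            expected = totp(self.secret, counter)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter     # make the code single-use
                return True
        return False

if __name__ == "__main__":
    v = Verifier(SAMPLE_SECRET)
    print(totp(SAMPLE_SECRET, 59 // STEP))      # code for the step containing t=59
    print(v.verify("287082", now=59))           # first use is accepted
    print(v.verify("287082", now=59))           # replay of the same code is refused
```

Recording the last accepted time step is what makes a code valid for a single login only; without it, anyone who observes a code can reuse it until the time window closes.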
WordPress Plugins That Implement and Manage 2FA the Best Way
Two-Factor Authentication (2FA) or Two-Step Verification is an additional layer of security you add to your WordPress login pages. With 2FA it is virtually impossible for attackers to hijack your WordPress user account, even if they guess the password.
After trying each of the above plugins, what impressed me the most was Keyy. It is easy to install and have working in minutes, plus Keyy looks great.
The Google Authenticator is also a very popular and proven plugin, averaging 4.8 stars in the WordPress Plugin Repository. It is reliable and is regularly updated.
Duo is also a solid plugin that is easy to install and use.
With so many different options, it is hard to make a choice. If you are looking for a very basic plugin, go for Two-Factor or UNLOQ, which has a few more features than WordPress 2-Step Verification and Google Authenticator.
Do you use two-step authentication on your site? You can try any of these two-factor authentication plugins: Google Authenticator, UNLOQ, MiniOrange, Duo Two Factor, SecSign, Keyy, Wordfence, Shield WordPress Security, Rublon. If you go with my choice, I would recommend any of these: Google Authenticator, UNLOQ, Wordfence or Shield WordPress Security.
What plugin do you use? And if you don’t use authentication, why not?
Additional Security Measures
If you want to have the optimal support and keep your WordPress site safe from attacks, you need to make sure that you always have the latest WordPress version installed.
As an admin, you can set up strict WP password policies for all new users that sign up on your website (or you make accounts for them).
A WordPress firewall is another great way to add extra security to your website, but it only goes so far in preventing attacks. Simply setting up a firewall is, unfortunately, not enough to fend off most hacker attacks on WordPress sites.
The very thought of someone hacking your WordPress site is scary, but don’t worry, there are specific steps that you can take to prevent that from happening. The first line of defense would be to implement two-factor authentication on your WordPress login area.
The process of setting it up is really not hard or time-consuming: just install and activate a plugin and let it figure out the rest.