(A Step By Step Guide)
TABLE OF CONTENTS
Have you ever completed the two-factor authentication while logging to your account for some popular sites like Facebook and Google? Yes, there are several websites which are now giving you the option to add two-factor authentication in WordPress to improve security.
Like any other site, you can now Add WordPress Two-Factor Authentication (TFA) easily. This ensures the highest security for your WordPress site.
In this detailed article you will learn about what it is & how to setup two-factor authentication in WordPress🔐. Also find compilation of 8 best Two-Factor Authentication (2FA) WordPress Plugins👍.
What is Two-Factor Authentication In WordPress?
In April 2013, WordPress announced Two Step Authentication as an optional new feature to help its users keeping the WordPress.com account secure. For those of you who don’t use Two-Step Authentication will come to know how useful this feature is for keeping your account secure.
Logging in with a password is single-step authentication. It is a reliable way to protect your site until and unless a server breach or hack can leak them. Even if you make good passwords and change them regularly, they need to be stored wherever you’re logging in, and this way they’re relatively easy to break.
Two-step authentication, by definition, is a system where you use two of the three possible factors to prove your identity, instead of just one. In practice, however, current two-step implementations still rely on a password you know, but use your Phone or another device to authenticate with something you have.
Why Add 2-Factor Authentication for WordPress Login?
One of the most common hacking technique used nowadays by smart hackers is brute force attacks on wordpress sites. By using automated scripts, hackers try to guess username and password to break into a WordPress site. If they steal your password or accurately guess it, then they get control over your website and can infect your website with dangerous malware.
To protect your WordPress website against login attack attempts, adding two-factor authentication is the easiest solution that will effectively maintain the security of your website. On implementing this, even if someone stole your password, they will need to enter a security code from your phone to gain access. This is why you need to add two-factor authentication for WordPress.
How To Set Up Two-Factor Authentication In WordPress?
Before you begin to use the 2 Factor Authentication, lets understand how the second step works. The code that you input during the verification can be received by you in any one of the following ways,
- Email Services: the code is sent to your email when you try to login
- SMS: Sent to your mobile phone.
- App Generated Codes: Apps like Google Authenticator and Authy will automatically generate a new code at very short time intervals.
- USB Tokens: You will simply have to insert a token into your USB port (and maybe enter a token password).
There are two ways to add two-factor authentication in WordPress:
- SMS Verification – where you receive the verification code via text message.
- Google Authenticator – Fallback option where you receive the verification code in an app.
Let’s take a look at how to add two-factor verification in WordPress login for free.
📣 1. Adding 2-Step SMS Verification to WordPress Login Screen
This method adds a 2-Step SMS verification to your WordPress login screen. When you enter the WordPress username and password, you will be asked to enter the code which you will receive through a text message on your phone.
For this, you will need to install the Two Factor Authentication WordPress plugin given below (SCROLL DOWN). Select any one.
Let’s say you are downloading Two Factor plugin. Make sure you download the latest version of the plugins. The Two Factor plugin provides you multiple ways to set up 2-step verification in WordPress. The second plugin, which is called Two Factor SMS is an addon that supports 2-Step SMS verification. You will need both these plugins activated on your website.
Steps to activate the SMS authentication:
- Download the two plugins and successfully install them.
- Upon activation, select the ‘Users’ option. There you will see ‘Your Profile’, click on it.
- On clicking you will headed towards Two Factor Options section.
- Check the box next to ‘SMS (Twilio)’ option and also click the radio button to make it your primary verification method.
- Now, scroll down to the Twilio section. Here you will asked to input your Twilio account information.
- If you have an already existing account of Twilio, go the Twilio dashboard and click on the Get Started Button.
- In case, you don’t have any account, visit their website. Click on the Sign Up Option. On the signup page, you will be asked for the usual personal information.
- Afterwards, you will be asked which products you would like to use first. Select the SMS and choose select 2-factor authentication for ‘What you are building’ option. Finally select PHP for your programming language.
- Once your Sign Up process is complete, you will be redirected to Twilio Dashboard, Thus, get started with it.
- This will take you to a settings wizard where you need to click on the ‘Get your first Twilio number’ button.
- A pop up will appear on the screen with a US based phone number. Copy the number and save this number in a text file. Now, click on the ‘Choose this number’ option.
- Exit the wizard. Now go to the settings options and choose Geo Permissions page.
- You will need to select the countries where you will be sending SMS. Therefore, select the country you live in and countries you travel to.
- Go to the Twilio console dashboard to copy your Account SID and Auth Token.
- Now that you have all the information, therefore, go to the user profile page on your WordPress site and enter your Twilio Account SID, Auth token, and sender phone number.
- Add your own phone number as the ‘Receiver Phone Number’.
- Now save the information you entered by clicking on the ‘Update Profile’ button.
- Now, logout from your WordPress site to see the plugin in action.
- Now when you go to the login screen, first you will provide your WordPress username and password. After that, you will receive a SMS notification on your phone, and you will be asked to enter the code you received.
After entering the SMS code, you will be able to access your WordPress admin area.
📣 2. Adding 2-Step SMS Verification to WordPress with Google Authentication:
It is important to keep a backup for every situation. What if you are travelling and are unable to receive text messages on your phone number? This is where fallback option comes to play.
As a fallback option, we will setup 2-Factor verification using Google Authenticator. With the help of this method, you’ll still be able to login using the Google Authenticator app on your phone.
Let’s have a look how to setup this authentication:
- As we did earlier, Head over to Users » Your Profile page and scroll down to two factor options section.
- Click the Enabled checkbox next to ‘Time Based One-Time Password (Google Authenticator)’ and then click on ‘view options’ link to begin Google Authenticator setup.
- Now you will need to scan the QR code with the Google Authenticator App.
- Install the app on your phone After installation, open it and click on the add button.
- Scan the QR code shown on the plugin’s settings page using your phone’s camera. The app will detect and add your website.
- Next, you will get a six digit code which you need to enter in the plugin’s settings page.
- Click on the ‘Update Profile’ button to save your changes.
- Now logout of your WordPress site to see if the plugin is functioning right.
- When you will login your wordpress site using username and password, in the next step you will be asked to enter SMS verification code.
If you are unable to receive the SMS code on your phone, then you can choose ‘Use backup method’ link and enter the code generated by Google Authenticator app on your phone.
8 Best Two-Factor Authentication Plugins for WordPress
✔️Two-Factor Authentication (by miniOrange)
This plugin enables you to set up two-factor authentication by SMS, push messages, device ID or even QR codes. You can choose any of the second layer security option through these methods and set up within minutes.
If you want to get an OTP verification on your mobile, you can use another plugin, SMS Verification/Email Verification. It is a great plugin that acts as a protective barrier for your website. While most of the popular websites are preserved by very high-security logins are protected by two-step authentication today
✔️Duo Two-Factor Authentication
Using the Duo Authentication lets you add Duo two-factor authentication to your WordPress site by providing an extra layer of security.
In addition to login, it enables your admins or users to pass the verification process through one-time pass codes generated by Duo’s mobile app. Its an easy to set up plugin with a user-friendly interface.
✔️Keyy Two-Factor Authentication (Clef Alternative)
Keyy provides you one-click access to all your WordPress websites and also offers you a 2-factor authentication but with a difference. The plugin replaces passwords with a sophisticated RSA public-key cryptography, that will result in a stronger security and a better user experience. It has a 2048-bit RSA digital key that is created and stored on the user’s handset.
✔️WP Simple Firewall – Shield Security for WordPress
It acts as a great plugin that acts as a protection barrier for your website from trouble using a host of security features. This can be considered as the only plugin that can protect itself and will prevent access to its settings so that anyone may not screw up your security settings.
✔️Rublon Two-Factor Authentication
Rubion’s two-factor authentication relies either on your email or its mobile app.To start with, you have to confirm your identity through any process and once it is verified, you simply need to enter your WordPress login credential if you try to login through the same browser on the exactly same device.
However, for each new device, you will need to fulfil this login criteria. This plugin is perfect for those WordPress site owners who rely on a specific set of devices in order to access their website.
The plugin allows the visitors to use their OpenID if they are willing to post a comment instead of registering another local account. It can be used by the users who want hassle free login to the websites. The plugin offers an OpenID provider that enables the users to login to the OpenID-enabled websites.
✔️5sec Google Authenticator
5sec Google Authentication taking you to the next level of WordPress security. This is a premium plugin in which a one-time password is generated on the same mobile number provided in the registration process. Anyone can only access the account through this OTP. It is one of the most secure plugin that assures protection from brute force attacks.
✔️WP Google Authenticator for WordPress
The Google Authenticator plugin generally offers you two-factor authentication using the Google Authenticator app for iPhone/Android/Blackberry. If you want security, you should have the Google Authenticator app installed on your smartphone, using it for two-factor authentication on Gmail/Dropbox/Lastpass/Amazon etc. The requirements can be taken on a per-user basis.
As the name implies, the two-step authentication is adding a step to the login process which is making it long and frustrating. While most very high-security logins are protected by two-step authentication today, many websites barely offer it as an option if they want it to implement. This is because users get annoyed if they have to log in to a service with two step authentication everyday or more than twice a day.
Two-step authentication can also prevent legitimate logins. If a user forgets their phone at home and has two-step authentication enabled, then they won’t be able to access their account.
Disable Two Step Authentication
We don’t recommend disabling Two Step Authentication, as it’s much less secure, even if you believe your password is very strong. Still if want to disable the feature, follow these steps:
- Go to your Two-Step Authentication page.
- On this page,you can easily find the Disable Two-Step Authentication button.
- Click on this option. This will prompt you to enter a code to confirm that it’s you who originally set two step authentication up.
- If you’re using an authenticator app, open it and provide the code it lists. If you’re using SMS, you’ll be sent a code to use.
- Click Disable after entering the code and your account will no longer be protected by Two Step Authentication.
Moving to a New Device
If you want to switching to a new device, and you have enabled Two Step Authentication, take the following steps to avoid being accidentally locked out of your user account.
If you are using an authenticator app to generate verification codes:
- Print a set of backup codes for your user account.
- Now, install the authenticator app on your new device,.
- Disable the Two Step Authentication link with your old device by following the aforementioned steps.
- Set up your user account to link to your new device.
- If you are prompted to enter your verification code, use a code from your list of backup codes. Keep in mind that the backup codes are one-time use only.
- You can now uninstall the authenticator app from your old device.
Note: If you are using SMS verification to receive authentication codes, you do not need to update your settings unless you are also changing to a new phone number. In that case, you will want to set up a new recovery number prior to disconnecting your old SMS number.
Lost your Device
If your phone is stolen, lost, the app is accidentally removed or you are locked out of your WordPress account, backup codes is the only solution that will help you regain access to your account. Print out some backup codes to keep in a safe place — your wallet, a filing cabinet or your document safe in case your phone is lost or stolen. You can print backup codes right from your WordPress.com Security tab.
Unable to add 2-Step Authentication?
If you are still incapable of performing this double step verification process, there is a possibility of website infection. It is essential to find if there is any hidden malware or loophole that is giving an access to the hacker again and again. Don’t worry. We are here to help you!
More About Us
WP Hacked Help Scanner will detect your website for malware and starts cleanup instantly. (TRY IT FREE) We check the files with our database for malicious code and keep you updated throughout the entire hacked WordPress cleanup process. The featured list of all the infections we remove is given below:
- Malware Injections
- Google Blacklist Warnings
- Defacements With Gibberish Keywords Hack
- WordPress Backdoors
- WordPress Pharma Hack
- Japanese SEO Spam
- Phishing Files
- WordPress Malicious Redirects