How to Improve Security on Your WordPress Site via Two-Factor Authentication
Will Morris, January 8, 2019
The sad truth is that no matter how small or large your site may be, sooner or later someone is going to try and force their way in. Cleaning up after a hack or other attack can be stressful and time-consuming, so it’s best to avoid security breaches wherever possible.
There are a lot of ways to tighten up your site’s security, but one of the most effective techniques is to implement Two-Factor Authentication (2FA). This adds an extra layer of protection to your site’s most vulnerable element – its login page – and keeps malicious users out.
In this post, we’ll discuss why it’s vital to ensure excellent security on your WordPress site. Then we’ll explain what 2FA is and how it works, and show you how to implement it quickly. Let’s get to work!
Why Your WordPress Site’s Security Should Be a Number-One Priority
WordPress is a fantastic platform for building your website. This is true regardless of whether you’re putting together a small personal blog or a booming e-commerce site. It’s beginner-friendly, yet flexible and powerful enough to meet just about any need.
What’s more, WordPress also stands out as a very secure platform. Its developers place prominent importance on keeping the core software safe to use and release frequent security-focused updates and patches. These ensure your site is ready to combat the latest threats.
However, no platform is perfect, and WordPress has experienced some known security problems in the past. This is mainly because the platform is so incredibly popular – powering about 27% of all sites on the internet. This makes it a prime target for hackers, who are constantly looking for new vulnerabilities and holes that can be exploited.
Therefore, you don’t want to rely solely on the platform’s built-in security features. Instead, you’ll need to put together a comprehensive security plan for your site, in order to cover all the necessary bases. Not doing this can result in:
- Stolen data, either from you or your site’s users
- Malicious content added to your site, such as links and downloads
- Performance problems and downtime
If you want to avoid these scenarios, you’ll want to start attending to your site’s security needs now. To do so, the best place to start is with your login page.
The Importance of Securing Your Site’s Login Page
If you think of your website as a house, its login page is the front door. A burglar trying to break into your home would most likely try and make their way through the main entrance – and the same is true of your site.
This is especially relevant for WordPress, as by default the platform gives your site’s login page a very predictable URL (such as www.example.com/wp-login.php). The fact that this address is so easy to guess means your ‘front door’ is simple to find. After that, all a hacker needs to do is force their way in.
Fortunately, there are plenty of ways to protect the entryway to your site. For example, you can change the location of the login page, giving it a unique URL that’s much harder to guess. You can also limit the number of login attempts permitted from each IP address. Since most ‘brute force’ attacks involve a bot trying many username and password combinations until something works, locking a user out after several failed logins is a useful preventative measure. If your website is hosted with Savvii, this number is already limited.
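To show what the per-IP limit described above actually looks like, here is an added Python example (not code from this post, from any plugin, or from Savvii’s hosting platform) that runs a sliding-window lockout check over constructed Apache-style access-log lines. It assumes the default WordPress behaviour of answering a failed login form submission with HTTP 200 and a successful one with a 302 redirect to the dashboard.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from a real server): 203.0.113.7 hammers the login form,
# while 198.51.100.2 fails once and then succeeds (302 redirect to the dashboard).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4532
203.0.113.7 - - [08/Jan/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4532
198.51.100.2 - - [08/Jan/2019:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4532
203.0.113.7 - - [08/Jan/2019:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4532
198.51.100.2 - - [08/Jan/2019:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [08/Jan/2019:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4532
203.0.113.7 - - [08/Jan/2019:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4532
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\w+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line):
    """Return (ip, epoch_seconds, method, path_without_query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def find_lockouts(log_text, max_failures=5, window_seconds=300):
    """Map each IP that reached max_failures failed wp-login.php POSTs inside a sliding
    window to the time the threshold was crossed; a 302 (success) resets that IP."""
    recent, locked = defaultdict(deque), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != "POST" or rec[3] != "/wp-login.php":
            continue
        ip, ts, _, _, status = rec
        if status == 302:
            recent[ip].clear()
            continue
        if status != 200:          # e.g. 403 from a WAF: not a form failure, not counted
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window_seconds:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in locked:
            locked[ip] = ts
    return locked
```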
Both of those techniques help to reduce hacking attempts from making their way into your site. However, perhaps the best way to protect your site’s most vulnerable entryway is to use something called Two-Factor Authentication (2FA).
An Introduction to Two-Factor Authentication
You’re no doubt familiar with the standard login process for WordPress. Even if you’re not, it’s a system you’ve seen many times. You simply enter a username and a password, and you’re granted access to the back end of the site.
This is a tried-and-true method, and it works well enough. This is especially true if you choose a unique username and a strong password. However, if a hacker or bot manages to guess these two credentials, they’ll have complete access to your site.
This is where 2FA comes in. This technique adds a second layer of protection to your site – hence the name ‘two-factor’. With 2FA activated on your site, you’ll still need to log in using your username and password. Yet you’ll also need one more piece of information – a unique one-time code.
In most cases, this code will be sent to your email address or mobile device when you attempt to log in. You’ll have to enter the code along with your credentials, before you’ll be granted access to your site. Each time you log in, you’ll receive a different code (usually a string of numbers and/or letters).
This does make logging into your site a little more time-intensive, and can seem like a hassle. However, it’s well worth the effort for most sites. After all, with 2FA set up, no one will be able to log in using your account unless they not only have your credentials, but also access to your private email or device. Since this is highly unlikely, 2FA is an excellent way to secure your login page.
You can even set up each user on your site with this system, so anyone logging in will need to enter a code each time they do so. You’ll also be able to pick and choose who should be granted access. As such, a hacker would somehow have to get their hands on one of those people’s phones or email accounts in order to force their way in.
How to Secure Your Site via 2FA (Using 2 Plugins)
As with so many things in WordPress, the best way to implement 2FA is to use a dedicated plugin. Fortunately, there are many options that can help you add an extra layer of security to your site quickly.
In the following sections, we’ll introduce two of the best WordPress plugins for setting up 2FA. Either one is an excellent option – which one you use will largely come down to personal preference. We’d suggest reading through both methods before choosing the approach you’d like to use.
Method 1: The Two Factor Authentication Plugin
Sometimes, the best WordPress plugins are the ones with the most obvious names. Such is the case with Two Factor Authentication, a tool that lets you know exactly what it does upfront:
This plugin is developed by the creators of UpdraftPlus – an incredibly popular security plugin for WordPress. It lets you easily set up 2FA on your site, and configure the way your system works.
Two Factor Authentication:
- Supports many popular authentication methods, such as Google Authenticator and Authy
- Enables easy app setup via QR codes
- Makes it possible to configure who 2FA is set up for, including specific users and user roles
All of the above are included in the free version of the plugin. However, there’s also a premium version with a few extra features. These include emergency codes (in case you lose your linked device), and the option to let administrators view other users’ codes.
For now, we’ll stick with the free version of the plugin. To get started, you’ll need to install and activate it on your WordPress site. Then, navigate to the new Two Factor Authentication section of your dashboard:
Here, you can set up your own personal 2FA settings. Changes made here will apply only to your specific account. First and foremost, you’ll want to check Enabled under Activate two-factor authentication and then save your changes.
At the bottom of the page, you’ll also be able to choose which algorithm should be used to generate your one-time 2FA codes:
TOTP is generally the more reliable method and the one we’d recommend. This will create codes that are each valid for 30 seconds (while HOTP generates a series of codes in a sequence that does not rely on time).
Then you can scan the QR code on this page with your mobile device, which will enable you to quickly set up a 2FA app.
If you have any other users on your site, you’ll also want to configure your global 2FA options. To do so, head over to Settings > Two Factor Authentication:
Here, you can choose which user roles should be able to use 2FA. If you have the premium version of the plugin, you can also make 2FA mandatory for any or all of those roles. The rest of the settings on this page are best left at their defaults for most users.
Once you save your changes, your new 2FA system is ready to go! Don’t forget to let all affected users know about it. They’ll each need to scan their account’s QR code and set up the app on their devices as well.
Method 2: The miniOrange Authenticator Plugin
If you’re looking for a solution that’s a little simpler and more straightforward than the above method, the miniOrange Authenticator plugin is also worth a look:
With this tool, you can set up 2FA on your site in just a few minutes. The free version of the plugin will provide you with 2FA for one user, via any one of a variety of methods (including Google Authenticator, Authy, and LastPass).
There’s also a premium version, which will let you enable 2FA for multiple users and/or user roles. You’ll also be able to configure the information needed for each login – for instance, you can require just a username and 2FA password.
After installing the plugin on your site, you’ll be prompted to choose which authentication method you’d like to use:
While you can select any option, Google Authenticator is an excellent pick if you don’t already have a strong preference. Either way, hit Configure to walk through the process of setting up your chosen authentication method on your mobile device:
After that, select the Test Authentication Method button at the top of the page. This lets you run a trial to make sure your 2FA system is working. At this point, the plugin is ready to go – there’s no additional configuration required. This is an incredibly simple way to get 2FA up and running on a WordPress site, although, as we mentioned, you will need the premium version of the plugin if you want to enable this login method for multiple users.
For any website owner or developer, security should be a top priority. While WordPress is a secure platform, there are a lot of hackers out there constantly searching for vulnerabilities and trying to force their way into as many sites as possible.
As we’ve discussed, one of the best ways to secure your WordPress site is to prevent malicious users from being able to log in. This means setting up 2FA, so anyone who wants access will need a username, a password, and a code sent to a pre-determined email address or mobile device. The good news is that you can set up 2FA easily, using a plugin such as Two Factor Authentication or miniOrange Authenticator.
Do you have any questions about how to set up 2FA using the plugins introduced above? Let us know in the comments section below!
Image credit: Dean Sas.