
What is Google 2-Step Verification and Why You Should Use It

One of the easiest ways that hackers can get access to your WordPress website is by using your login. Why is this? Most users use a 1-step login. The typical 1-step login process allows a user to enter a user name and password in order to enter the site. Anyone that has, or can guess, the user name and password can log in. User names are easy to find and passwords can be guessed and phished. Once someone gets your login credentials they have the same access that you do.

Hackers can get your passwords in several ways:

  • If you use the same password on multiple sites
  • If you click on suspicious links within email messages
  • If you run software from the Internet that contains code to capture your passwords

To help improve security, many sites add a CAPTCHA (against robots) or limit login attempts (against brute-force attacks). This does help, but there’s one problem: these measures don’t keep hackers from getting your password, and that’s all they need. That’s the advantage of 2-Step Verification (also commonly known as 2-factor authentication) - it makes logging in a 2-step process.

The 2-Step Process

First, you would enter your user name and password as normal. However, instead of instantly having access to the site, you then receive a code to enter as a second step of verification. This code usually comes to you as a text on your smartphone.

This adds an extra layer of protection to your login. If attackers figure out your username and password, they still need the authentication code or they cannot access your website.

There are several companies that provide a 2-Step verification service. I want to discuss Google.

Google 2-Step Verification

Google 2-Step Verification is a popular free authentication service and it has a lot of benefits. You receive the code on your phone as a text, as a voice call, or through an app. The code is created specifically for your account and only when you need it. The code can only be used one time.

For improved security you can use a USB security key. The security key provides better protection against phishing because you don’t actually see the code. Also you don’t have to type the code in, saving you time and the headache of mistyping something. The security key is recommended unless you’re using a mobile device to access your website or you’re not using Google Chrome. Even when you have a security key you still have the option of using a code. The key uses an open standard called “FIDO Universal 2nd Factor (U2F)”. They can be purchased on Amazon. Prices start at $6.

If you travel to an area that doesn’t have phone service, you can still use 2-Step authentication, either with the USB security key or by downloading and printing a list of one-time-use backup codes. The authentication process even works without an Internet connection.

If you sign in on the same computer then you’ll only have to use 2-Step verification if you sign out and then back in. If anyone uses your login on another computer they’ll have to use 2-Step verification.

You can provide backup phone numbers so you can receive your code if your primary phone is not available.

The reason this works so well is it requires the person logging in to have something that only you have: either your phone or your USB security key.

Implementing 2-Step Verification

In order to implement Google 2-Step Verification you need the app on your phone and a plugin installed on your WordPress website. The app is available from Google for Android, iOS, and Blackberry devices. Running it on WordPress requires a third-party plugin. There are several good plugins to implement it and they have a range of features. Here’s a quick look at a few of them.

Google Authenticator for WordPress

Google Authenticator for WordPress is a free plugin that allows you to set the 2-Step authentication process based on each individual user. You can limit the number of logins that are allowed without setting it up and set a reminder on the dashboard. It allows for clock discrepancies. Admins can reset the counter if users are locked out. It stores old passwords in a database and compares them so they can’t be reused. It will generate a QR code using Google Charts API and HTTPS.
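
The codes the Google Authenticator app shows follow the TOTP standard (RFC 6238): phone and server each derive the code from a shared secret and the current time, which is why no Internet connection is needed. The Python below is an added example, not code from any plugin listed here; it shows a server-side check that tolerates clock discrepancies and refuses a code that was already used. The secret is the RFC 6238 test value, and the user name and the TotpVerifier class are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (Google Authenticator default)
DIGITS = 6   # code length shown by the app

def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret that the enrollment QR code carries."""
    return base64.b32decode(text.replace(" ", "").upper())

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, now: int) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, now // STEP)

class TotpVerifier:
    """Server-side check with a drift window and one-time-use enforcement."""

    def __init__(self, window: int = 1):
        self.window = window      # accept codes up to `window` steps off
        self.last_counter = {}    # user -> newest time step already accepted

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        current = now // STEP
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter.get(user, -1):
                continue          # this step was already used: replay
            if hmac.compare_digest(hotp(secret, counter).encode(), code.encode()):
                self.last_counter[user] = counter
                return True
        return False

if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test secret, not a real account secret.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    checker = TotpVerifier()
    code = totp(secret, 1111111109)                           # phone clock 2 s behind
    print(checker.verify("alice", secret, code, 1111111111))  # True: inside window
    print(checker.verify("alice", secret, code, 1111111111))  # False: code reused
```

A wider window accepts more clock drift but also keeps each code usable for longer, so it should stay small.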

Two-Factor Authentication (Google Authenticator)

Two-Factor Authentication from miniOrange adds more levels of security and more authentication options. You can enable 2-Step verification based on the user’s role. If you don’t have access to your phone you can get the code via email by answering security questions or from a one-time passcode. It supports Soft Token, QR Codes, and push notification.

It supports several apps including:

  • Google Authenticator
  • Authy 2-Factor Authentication
  • miniOrange Authenticator

This plugin supports multiple authentication methods, device identification, custom login pages, special security questions for mobile browsers, and more.

The premium version adds user management, inline registration, phone verification, voice verification, OTP over SMS, custom redirect after login, customized login screens, custom email and SMS templates, and more. It will also remember the device. The premium version starts at $1 per user per year.

Two Factor Authentication

Two Factor Authentication supports multiple protocols including Google. It will display the code as a QR code so you can scan it with your smartphone or tablet. It provides authentication based on the user’s role that you set. It’s multisite compatible. The premium version adds shortcodes for the dashboard with custom designing, emergency codes, the option to require 2-factor authentication after a certain period of time, admin access to turn codes off and on as needed, and more. The premium version starts at $22.49.

Final Thoughts

2-Step verification is a simple and effective way to protect your WordPress account. The reason this works so well is it requires the person logging in to have something that only you have: either your phone or your USB security key. Using the various plugins you can choose which features work best for you. The security key makes it even easier to use and is especially helpful for those times when you don’t have phone access. With a login system this painless it’s easy to see why Google 2-Step Verification is a highly recommended method of improving your website’s security.

Your turn. Do you use Google 2-Step Verification? Have you had any issues with it? Do you prefer the codes on your phone or the USB security key? Do you prefer another provider? Let us know about your experience in the comments below.

Randy Brown

Randy Brown is a freelance writer from east TN specializing in WordPress. Besides WordPress and writing he loves guitar, animals, and nature.

Comments

  • How does this work if you have a web designer or person that helps with coding on your site? How do you both get the 2-step when someone you trust needs to work on your site?

    • Hello Cathryn. Each user can follow the 2 Factor Authentication from within their profile page, then set up their code and they are good to go.

  • Hi, I hope you can help, I have the two step authentication thingy. I go through the process and then I am supposed to receive a code via text message, but it never, ever comes. This has been a problem since before forever. Do you have any idea how I can get help with this??

    • Hello Nana.
      I assume you mean that the first step, registering the Google app with your phone, fails. If so, did you try using the Voice Call option?

    • Hi Nana. The first thing I would try is to have the code sent to a different phone. This will help narrow down the cause of the problem.

  • Hello,
    Do you have implementation code for Google 2-Step Verification?
    I want to implement Google 2-Step Verification in my website.
    Any idea how I can implement this?
