Introduction
An online business dealing with personal customer information needs to enforce a robust verification mechanism to prevent unauthorized access.
Two-Factor Authentication (2FA) adds a strong security layer and creates a formidable obstacle for potential attackers. Implementing 2FA in WordPress is a straightforward process, thanks to a number of easy-to-use authentication plugins.
Follow the instructions in this guide to learn how to install and implement 2FA for your WordPress website.
Why Implement 2FA in WordPress?
A third of all websites use WordPress, making these websites a frequent target of brute-force attacks. The username and password are the only things standing between the WordPress admin area and a potential attacker.
By gaining access to a website’s admin area, an unauthorized individual could control every aspect of that website. To protect yourself, your customers, and your business, use additional authentication layers.
2FA is a highly secure method that ties the login to a one-time password generated on, or delivered to, a physical device, for example a smartphone, to verify the WordPress user’s identity before they can log in.
Even if attackers manage to guess or obtain valid WordPress credentials, they still need access to the device.
How to Install Popular WordPress 2FA Plugins
Two-factor authentication pairs the WordPress login with a second check performed on a separate device or app. Users without technical expertise can quickly implement 2FA using a free WordPress plugin. The most popular free plugins include:
- WP 2FA – Two-factor Authentication for WordPress - An easy-to-implement and intuitive solution that supports numerous mobile verification apps such as Duo, Google Authenticator, LastPass, Authy, etc.
- Google Authenticator by miniOrange – WordPress Two Factor Authentication (2FA, MFA) - Provides the essential authentication features for free, with paid enterprise-level upgrades for large organizations. It also works with time-based one-time password (TOTP) apps like Google Authenticator, Authy, LastPass, Microsoft Authenticator, etc.
To install a 2FA plugin, access the WordPress dashboard:
1. Select Add New from the Plugins menu.
2. Type 2FA in the Search Bar.
3. Install either the WP 2FA or the Google Authenticator plugin by clicking Install Now.
4. After installing the preferred plugin, click Activate.
A setup wizard guides you through the implementation process.
Implementing 2FA in WordPress
Before setting up 2FA, decide what type of authentication method you want to implement. Time-based one-time passwords (TOTP) generated by mobile apps are well-suited for a business environment with multiple website administrators.
The process looks like this:
1. A user enters their username and password to log in to WordPress.
2. Instead of gaining access, the user is presented with a new field requesting a one-time password.
3. A new one-time password is generated at regular intervals by an authentication app installed on a mobile device.
4. The user enters the current code and gains access to the WordPress admin area.
Some of the most popular TOTP apps for mobile devices are Microsoft Authenticator, Duo, Authy, LastPass, and Google Authenticator. This article explains how to implement WP 2FA with LastPass and the Google Authenticator plugin by miniOrange with the Google Authenticator app.
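The login flow above works because the app and the website share one secret (the key behind the QR code) and both derive the same six-digit code from it and the current time. The following is an added example, not code from WordPress or from either plugin; it implements RFC 6238 TOTP with HMAC-SHA1, the server-side check with a small clock-drift window, and the otpauth URI a setup QR code encodes. The secret, account name and issuer are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse

STEP = 30    # seconds per code, the default used by the authenticator apps named above
DIGITS = 6   # length of the code the setup wizard asks for

def totp(secret_b32: str, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    secret = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))   # re-add base32 padding
    counter = struct.pack(">Q", unix_time // step)              # 8-byte big-endian counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                     # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps of clock drift.
    Every candidate is compared in constant time so a match does not leak via timing."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP)
        ok |= hmac.compare_digest(expected, submitted)
    return ok

def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The text a setup QR code encodes; the manual-entry key is `secret_b32` itself."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{label}?{query}"

if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret (ASCII "12345678901234567890", base32-encoded).
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(otpauth_uri(secret, "admin@example.com", "WordPress"))
    print(totp(secret, 59))                        # 287082 (RFC 6238 vector, 6 digits)
    print(verify_totp(secret, "287082", 59 + 30))  # True: one step late, inside the window
```

The drift window is why a code entered a few seconds after it rolled over is still accepted; widening it trades a little strictness for fewer lockouts.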
Option 1: Setting up WP 2FA with LastPass
Once you have installed and activated the WP 2FA plugin, a setup wizard launches automatically:
1. Click Let’s get started!
2. A one-time password can be generated by an authentication app (recommended) or sent via email. Once you select the code delivery method, click Next.
3. Install the LastPass Authenticator app on your mobile device.
4. Use the LastPass app to scan the QR code on your computer screen. Alternatively, enter the randomly generated key from the setup wizard into the LastPass app.
5. Click I’m Ready within the WP 2FA setup wizard.
6. Scanning the QR code generates a one-time password in the LastPass app. Enter the code into the given field within the WP 2FA wizard and click Finish.
7. If your website has multiple admin users and roles, select Continue & configure the settings to set up general plugin rules for these users.
8. Check the box to define the authentication method for other users and click Continue Setup.
9. Apply the 2FA to all users or limit the authentication to specific users. Select Continue Setup to proceed.
10. If authentication is a requirement for all users, implement exceptions to this rule by excluding individual users and roles. Click Continue Setup.
11. Decide if other users should configure 2FA immediately or set an extended time-frame for them to comply. Select Continue Setup to proceed.
12. Check the box to inform WordPress users via email to implement 2FA and select All done.
13. Losing or getting locked out of a phone would prevent you from accessing the WordPress account. Click Generate backup codes to create ten static backup codes and avoid getting locked out.
14. Download or Print the generated codes and store them in a secure location.
To modify plugin settings from the WordPress dashboard, click Two-factor Authentication within the Settings menu.
Accessing the WordPress admin page is now only possible after entering a one-time password generated by the LastPass app.
Option 2: Setting up 2FA with Google Authenticator
After installing and activating the Google Authenticator – WordPress Two Factor Authentication plugin:
1. Select the Logout and Configure option.
2. Enter your WordPress credentials and Log In.
3. Select the Google/Authy/Microsoft Authenticator option to enable one-time password app-based authentication.
4. Install the Google Authenticator app on your mobile device.
5. Select Google Authenticator from the dropdown menu and use your phone to scan the QR code.
6. Once the scan is complete, a verification code appears in the Google Authenticator mobile app. Enter the 6-digit code in the Code field within the setup wizard.
7. Click Verify and Save.
8. Select Download Codes to download and store a set of backup codes. These codes allow you to log in to the WordPress account if you no longer have access to your phone.
9. Click Finish to complete the setup process.
Entering the credentials to access WordPress prompts the system to ask for the authentication code from the Google Authenticator mobile app. Submitting the correct code grants access to the WordPress admin.
To modify plugin settings, select the Two Factor option in the miniOrange 2-Factor menu. Access the Settings tab to change general plugin settings.
The Settings section in the free version provides limited options for managing two-factor authentication and controlling users and roles.
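Both plugins hand the user a set of static backup codes (step 13 of Option 1, step 8 of Option 2). The example below is added here and is not code from either plugin; it shows how such codes should be handled on the site side: generated from a CSPRNG, stored only as salted slow hashes, and accepted exactly once each. The eight-digit numeric format and the class names are assumptions for the example.

```python
import hashlib
import hmac
import secrets

CODE_LENGTH = 8   # assumed format; the plugins' real codes may differ
CODE_COUNT = 10   # the plugin generates ten static codes

def generate_backup_codes(count: int = CODE_COUNT, length: int = CODE_LENGTH) -> list[str]:
    """Distinct numeric codes drawn from the OS CSPRNG, never from random.random()."""
    codes: list[str] = []
    while len(codes) < count:
        code = "".join(secrets.choice("0123456789") for _ in range(length))
        if code not in codes:
            codes.append(code)
    return codes

def _digest(code: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash: a leaked database does not hand out usable codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

class BackupCodeStore:
    """What the site keeps after the user downloads the codes: hashes only, each usable once."""

    def __init__(self, codes: list[str]) -> None:
        self.salt = secrets.token_bytes(16)
        self._hashes = [_digest(c, self.salt) for c in codes]

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, submitted: str) -> bool:
        """True the first time a valid code is presented; the same code is refused afterwards."""
        candidate = _digest(submitted.replace(" ", "").replace("-", ""), self.salt)
        match = None
        for stored in self._hashes:            # scan every entry; constant-time compare each
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self._hashes.remove(match)             # single use: burn the code on success
        return True

if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())  # True False 9
```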
Conclusion
You have successfully implemented 2FA in WordPress and increased your WordPress admin security. Even attackers who obtain valid credentials will find it hard to compromise your website without the second factor.
Explore the Best Payment Authentication Methods and Tools to secure and upgrade other segments of your online business.