The security of your WordPress website is crucial – only a properly functioning website can bring you the benefits of running it. WordPress is an amazing CMS, but keeping it in good shape requires knowledge, time and experience, and tools to help protect it.
WordPress grew up as a free, open source CMS for everyone. Initially, it was used by bloggers. Over time WordPress has grown – until it’s in its present form, where, thanks to the system’s modular design, it can provide a platform for all kinds of sites.
The openness of the WordPress code is its advantage (it can be freely developed and modified) and at the same time its biggest disadvantage – anyone in the world can look into the source code and find out what the security rules are, what the process of logging in and authenticating users looks like, what PHP functions have been implemented.
That’s why it’s so important to manage your WordPress-based site wisely – in another post we described how automatic backups are an important mechanism. The next step in the process of making sure your site is secure is to add additional authentication to it.
Two-factor Authentication in WordPress
Two-factor authentication is logging into one’s account, during which a two-step verification of the user’s identity takes place.
- The first stage is standard – most often you need to enter your login and password.
- But then you will be asked to go through the second stage of verification – to provide a special code, which can be sent to your email address, by SMS or appear in a special application. Only after fulfilling these two steps will it be possible to log in to a service that requires two-factor authentication.
Two-factor authentication in WordPress is becoming increasingly popular as website owners look for more ways to secure their sites against unwanted infiltration. There are several really good ways that you can get WordPress 2FA in place. Today, I am going to show you how to do it using a plugin which we use in our projects – WP 2FA. You can find it by heading over to the Plugins page in the WordPress admin dashboard. It’s free and easy way to add an extra layer of security to your WordPress website login page and its users.
Basic configuration of 2FA
Immediately after installation, you will be redirected to a simple and intuitive wizard that will guide you step-by-step through the process.
- At the very beginning you need to choose the method of additional authentication – we strongly recommend choosing only One Time Code via 2FA App (TOTP). The second option – that is, receiving codes via email is much less secure.
- Then we will have the option to choose – which roles or individual users should have the ability or mandatory constraint to configure additional verification. We recommend that any user with access to the WordPress admin panel should be forced to configure this option.
- The last step of the wizard is to specify the amount of time the user will have to configure the Two-factor Authentication – we usually set 7 days here as a safe buffer in which any committed user should be able to handle this task with confidence.
After saving these settings, we get the option to set verification for our account.
Each of the users we pointed out in the previous step will see a popup in their dashboard stating that we require the configuration of two-step verification in their user profile.
Choosing an external 2FA application
At the very bottom of the sub-page for editing our profile, there is now a section for authentication settings.
After clicking the button that starts the setup, a button with a QR code will appear – scan it with the app of your choice. Some of the popular apps that WP 2FA supports and works with are:
- Google Authenticator
- Microsoft Authenticator
- LastPass Authenticator
- Duo Security.
At Esumo, we use Google Autenthicator. You need to install it on your secondary device – phone or tablet. This additional device is where you will generate the additional code needed each time you log into the WordPress dashboard.
After scanning the QR code that is displayed to us in the application you have chosen, your page should be listed and next to it a 6-digit code that will change every few tens of seconds.
If you have successfully paired the application with the site, you can click the I’m ready button and proceed to the last step, that is, entering the code generated by the application (in random cases, you will be forced to restart the application and generate a new code).
Once the code is entered and accepted Two-factor Authentication has been correctly configured and you will be asked to enter the code every time you log in again.
If you have any questions, problems regarding your site or 2FA configuration – we are at your service – write a comment or get back to us directly on email!