Setting up two-factor authentication for WordPress

2FA is your friend

Editor’s note: This post was originally published on Sept. 9, 2014 by Christopher Carfi, and was revised on July 24, 2017.


When it comes to logins, there’s nothing wrong with a bit of paranoia.

Using a password manager? That’s sensible.

Keeping different passwords for different sites? That’s a good habit, too.

And, wherever possible, using two-factor authentication (or “2FA”, if you’re feeling all acronym-y) to add an additional level of security? If only more people did that!

What is two-factor authentication?

Two-factor authentication (2FA) relies on two things:

  1. 1. Something you know — like a password.
  2. 2. Something you have — like a smartphone.

(We use two-factor authentication to protect customer accounts at GoDaddy.)

Two-factor authentication isn’t foolproof.

Using 2FA doesn’t guarantee that your site won’t be compromised, but it certainly raises the bar for anyone trying to gain access.

It’s kind of like The Club for your car. While a determined car thief might eventually be successful in getting your wheels, they’ll also be more inclined to move onto their next potential (and hopefully easier) target.

And so it goes with 2FA. With two-factor authentication enabled on your website, you’re making it harder for the bad guys to get in.

Two-factor authentication for WordPress

A default WordPress installation doesn’t come with two-factor authentication. That said, it’s pretty easy to beef up your WordPress security and enable 2FA. Here are a few plugins to make it happen.

(For the curious: We came up with this list by looking at how recently the plugins were updated, what the user ratings and reviews were like, and what documentation was available. We kept plugins that were out-of-date, poorly reviewed, or poorly documented off the list.)

 

Duo Two-Factor Authentication

Duo isn’t just a plugin with an app. They’re a full-on technology security company that provides two-factor authentication solutions for businesses like Etsy, Kayak, Threadless, Yelp, Toyota, and many more.

If you’re looking for a comprehensive security solution beyond just 2FA on a website, Duo might be a good fit for your needs.

Two-Factor Authentication Duo Plugin

Google Authenticator

Google Authenticator is a free app for iOS and Android. It works like this: You enter your username and password, then you’re prompted to enter the passcode generated by the app.

There are a number of plugins that add support for Google Authenticator to WordPress. So which plugin should you use? The most popular plugin comes from Henrik Schack. It hasn’t been updated in a year, but appears to still get the job done. The Google Authenticator plugin from miniOrange appears to be under more active development, but it requires a paid upgrade if you need 2FA for more than one user.

 

Two-Factor Authentication

The Two-Factor Authentication plugin comes to us from the team behind Updraft Plus. It supports standard TOTP and HOTP protocols, so it plays nice with a variety of 2FA apps on both Android and iOS. You can set 2FA on a per-role and a per-user basis; it supports WooCommerce forms; and it’s WP Multisite compatible. The Premium version unlocks a bunch of additional features, as well.

Two-Factor Authentication Updraft Plugin

Rublon

Rublon takes a different approach from most of the other two-factor authentication plugins mentioned in this list. Rather than sending you a one-time code via text message or mobile app, Rublon sends you an email to complete the login process. Once successfully logged in, Rublon remembers the device you logged in from.

The free version of the plugin enables 2FA for a single user account. For additional users, you’ll need to upgrade by contacting the Rublon sales team via email. If you’re not keen on dealing with 2FA every time you log in, Rublon might be worth a look.

Rublon Two-Factor Authentication Plugin

iThemes Security Pro

iThemes Security Pro is a premium upgrade to the popular all-in-one security plugin for WordPress. The Pro version includes two-factor authentication. Like the Two-Factor Authentication plugin mentioned above, iThemes Security Pro relies on the TOTP standard, so it’s compatible with a variety of apps on Android and iOS.

If you’re working on a new site, or haven’t set up a security plugin yet, iThemes Security Pro might be worth investigating as a comprehensive all-in-one solution.

 

Wordfence

Wordfence is another popular all-in-one security plugin for WordPress, and like iThemes Security Pro, the premium (paid) version of Wordfence adds support for two-factor authentication. You have two options for configuring 2FA in Wordfence: You can either use Google Authenticator, or you can get a one-time code sent to a phone number via SMS.

In my experience, choosing between iThemes Security and Wordfence as your all-in-one solution comes down to preference.

Just make sure you’re not running both security plugins at the same time.

 

Shield Security

Shield Security, formerly known as WP Simple Firewall, is another all-in-one WordPress security plugin. Unlike iThemes Security or Wordfence, Shield Security claims that they’re not locking any features behind a paid or premium upgrade — instead, Shield Security appears to be a foot-in-the-door for iControlWP, a centralized WordPress management dashboard like ManageWP (mentioned below).

Shield Security doesn’t rely on a mobile app to verify a user’s identity. Instead, it sends an email to complete the login process.

 

ManageWP

ManageWP lets you manage all of your WordPress websites from a single dashboard. (It’s really, really useful for WordPress professionals who are taking care of a bunch of WordPress sites.) In the latest ManageWP release, called Orion, you can enable two-factor authentication for your ManageWP account.

So why are we including it in this list? Well, if you’re managing more than a few WordPress sites, ManageWP will make your life a lot easier. But if you’re controlling all of those sites in ManageWP, you should really make sure that your ManageWP account is as secure as possible.

Full disclosure: ManageWP joined the GoDaddy family in September 2016. For additional perks beyond the standard ManageWP features, check out GoDaddy Pro.

 

WordPress.com Secure Sign On via Jetpack

Jetpack is a beast of a plugin from the team at WordPress.com. It includes a bunch of features <https://jetpack.com/features/>, ranging from site optimization to security to social sharing, and much more.

An interesting feature of Jetpack is enabling users to register and sign into your site using their WordPress.com account credentials. With some tweaks to your theme’s functions.php file (or, better yet, the creation of a functionality plugin), you can enforce two-factor authentication on WordPress.com sign-ins.

If you’re already using Jetpack, or are working on a blog that you’d like to tie into the WordPress.com ecosystem, then the WordPress.com SSO might be a good fit for your needs.

There’s no excuse for you to not have 2FA on your WordPress site.

Sure, it might add an extra step to your sign-in process, but the security it adds is worth the minor inconvenience. To secure your site even further, combine two-factor authentication with regular backups, site monitoring, and firewall protection.

 

Related reading from the GoDaddy blog:


Also published on Medium.

Image by: joelogon via Compfight cc