Editor’s note: This post was originally published on Sept. 9, 2014 by Christopher Carfi, and was revised on July 24, 2017.
When it comes to logins, there’s nothing wrong with a bit of paranoia. Using a password manager? That’s sensible. Keeping different passwords for different sites? That’s a good habit, too. And, wherever possible, using two-factor authentication for WordPress to add an additional level of website security? Oh if only more people did that!
What is two-factor authentication?
Two-factor authentication (2FA) is an extra layer of security that helps validate the people trying to gain access to an online account are actually who they say they are. In the first step, a user will enter their username and a password. Then in the second step, instead of obtaining immediate access, the user will be required to provide another piece of information.
Two-factor authentication relies on a few different things:
- Something you know — like a password.
- Something you have — like a smartphone.
- Something you are - like a thumbprint.
While using two-factor authentication for WordPress doesn’t guarantee that your website won't be compromised, it certainly raises the bar for anyone trying to gain access.
It's kind of like The Club device for your car. While a determined car thief might eventually be successful in getting your wheels, they’ll also be more inclined to move onto their next potential (and hopefully easier) target.
And so it goes with 2FA. With two-factor authentication enabled on your website, you’re making it harder for the bad guys to get in.
Implementing two-factor authentication for WordPress
A default WordPress installation doesn't come with two-factor authentication. That said, it's pretty easy to beef up your WordPress security and enable 2FA. Below are a few plugins to make it happen.
We came up with this list by looking at how often the plugins were updated, what the user ratings and reviews were like, and what documentation was available. We kept plugins that were out-of-date, poorly reviewed, or poorly documented off the list.
Duo Two-Factor Authentication
Duo isn’t just a plugin with an app. They’re a full-on technology security company that provides two-factor authentication solutions for businesses like Etsy, Kayak, Threadless, Yelp, Toyota, and many more.
If you’re looking for a comprehensive security solution beyond just 2FA on a website, Duo might be a good fit for your needs.
There are a number of plugins that add support for Google Authenticator to WordPress. So which plugin should you use? The most popular plugin comes from Henrik Schack. It hasn’t been updated in a year, but appears to still get the job done. The Google Authenticator plugin from miniOrange appears to be under more active development, but it requires a paid upgrade if you need 2FA for more than one user.
It supports standard TOTP and HOTP protocols, so it plays nice with a variety of 2FA apps on both Android and iOS. You can set 2FA on a per-role and a per-user basis; it supports WooCommerce forms; and it’s WP Multisite compatible. The Premium version unlocks a bunch of additional features, as well.
Rublon takes a different approach from most of the other two-factor authentication plugins mentioned in this list. Rather than sending you a one-time code via text message or mobile app, Rublon sends you an email to complete the login process. Once successfully logged in, Rublon remembers the device you logged in from.
The free version of the plugin enables 2FA for a single user account. For additional users, you’ll need to upgrade by contacting the Rublon sales team via email. If you’re not keen on dealing with 2FA every time you log in, Rublon might be worth a look.
iThemes Security Pro
iThemes Security Pro is a premium upgrade to the popular all-in-one security plugin for WordPress. The Pro version includes two-factor authentication. Like the Two-Factor Authentication plugin mentioned above, iThemes Security Pro relies on the TOTP standard, so it’s compatible with a variety of apps on Android and iOS.
If you’re working on a new site, or haven’t set up a security plugin yet, iThemes Security Pro might be worth investigating as a comprehensive all-in-one solution.
Wordfence is another popular all-in-one security plugin for WordPress, and like iThemes Security Pro, the premium (paid) version of Wordfence adds support for two-factor authentication. You have two options for configuring 2FA in Wordfence: You can either use Google Authenticator, or you can get a one-time code sent to a phone number via SMS.
In my experience, choosing between iThemes Security and Wordfence as your all-in-one solution comes down to preference.
Just make sure you’re not running both security plugins at the same time.
Shield Security, formerly known as WP Simple Firewall, is another all-in-one WordPress security plugin. Unlike iThemes Security or Wordfence, Shield Security claims that they’re not locking any features behind a paid or premium upgrade — instead, Shield Security appears to be a foot-in-the-door for iControlWP, a centralized WordPress management dashboard like ManageWP (mentioned below).
Shield Security doesn’t rely on a mobile app to verify a user’s identity. Instead, it sends an email to complete the login process.
ManageWP lets you manage all of your WordPress websites from a single dashboard. (It’s really, really useful for WordPress professionals who are taking care of a bunch of WordPress sites.) In the latest ManageWP release, called Orion, you can enable two-factor authentication for your ManageWP account.
So why are we including it in this list? Well, if you’re managing more than a few WordPress sites, ManageWP will make your life a lot easier. But if you’re controlling all of those sites in ManageWP, you should really make sure that your ManageWP account is as secure as possible.
Full disclosure: ManageWP joined the GoDaddy family in September 2016. For additional perks beyond the standard ManageWP features, check out GoDaddy Pro.
WordPress.com Secure Sign On via Jetpack
Jetpack is a beast of a plugin from the team at WordPress.com. It includes a bunch of features <https://jetpack.com/features/>, ranging from site optimization to security to social sharing, and much more.
An interesting feature of Jetpack is enabling users to register and sign into your site using their WordPress.com account credentials. With some tweaks to your theme’s functions.php file (or, better yet, the creation of a functionality plugin), you can enforce two-factor authentication on WordPress.com sign-ins.
If you’re already using Jetpack, or are working on a blog that you’d like to tie into the WordPress.com ecosystem, then the WordPress.com SSO might be a good fit for your needs.
There’s no excuse for you to not have 2FA on your WordPress site
Sure, it might add an extra step to your sign-in process, but the security it adds is worth the minor inconvenience. To secure your site even further, combine two-factor authentication with regular backups, site monitoring, and firewall protection.
Related reading from the GoDaddy blog: