WordPress has had its fair share of vulnerabilities, but the most common attack vector used against it is the guessing of weak passwords. Statistics from several password dumps show that users tend to choose easy passwords such as 12345678, making it easy for an attacker to guess the password and gain access to a WordPress website or blog.
You can try to encourage users to choose strong passwords, though in practice that rarely works. So how about using two-factor authentication and stop worrying about the complexity of your users' passwords?
What is Two-factor Authentication?
Two-factor authentication is also known as 2FA or two-step authentication, and is the simplest form of multi-factor authentication (MFA). This type of authentication mechanism requires two independent pieces of evidence from the user at login: in addition to the username, which only identifies the account, the user supplies a password (something they know) and a second piece of information that is typically derived from a device only they possess (something they have), such as a one-time code from an application on their smartphone.
A daily-life example of two-factor authentication is online banking. To log in to an online banking portal you need to specify a username, a password and a one-time code generated by a smartphone application or by a device provided to you by the bank. Since the device is in your possession, an attacker who guesses your password still cannot log in to your account unless they also have access to the device.
WordPress Two-factor Authentication
Two-factor authentication is a neat solution that saves you the hassle of trying to convince your WordPress users to use strong passwords. The good thing is that there are a number of plugins and services you can use to implement two-factor authentication on WordPress.
Plugins for Two-factor Authentication on WordPress
To see a list of plugins that allow you to enable two-factor authentication on WordPress, search for "two-factor authentication" in the WordPress plugin repository.
Some of them use email as the second factor: each time you try to log in, the plugin sends you an email to confirm the login. The good thing about email is that users are not required to have a smartphone to log in to WordPress. The trade-off is that the mailbox becomes part of the login path, so it has to be protected at least as well as the WordPress account itself, and must not share its password.
Another common method these plugins use is Google Authenticator, which generates time-based one-time passwords (TOTP, RFC 6238) from a secret that is shared with the site when the user enrols. Each time you try to log in to WordPress you have to enter the username, the password and the current one-time code from Google Authenticator, an application you can easily install on an Android or iPhone device. Regardless of which method or plugin you use, the concept is always the same:
- Enter username and password
- Enter a one-time code or allow the login via email or another means
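To make the "one-time code" step concrete, here is an added example (not code from this page or from any of the plugins it mentions) of the algorithm Google Authenticator implements: TOTP (RFC 6238) layered on HOTP (RFC 4226), plus the server-side check a plugin has to perform. It uses the reference secret from those RFCs as a constructed example; the `TotpVerifier` class and the `provisioning_uri` helper are names chosen for this illustration. The verifier tolerates one step of clock drift in either direction and, importantly, refuses to accept the same time step twice, because a "one-time" code that can be replayed within its 30-second window is not really one-time.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"),
# used here as a constructed example; a real deployment draws the secret
# from os.urandom when the user enrols and stores it server-side.
EXAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a 64-bit counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation offset
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the 30-second time step as counter."""
    return hotp(secret, timestamp // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// Key URI that Google Authenticator imports from a QR code.
    The secret travels Base32-encoded without padding, as the app expects."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server-side check with clock-drift tolerance and replay protection.

    A code is accepted for the current step or `window` steps either side,
    but each time step can be consumed at most once: without last_counter,
    a code sniffed from a login form stays valid for the rest of its step."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1   # highest time step already used for a login

    def verify(self, code: str, timestamp: Optional[int] = None) -> bool:
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            return False                                 # malformed input
        if timestamp is None:
            timestamp = int(time.time())
        current = timestamp // self.step
        for drift in range(-self.window, self.window + 1):
            counter = current + drift
            if counter <= self.last_counter:
                continue                                 # already used: replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):      # constant-time compare
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print(provisioning_uri(EXAMPLE_SECRET, "admin@example.com", "Example Blog"))
    print("code at t=59:", totp(EXAMPLE_SECRET, 59))     # 287082 per RFC 6238
    verifier = TotpVerifier(EXAMPLE_SECRET)
    print(verifier.verify(totp(EXAMPLE_SECRET, 59), 59))  # True
    print(verifier.verify(totp(EXAMPLE_SECRET, 59), 59))  # False: replayed
```

The enrolment flow a plugin implements is just the first function: generate a random secret, show `provisioning_uri(...)` as a QR code for the user to scan, and store the secret against the account. At login it runs `verify`, and the `last_counter` value has to be persisted per user for the replay check to survive across requests.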
The most popular WordPress plugin for two-factor authentication is Google Authenticator. Once it is installed and configured, to log in you must specify the username, the password and the one-time code, as shown in the screenshot below.
Another promising plugin is Two-Factor Authentication (Google Authenticator) by miniOrange. This plugin supports several different verification methods, such as email verification, phone-call verification, one-time codes from Google Authenticator and more.
Services for WordPress Two-factor Authentication
There are also several online services that enable you to configure two-factor authentication on WordPress, such as Clef and Rublon. The main advantage of using a service rather than a plugin is that they tend to be less hassle for users, for example by letting the user approve the login from their phone instead of typing a one-time code. The trade-off is that your login flow then depends on a third party being available.
Use Two-factor Authentication for WordPress
The security of your WordPress site is only as strong as its weakest link, and if you have multiple users working on it, your website's security cannot rely on the strength of their passwords.
By implementing two-factor authentication on your WordPress site you can put your mind at rest: even if a user's password is weak, an attacker who guesses it still cannot log in to that account without the second factor.