export default "data:image/svg+xml;base64,PHN2ZyBhcmlhLWhpZGRlbj0idHJ1ZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB2aWV3Qm94PSIwIDAgNjAgNzUiPjxkZWZzPjxzdHlsZT4uYXtmaWxsOiNmZmY7fTwvc3R5bGU+PC9kZWZzPjx0aXRsZT5UUlEtTEdPLVEtUkdCPC90aXRsZT48cGF0aCBjbGFzcz0iYSIgZD0iTTkuNzEsOS41NGEyOC44LDI4LjgsMCwwLDAsMCw0MC42NGwuMTMuMTJoMEwzMy43NCw3My44NlY1OC4yNWExOS43LDE5LjcsMCwwLDAsMi4zOS0uMzUsMjguMjksMjguMjksMCwwLDAsMTQuMTYtNy43MkEyOC43MiwyOC43MiwwLDAsMCw5LjcxLDkuNTRaTTQyLjQ0LDQyLjMyYTE3LjQ2LDE3LjQ2LDAsMCwxLTguNzcsNC43NVY1OFMxOC4wNSw0Mi44LDE3LjU2LDQyLjMxYTE3LjYsMTcuNiwwLDEsMSwyNC44OCwwWiIvPjwvc3ZnPg=="
Torque

How to Implement Two-Factor Authentication on Your WordPress Website

Avatar photo

Filed Under

Beginners

Published

August 29, 2017

No Comments

Security is becoming increasingly important as the digital age continues to mature. If you don’t keep up with the latest security technology, you are leaving your site open to unnecessary risks.

One of the standards for website security is two-factor authentication. It is available when logging into the likes of Google and Twitter, for their users’ additional peace of mind. Thankfully, you can easily add two-step authentication to your website using Google’s Authenticator app with WordPress plugins.

With the above in mind, in this article we will explain how to use Google Authenticator to tighten security on your WordPress website. Let’s get started!

How Two-Factor Authentication Works (And Why It’s a Valuable Security Measure)

Two-factor authentication example
DigitalOcean is an example of a website that uses two-factor authentication.

A common method of attack for hackers is running a script that attempts logging into your website until it successfully guesses the correct password. This strategy is called a brute-force attack. A simple way to prevent brute-force attacks from being successful is to require a secondary step in the login process where the user has to verify their identity. This is known as two-factor authentication.

With two-factor authentication, the user must first know the correct login details (typically a username and password). The site will then send a unique passcode to a mobile device, secondary application, or email account. The user must have access to this time-sensitive code in order to log in. This second step of identity verification can make life very difficult for a hacker, as they have to guess both your login details and access the unique, time-sensitive code.

Obviously, there is no such thing as a silver bullet that fixes all security issues. So, keep the following in mind before implementing two-factor authentication:

  1. You will need to provide training for your users so that they don’t end up locked out of their accounts.
  2. You will need to make sure you send passcodes securely; we recommend Google’s Authenticator app for this (see below).
  3. Some of your users may find using a second device or account cumbersome, which reinforces why user training is so important.

Once you have determined whether to use two-factor authentication, it’s time to add it to your site. We recommend Google Authenticator because it is easy to implement and integrates seamlessly with WordPress.

How to Add Your WordPress Website to Google Authenticator

Google Authenticator app interface
Google Authenticator generates six digit security codes.

Google Authenticator is a mobile app provided by Google to generate security codes for two-step authentication. These are regenerated regularly on a timer, and even work when your phone is offline.

Registering your website with Google Authenticator will create the link between your site and the codes it generates. So when you attempt to log in, Google Authenticator knows to look for the codes generated in the app for the second step of authentication.

Here’s how to install the app on Android and iOS:

  1. Visit Google Play (Android) or the App Store (iOS).
  2. Search for Google Authenticator.
  3. Download and install the application.

Now that you have Google Authenticator on your device, you can register your site within the app.

  1. The WordPress plugin you choose (see below) will provide you with a unique QR code. Use the documentation for your chosen plugin to find this QR code in your WordPress account.
  2. In the Google Authenticator app, click the plus sign (+) to add a website.
  3. Scan the QR code provided by the WordPress plugin.

This should successfully add your website to the application. When you open the app, you should see the title of your website, along with a six digit code that changes regularly. When you log in to your site, it will request your regular login information and this code.

The Best WordPress Plugin for Enabling Two-Factor Authentication

There are a few plugins available, both free and premium, that offer Google Authenticator login functionality. Our featured plugin natively supports Google Authenticator for multiple users at the free level. However, which plugin you choose will depend on your budget and website needs.

Two Factor Authentication

Two Factor Authentication

Two Factor Authentication is a plugin that enables Google Authenticator integration and is developed by the authors of UpdraftPlus (which has over one million active installs). It comes packed with a number of powerful features, such as:

  1. The ability to manage which users can employ two-factor authorization.
  2. Integration with Theme My Login.
  3. Support for WooCommerce.
  4. Multisite compatibility.
  5. Easy-to-find QR codes.

Most importantly, the free version doesn’t limit authentication to just one user. Once you’ve installed the plugin, you can manage your user settings under Settings > Two Factor Authentication.

From here, you can select which roles you’d like to enable two factor authentication for, as well as access QR codes. You’ll also want to set up a page where your users can manage the new two-factor authentication settings. Simply drop in the shortcode [twofactor_user_settings] on a new page and make sure it is easily accessible somewhere for logged in users.

Honorable Mentions

Other options for enabling two-factor authentication include:

  1. Google Authenticator – Two Factor Authentication (2FA)
  2. Rublon Two-Factor Authentication
  3. Duo Two-Factor Authentication

Before using any of these alternatives, be sure to check their reviews and whether they have been recently updated. You should also check to see how many active installations they have. Monitoring these factors will give you an idea of how reliable they will be over time.

Conclusion

Since security continues to be the most prevalent issue for websites of all shapes and sizes, it is important to reduce unnecessary risks by keeping your authentication method updated. Two-factor authentication is an easy way to add an extra layer of security, by adding an off-site check to ensure the rightful user is logging in.

In this article, we reviewed:

  1. How two-factor authentication works and the benefits of implementing it.
  2. How to register your website with Google’s Authenticator app.
  3. How to activate two-factor authentication on your WordPress website with plugins.

Do you have questions about implementing two-factor authentication? Ask away in the comments section below!

Image credit: Tyler Mullins.

How do you stay on top of your WordPress game?

A good way to start is to sign up for our weekly newsletter. We keep you up to date by bringing you the freshest WordPress content from the brightest minds in the industry.