WordPress two-factor authentication: Powering over 60 million websites, WordPress is the world’s most popular website building platform. This kind of popularity has its advantages as well as disadvantages. Building your site on WordPress automatically puts a target on your back. In fact, 90,978 hack attempts are made on WordPress sites every single minute, and one of the most popular methods used to break into a WordPress site is called a brute force attack.
There are a number of ways to protect WordPress login pages. It’s better to have a number of security measures in place instead of relying on just one. Security professionals often advocate this kind of layered protection because it makes it harder to hack a site.
Earlier we showed you how to password protect the login page with HTTP authentication. And in this post, we’ll tell you how to add WordPress two-factor authentication.
What is Two-Factor Authentication?
The easiest way to explain two-factor authentication is to use a house analogy. Imagine your website as a house. To enter the house, you’d need to have a key to the main door. The key here represents the login credentials of the WordPress site. The house is also surrounded by an outer wall for protection against harsh wind and unwanted visitors. The outer wall is what two-factor authentication provides a website, i.e. another layer of protection.
Once you have installed two-factor authentication, here’s how it’ll work:
After you enter your login credentials, instead of going to the WordPress dashboard, you’ll be taken to a different page. On this page, you’ll be asked to enter a code that has been sent to your smartphone. Since the code is sent only to the smartphone of the website owner, a guessed or stolen password alone is not enough to break into your site. Even if hackers can guess your username and password (via brute force attack), they won’t be able to crack the code unless they have stolen your smartphone.
Top 3 WordPress Two-Factor Authentication Plugins
The easiest way to add WordPress two-factor authentication is by using plugins. The WordPress Two-Factor Authentication (2FA) By miniOrange plugin is popular because of the many authentication methods it offers. Two other plugins you can opt for are Two-Factor Authentication and Rublon Two-Factor Authentication. Let’s see what each one of these plugins offers:
WordPress Two-Factor Authentication (2FA) by miniOrange is one of the best two-factor authentication plugins for WordPress websites. Presently it has over 10,000 active installs and comes with a 5.4 rating out of 5. It has a free and a paid version. Compared to the next two plugins, it is updated more regularly.
- Offers a number of authentication methods (Google Authenticator, QR Code, Push Notification, Soft Token and Security Questions)
- Multi-Site support (for the premium version)
- Multiple login options (for the premium version)
The Two-Factor Authentication WordPress plugin is developed by the authors of UpdraftPlus, a popular WordPress backup solution. It has a free as well as a premium version. It currently has over 8000 installs with a 4.4 rating out of 5 and is available in 9 languages including Chinese, English, French, German, Portuguese, and Russian. Its key features include:
- Easy mobile scanning using graphical QR codes
- WordPress multisite compatible (plugin should be network activated)
- Supports WooCommerce and Affiliates-WordPress login forms
- Premium users get emergency codes when they lose their device (tablet or phone)
Rublon is simple and easy to use. At the time of writing this, it held a 4.2 rating out of 5 in the WordPress repo with over 3000 active installations. Rublon Two-Factor Authentication is available in English, German, Japanese, Turkish and Polish.
- Free version available for one WordPress website
- Easy, hassle-free configuration
- Authenticate by scanning QR code
How to Add WordPress Two-Factor Authentication?
You can use any of the above plugins but the one we are going to show you how to use is WordPress Two-Factor Authentication (2FA) By miniOrange.
MiniOrange WordPress 2 Factor Authentication
Step 1: Log in to your WordPress dashboard and go to the Add Plugin Page. On the left-hand side, there is a menu where you should be able to see an option called Plugin. When you hover the cursor over Plugin, three more options appear. One of them is Add New. Click on that.
Step 2: On the Add Plugins page, there is a search option in the right-hand corner. Go there and type Google Authenticator. The WordPress Two-Factor Authentication (2FA) By miniOrange plugin should appear as shown in the picture below. Click on the Install Now button and then Activate.
Step 3: After activation, you can see the plugin on the Installed Plugins page.
You’ll also notice that the plugin can be accessed from the menu on the left on the WordPress dashboard.
Step 4: Click on it and it’ll take you to the miniOrange plugin dashboard. Here, you need to create an account. Enter your email, organisation name (which is your website’s URL) and password.
After registering, you’ll be asked to enter a special code.
This special code is sent to you for one-time use.
Step 5: Check the email account that you used to register to get the code.
After entering the code you’ll be asked to set up your preferred authentication method.
You can select from any of the following:
i. miniOrange QR Code Authentication
To use this, you need to download and configure the miniOrange Authenticator app from the Google Play store or Apple App store. Once you have this app configured on your smartphone, you’ll have to open the app and click on the ‘Authenticate’ button. It opens a scanning screen. Scan the encrypted QR code on the computer screen and you’ll be allowed to access your WordPress dashboard.
ii. miniOrange Soft Token
To use this, you need to download and configure the miniOrange Authenticator app from the Google Play store or Apple App store. After that, you need to open the app and go to the soft token screen. It’ll show you a six-digit code that changes every minute. When trying to log in to your site, you’ll be prompted to enter this number.
iii. miniOrange Push Notification
Once you have downloaded and configured the miniOrange Authenticator app from the Google Play store or Apple App store, you get an ‘Allow’ or ‘Deny’ message every time someone tries to access your site. If you choose Allow, they’ll be able to enter, and if you choose Deny, they’ll be locked out.
iv. Google Authenticator
To use this, you need to download the Google Authenticator App on your phone. You’ll then have to set up an account and scan the barcode that appears on your computer screen. After you have scanned the QR code and created an account, enter the verification code that appears on the app.
v. Security Questions
This authentication method involves answering a pre-configured question about your life. The answer should be unique and no one else should know about it other than you. The next time you try to log in, you’ll see the same question appear and you’ll have to enter the same answer to access your site.
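To show what happens behind the six-digit code in the Google Authenticator method, here is an added example (not from the original post and not the miniOrange plugin’s code) of the standard TOTP scheme from RFC 6238 that Google Authenticator uses. The secret is the RFC’s published test key, and the Verifier class, its one-step clock-drift window and its replay check are illustrative assumptions about how a server could check the code.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code is valid (RFC 6238 default)
DIGITS = 6   # length of the code shown in the app

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def _key(secret_b32):
    # Authenticator secrets are base32; restore any stripped padding.
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key, counter):
    # RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret_b32, now=None):
    # The counter is simply the number of 30-second steps since the epoch.
    now = time.time() if now is None else now
    return hotp(_key(secret_b32), int(now) // STEP)

class Verifier:
    """Server-side check for one user (hypothetical helper)."""

    def __init__(self, secret_b32, window=1):
        self.key = _key(secret_b32)
        self.window = window      # accept +/- this many steps of clock drift
        self.last_counter = -1    # highest step already used

    def verify(self, code, now=None):
        if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
            return False
        now = time.time() if now is None else now
        current = int(now) // STEP
        for c in range(current - self.window, current + self.window + 1):
            if c <= self.last_counter:
                continue          # never accept the same or an older code twice
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = c
                return True
        return False
```

The replay check matters because a code stays valid for the whole drift window; without it, a code observed once could be reused until the window passes.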
To demonstrate how the service works, let’s try out the miniOrange Push Notification method.
We stopped at the step where we need to decide what method of authentication we’d prefer.
Step 6: Select the option that says miniOrange Push Notification, and download the miniOrange Authenticator App from the Apple App Store (iOS smartphones) or Google Play Store (Android smartphones).
We are using an Android phone, therefore, we downloaded the Android version from Google Play Store.
Step 7: After downloading the app, you need to come back to the website and click on the button that says Configure your phone (as seen in the picture below).
Step 8: After selecting the ‘Configure your phone’ button, you’ll land on a page that has an encrypted QR code. Open your miniOrange app and scan the code.
Following the successful scanning of the code, your setup of WordPress two-factor authentication is complete.
Over to You
Protecting the login page is an essential step in securing your WordPress site. And two-factor authentication will make sure that only valid users can access your site. If you have any questions, please reach out to us.