2 Step Authentication on WordPress
tl;dr: WordPress security is a major part of our WordPress maintenance packages, and one element we recommend is 2-step authentication.
WordPress security is a major element when we set up a new project or as part of our WordPress maintenance packages.
But, like anything else, a chain is only as strong as its weakest link.
By default WordPress comes with basic login security built in, although that’s now getting better with its Password Strength Test, which can be found in the password reset and WordPress install screens. There you are presented with a long, random password, although you can opt to use your own rubbish password if you choose.
In addition to this, WordPress have also stopped e-mailing passwords, so valid passwords aren’t going to sit in your inbox, waiting for some email hacker to gain access.
That said, attackers will still try to get in, and over the last few years 2-step (2-factor) authentication has been making big inroads.
By definition 2-step authentication requires 2 elements – your password AND access to a special code either texted to your phone or via an app on your phone.
Due to the big eco-system built around WordPress, there are a few plugins specifically developed around 2-step authentication. Below I talk about 3 of them.
The first is Duo Security. From their own description:
Duo’s WordPress plugin enables two-factor authentication for WordPress logins, complete with inline self-service enrolment and authentication prompt.
Not only can you use Duo Security to protect your WordPress login, you can also use it on many other sources including VPNs, Web Apps, Cloud Apps, Microsoft Servers … the list goes on.
Although better known as a highly rated general security plugin for WordPress, WordFence now includes 2FA as part of its free offering, which works with TOTP-based apps like Google Authenticator, FreeOTP, and Authy.
Even if you don’t want to implement this feature, the $99 a year they charge for 1 site really is huge value for what you get and I strongly advise stumping up the cash if only to support the development.
Finally, you can add a second level of security with the Google Authenticator plugin, which describes itself as “A highly secure & easy to setup Two Factor Authentication (Google Authenticator) for your WordPress site.”
The idea is simple: each time you want to log in to your admin, you still use your password but also add a code provided on your phone by the Authenticator app.
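To make the “password plus a code from your phone” idea concrete, here is an added example of how the TOTP codes those authenticator apps produce are generated and checked on the server side (RFC 4226 HOTP and RFC 6238 TOTP). It is not code from any of the plugins above and is written in Python rather than PHP purely for illustration; the base32 secret below is a constructed demo value, not a real key. Beyond the basic check, the verifier also tolerates a little clock drift between phone and server and refuses to accept a code for a time step that has already been used, which is what stops an intercepted code from being replayed.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret (hypothetical): the shared secret an authenticator app
# receives as base32 (usually via a QR code) during enrolment.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret shown to the user at enrolment into raw bytes."""
    padded = b32.strip().upper() + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int, last_counter: int = -1,
                step: int = 30, window: int = 1, digits: int = 6) -> Optional[int]:
    """Check a submitted code against the current time step and +/- `window` steps.

    Returns the matching counter (so the caller can persist it) or None.
    - hmac.compare_digest keeps the comparison constant-time.
    - Any counter not newer than `last_counter` is skipped, so a code that was
      already accepted cannot be replayed within the drift window.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    counter = now // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def demo_login(password_ok: bool, submitted_code: str, now: int, last_counter: int) -> bool:
    """Second step of a login: only reached once the password has been checked,
    and only succeeds when the TOTP code is valid and unused."""
    if not password_ok:
        return False
    secret = secret_from_base32(DEMO_SECRET_B32)
    return verify_totp(secret, submitted_code, now, last_counter) is not None


if __name__ == "__main__":
    secret = secret_from_base32(DEMO_SECRET_B32)
    now = int(time.time())
    code = totp(secret, now)                      # what the phone app would show
    print("current code:", code)
    print("accepted:", verify_totp(secret, code, now))
```

The RFC test vectors (secret `12345678901234567890`, SHA-1) are a handy sanity check: at Unix time 59 the 6-digit TOTP is 287082, and the same secret at counter 0 gives HOTP 755224.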
The big question, of course, is: does 2-step authentication work? The short answer is yes, but, as mentioned right at the beginning, a chain is only as strong as its weakest link. 2-step authentication is a big brick wall for those trying to break into your WordPress-based website, but if you’re on some nasty, cheap shared hosting plan then no matter what processes you put in place, you’re still at a disadvantage.
My advice: if you’re not using 2-step authentication in your general web usage, start right here with this article from Google to see what’s missing from your overall online security.
And, of course, if you’re looking for help or advice securing your WordPress-based website with 2-step authentication, get in touch with Point and Stare today.