With the ever-increasing number of criminals and hackers, a simple username and password is becoming ineffective against many types of cyber attack. The most common type is the brute-force attack, in which an attacker repeatedly guesses your username and password. Adding two-factor authentication (2FA) is an easy way to put an extra layer of security on your WordPress website.
Besides attackers stealing usernames and passwords, it is also possible that users are careless with their passwords and leak them online or store them insecurely. That, too, can mean easy unauthorized access to their accounts.
In WordPress you can add two-factor authentication using a plugin such as Google Authenticator – WordPress Two Factor Authentication (2FA).
Why You Need to Add Two-Factor Authentication to Your Site
When you add two-factor authentication, any user logging in to your website needs their username, their password and a special code that is valid for that login only. The code can be sent to their email or delivered to their mobile phone via an app, SMS or push notification.
Google Authenticator is a popular 2FA app that generates one-time codes and is easy to use. It works on most mobile platforms, including Android and iOS.
Step by Step: How to Add Two-Factor Authentication to a WordPress Site
Installing the Plugin
In your WordPress dashboard, navigate to Plugins and click on Add New. Search for Google Authenticator – WordPress, then install and activate the plugin.
General Overview of the Plugin
Once the plugin is installed and activated, you will find a new menu item in your WordPress dashboard: miniOrange 2 Factor.
The plugin's dashboard lists the various two-factor authentication methods you can use. In the free version of the plugin the following methods are available:
- Google Authenticator – log in with a code from the Google Authenticator app
- Security questions – answer 3 security questions that you set up beforehand
- miniOrange Soft Token – log in with a soft token from the miniOrange Authenticator app
- miniOrange QR Code Authentication – log in by scanning a QR code with the miniOrange Authenticator app
- miniOrange Push Notification – log in by approving a push notification in the miniOrange Authenticator app
The Standard version of the plugin adds further authentication methods, such as a one-time password sent by SMS or email. The Premium plan offers the same authentication methods; the difference between the two paid plans lies in the additional features each includes.
P.S.: To see the additional features offered by the plugin, click on Upgrade to Standard / Premium Plans in the dashboard.
Setting up Google Authenticator
In the plugin dashboard, click on Configure.
In the pop-up that appears you need to register for an account. Enter your email address, choose a password, enter the password again to confirm it and click on Continue.
On the next page, select the authenticator app you would like to use. You can download it from the Google Play Store or the iOS App Store. Choose an account name for the app, then scan the QR code with it.
Once you have scanned the QR code, the app shows a 6-digit code that you need to enter. Click on Verify and Save.
To test the two-factor authentication, log out and log in to your WordPress dashboard again. Enter your username and password and click on Log In.
You will now be asked for a one-time password. This is generated by the Google Authenticator app on your phone. Enter the code and click on Validate.
The free version of the plugin lets you enable two-factor authentication for one user only. The Pro version is priced dynamically according to the number of users, and adds features such as further authentication methods, multiple login options (username and password, or username and one-time password), multisite support and role-based redirects after login.
As you can see, the plugin adds another layer of security to your WordPress website. The only way to log in is with the right username and password together with a one-time password generated on your mobile device.
It is good practice to keep the number of plugins on your WordPress site as small as possible: some plugins slow your website down and others cause compatibility problems. If you already have a plugin such as Wordfence installed, you may not need this one at all. Wordfence includes a two-factor authentication option and also helps protect your WordPress website against brute-force attacks.