
How To Set Up WordPress Two Factor Authentication

Posted on September 25, 2014 by in Tips & Tricks | 23 comments


More and more sites are using two-factor or multi-factor authentication to ramp up security. Google, for example, wants my cell phone number to confirm my identity before I can log into Gmail. And it’s a good idea: hacking stories hit the mainstream news constantly. Security (or the lack thereof) is a real problem, and while you may not be able to prevent a big security breach like the one that happened at The Home Depot recently, you can do your part as an individual to protect your information and your site.

What is Two Factor Authentication?

Image by Anikei / shutterstock.com


As its name suggests, two factor authentication is a process that requires two sets of authentication before you’re logged into a site. Many big name sites currently make use of it in one way or another. I already mentioned Google, but sites like Twitter, Facebook, and Amazon use it, too.

The most common example of two factor authentication currently being used requires that you input your username and password as normal but before you’re logged in you have to complete a second step of confirming your identity on your cell phone or tablet, usually via a secondary app.

However, there are several other kinds of two factor authentication on the market. For instance, you might be required to input a specific personal identification number (PIN) along with the username and password. Or you might need to confirm a specific visual pattern before being granted access. Many banks use this form of authentication.

A fob is another popular choice for confirming identity before sign-ons. The fob (which you can easily attach to your keychain) displays a random-looking series of numbers that you are then required to input into a text field on the site before you’re allowed to log in.

While two factor authentication might feel like a new thing, rest assured it’s not. When you pay with a credit card, you often have to show your ID to the person behind the checkout counter. Or you have to input your zip code. Or if shopping online, you need to input the security code from the back of your card. So you see, it’s nothing new. But the application to website logins is sort of a new thing and that’s why more and more people have started asking about it.

Why Do I Need It?

As I mentioned in my opening paragraphs, two factor authentication adds another layer of security in a world where hacking has become commonplace. In short, you need it because you need to protect your personal information and your site from malicious people out there. And they are out there.

Brute force attacks occur constantly and unless you have your site secured properly, odds are good that a hacker will one day break through your defenses and steal your info, upload malware, or perform a whole host of other malicious acts.

Two factor authentication makes hacking your site harder. And unless you’re running a high-profile site, most hackers and bots are going to give up after a time when they can’t break in right away.

You want an even shorter answer?

Anything you can do to make hacking your site harder is worth doing. 

A lot of people are reluctant to jump on the two factor bandwagon, however, because in the process of improving site security it makes the login process more complicated and more time-consuming. Arguably, it doesn’t take that much longer, but there is a definite time factor involved here. You can always opt for the “stay logged in” option to reduce the number of times you have to go through the double authentication process in a given week, too, if it’s a major concern for you.

Know Your Options

You have several options for plugins that make setting up two factor authentication a snap. Let’s dive in, shall we?

Duo Two-Factor Authentication


The Duo Two-Factor Authentication plugin from Duo Security makes it simple to add two factor authentication to your WordPress site with minimal setup and minimal fuss. It works like this: install and activate the plugin on your WordPress site then download an app for your smartphone. From there, you can establish which users (or user roles) on your site require the use of two factor authentication.

On the user’s end, interaction with Duo is pretty seamless. After typing in your username and password you’re taken to a secondary screen that presents you with several options for verifying your identity. For instance, you can opt to confirm via the mobile app. Once you select this option, a notice pops up on your phone and all you have to do is tap “Confirm.”

Another option is to use a one-time passcode that’s generated on the mobile app or sent to your phone via SMS. Other options include a phone callback and using a passcode generated by a hardware token. You’re not exactly starving for options with Duo Security and that’s one of the reasons I like it so much. And even though it does provide all of these options, it manages to do so without overwhelming you with them.

Clef


Clef is a personal favorite of mine as far as two factor authenticators go. This plugin takes a truly unique approach that seems like it would be intimidating on the surface but is really pretty darn easy to use. Once you install the plugin and the accompanying Clef app on your phone, you just need to go to the wp-admin screen on your site and select the “Log in with your phone” button.

From there, you’ll be asked to sync the “Clef Wave” with the app. The Wave is a moving bar code that appears on both your computer screen and within the app. Your phone will use the built-in camera to sync the wave. This verifies your identity without ever having to type in your password. Pretty neat, huh?

There is a little setup involved here, which requires choosing a PIN within the app and connecting it with your WordPress accounts. From there, however, the process is simple. Just use the log in with phone option and you’ll be automatically logged into your site. You can use this plugin to log into all of your WordPress sites. And when you’re done, you can log out of them all at once, too.

Google Authenticator

Another option for adding two factor authentication to your site is Google Authenticator. This plugin adds the power of the Google Authenticator app to your WordPress site. Many people already use this app on their smartphones to enable two factor authentication on other applications and websites like Gmail and Amazon, so it would make sense to leverage this plugin for sheer convenience’s sake.

With this plugin, you can add two factor authentication for individual users, administrators, or as defined by specific user roles. There’s an app password feature built in, too, but that makes the app itself less secure, meaning your WordPress site would become less secure as well. It’s likely a much better idea to stick with the default authentication protocol here to maintain the highest level of security.

Two Factor Auth


If you’re just looking for a simple solution, Two Factor Auth might work out well for you. It works by creating a one-time password that you can input within a given period of time before it becomes invalid. These passwords are typically sent to your email address.

It also works with third party apps like Google Authenticator for an added layer of security. It relies on TOTP or HOTP (time-based or counter-based one-time passwords) for creating these codes, by the way. This lets you log in using a code presented in the app (as described in the previous section). Generally, this is a simple way to add greater security to your site without having to do a ton of setup.

Authy Two Factor Authentication


Authy provides two factor authentication solutions across numerous platforms, but it also has a free WordPress plugin you can use. Once it’s installed on your site, you just need to sign up for a free API key on the Authy site. Enter the API key into the plugin settings and you’re good to go. Your identity is verified via a text message to your cell phone.

It actually offers quite a few features. For instance, you can give users the freedom to opt-in to two factor authentication or as the administrator, you can force it on all users. Or, you might just want it to be required by those with specific user roles.

Two-Factor Authentication – Clockwork SMS


The last dedicated plugin I’m going to talk about here is called Two-Factor Authentication – Clockwork SMS. As you might’ve guessed by its name, this plugin works by sending a code to your phone via SMS when you try to log in to your WordPress site.

You can set it up to work with specific user roles or individual users, if you’d like. You will need a Clockwork SMS account to use this plugin, however, along with some credit in said account. Yes, that means there’s a fee but you might find it worth it to add the convenience of text message login verification without the need of an external app.

A Part of a Broader Security Solution

Two factor authentication is often a feature included in security plugins. Because of that, you might opt for such a plugin since it’ll cover greater security territory than just an authenticator would alone. The thinking here is “why use two plugins when you can use one?” Actually, there are very good reasons to use a dedicated authenticator plugin by itself if you so choose, but if site speed is an issue for you or you simply want to keep maintenance to a minimum, an all-in-one solution might work better.

A few security and site management plugins that include two factor authentication are:

iThemes Security Pro


iThemes Security Pro covers numerous security features, but it notably includes two factor authentication. Interestingly enough, it works in conjunction with Google Authenticator, too. You need to have this app installed on your phone, then you can configure it with the iThemes plugin. So, you’ll log in using your usual username and password, then be asked to input a verification code that Google Authenticator automatically generates. This code will only work for one login and changes every 30 seconds.

ManageWP


Another option is ManageWP. Now, this isn’t exactly a security plugin but it is a WordPress management dashboard that lets you control multiple sites from one interface. You can install updates, schedule backups, and more across all of your sites at once.

For security purposes, you can use the built-in two factor authentication feature. This works by sending a verification code to your phone via SMS or by sending you an email. Either way, it’s a method of verifying your identity before being granted site access.

Wordfence


Wordfence is a robust security plugin that includes a variety of features to keep your site and its content safe. For instance, it conducts regular site checks to make sure your site isn’t infected. It also promises to make your site up to 50 times faster.

Two factor authentication is included as well. It’s referred to as cell phone sign-in, according to the plugin description, which is apt since the verification via SMS is what upgrades this from a standard login process.

Wrapping Up

Two factor authentication is becoming increasingly important for WordPress site owners. It provides an added layer of security that is more necessary by the day. Let’s face it: hackers aren’t going anywhere. There’s always going to be someone out there trying to break into your site for one reason or another. Better to acknowledge that fact and prepare than to sit idly by and hope it doesn’t happen, right?

Hopefully, you now have a pretty good sense of how to set up two factor authentication on your WordPress site. If you have any questions, please feel free to ask them in the comments. Or if you’ve come across a different/better solution, I’m all ears!

Article image thumbnail by venimo / shutterstock.com


23 Comments

  1. Good article Brenda. I use Duo Security and iThemes Security on my website (www.gregorymarandola.com) as well as the websites for all my clients. They are both great plugins and work well together and with Elegant Themes templates.

    • You might want to rethink using iThemes. They just admitted they were hacked and your passwords were all stored in clear text. They also admitted they knew this was a problem from the day they committed to using software that did something so fundamentally wrong.

      • I agree Dan, I have just started using iThemes Security around 2 weeks ago only to receive the message recently that they were hacked and a stack of information was stolen. Not very happy about that, iThemes. I do use Wordfence in conjunction but still they stole my info from iThemes so not much I can do about that now.

  2. Hi, Brenda, you might also want to check out Rublon. I’ve been using Rublon for a while now and it’s the most convenient two-factor authentication I’ve found. It’s free and available for WordPress and several other CMS.

  3. Thank you for an excellent round up and personally speaking a timely prompt to beef up my own and my clients security, something that has been on my to-do list for a while but I felt I needed to research. And you have provided that info in a coherent and useful manner.

  4. All of these are great solutions, however our favorite (as chosen by our clients) is Clef. We asked our customers for feedback on the various options, and Clef was the favorite for its elegant implementation and ease of use (no need to enter a username and password, single sign-on for multiple sites, etc.). So we preinstall it with WordPress now.

  5. Thanks Brenda, really informative.

  6. Two factor authentication protects the site from hacker logging in, but it doesn’t protect your personal information, rather puts more at risk. While it reinforces the validation of a users authentication, it does not make the site or backend any safer (though other components of some of these solutions do).

    The user is sacrificing a highly personal piece of information. If the site/database is hacked, the hacker now has your phone #.

    • Servemark, to clarify your statement, that’s actually only true with SMS-based two-factor. With solutions like Google Authenticator or Clef, there’s no additional personally-identifiable information stored on the server.

      Thanks for the shoutout on Clef — we think it’s the best, easiest, most secure, way to log in to WordPress.

      [disclaimer: I’m one of the founders of Clef]

      • Good to add the disclaimer! But you and a couple other people here have piqued my interest about Clef. Going to go do a little testing.

        Thanks. ernie.

  7. Thanks .. now my site is more secure.

  8. First off, may I say that I couldn’t agree more in respect to the fact that ALL WordPress sites NEED heightened security! We have been the victim of hackers and the last time we were hacked was the worst! Our email account was literally taken over and our domain was blacklisted on every spam site around. Something that will literally end your email marketing strategies. So, as a warning from someone who knows…regardless of how small or insignificant you think your site is…as Brenda put. hackers aren’t going anywhere. You NEED the extra security.

    We have found Clef to be a good answer to our security issues, but after reading this article. I think we are also going to look into a couple of other plugins available to see what else we can do to heighten our security.

    Thank you to all the great authors here on the ET blog. The information you offer is by far, the best WordPress authority on the net and the information is invaluable!

  9. Such valuable information shared by Brenda. Mostly we use the iThemes security plugin but never tried other plugins. Great article for me and others. Thanks for sharing.

  10. see Rublon – free plugin on wordpress.org too

  11. While I’ve been musing about two-factor auth, I’d rather go with the Wordfence security premium option but give Clef and others some testing. Thanks Brandon for this useful piece.

  12. Hello:

    Interesting topic and one I’ve been considering implementing on my sites, since I got my first hack a couple of months ago.

    Apparently the hackers entered through the Slider Revolution plugin. Which is a very popular slider used in a lot of websites…. My theme had it included. And indeed it looks great.

    There was a vulnerability through the plugin that got a lot of attention. I even got an e-mail from Themeforest addressing the issue and urging clients to use the most recent version ( which was quietly patched to address this).

    Now a question to the people that know more about the subject:
    Will 2 factor authentication prevent this kind of vulnerabilities (plugin related), or is this just to have a more secure username and password…. login?

  13. These are some great plugins and we’ve tried a few of them. But one of the huge downfalls of most of these is that you’re dependent on the middleman’s uptime. If the Clef server goes down.. so does your login 🙁 Etc..

    Your best bet is still a 12+ digit strong password which you change every few months and is not repeated on other sites, and making sure your site/computer isn’t infected with malware etc.. Don’t forget to use a 3 time lock out feature.

    What we use here is KeePass to hold our 20+ digit passwords for each login, which in turn is locked by a YubiKey 40+ digit password with an added memorized 7 digit passcode in case our KeePass USB and YubiKey were ever stolen.. This would prevent someone from plugging both in and having access to everything :/

    Lastly..

    Use ssl on all your sites and keep everything free and clean of bad stuff.

  14. Yaaawwwwwn…

    I appreciate all the good topics on here (this post included), but it’s about time for an ElegantThemes update. I know you’re all working hard, but give us a little something. Sometimes you go a little too long without progress reports.

    Not trying to complain.

    • Nah. You’re just being a child. 🙂 flame off.

      • Nah. you’re just a goon. 😀

        Get some skill stop spending money on someone else’s talent and get some of your own. Bet you can’t 🙁

  15. As you said wordfence will keep your site and content safe. What you really mean by content safe? I am quite confused in that part.

  16. Clef doesn’t have the option for 2 factor. It is either use the user name+pwd or use Clef. I wish it would have the login page first and then, have clef waves to authenticate. Would love to know if Clef can give me that option.
