Cyber security is more important than ever. With so much of our sensitive personal information contained in the digital realm these days, we need extra measures to keep it all locked down. The same is true for the apps and websites that you access, including your WordPress website. Two-factor authentication is one way you secure your site and protect your data from nefarious hackers and digital vulnerabilities.
In this article, we’ll be walking you through how to add two-factor authentication to your WordPress website.
Let’s dive in!
- 1 What is Two-Factor Authentication and Why is it Important?
- 2 How to Enable Two-Factor Authentication on Your WordPress Website
- 3 WordPress Two-Factor Authentication Frequently Asked Questions
- 4 Summary
What is Two-Factor Authentication and Why is it Important?
Two-factor authentication, or 2FA, adds an additional layer of security to the login process on websites and apps. For most platforms, a basic login involves using an email address and password to gain access. Unfortunately, an email address and password pairing isn’t enough by itself these days. A hacker, cyber security vulnerability, or data breach can expose your login credentials through a one-time event, compromising your account security and personal information.
When you activate two-factor authentication for your logins, you have to verify your identity through an additional authentication step once you’ve entered your correct username and password. Usually, that means entering a code you’ve received via email, an authenticator app, or an SMS text message in order to complete your login attempt. Many apps include a 2FA option you can turn on and off. In some cases, such as when managing a WordPress website, you might want to install one yourself.
Adding 2FA to your WordPress website can help to secure it from unauthorized logins. Let’s take a look at a few ways you can use it to protect your site.
How to Enable Two-Factor Authentication on Your WordPress Website
If you’re looking for a third-party plugin to set up your two-factor authentication, there are quite a few options available. Users might choose a plugin for additional features beyond simple authentication, such as broader website security or malware protection. In some cases, you might even want a full-service software package that monitors everything from site performance to security.
We’ve written an extensive article covering the best WordPress security plugins for you to get an idea of what’s out there. Ultimately, your choice will depend on the features you need, and how many people on your team will be using the software to access your WordPress site securely.
Ready to enable two-factor authentication on your WordPress website? Let’s get started.
How to Install the Duo WordPress Two-Factor Authentication Plugin
For the purposes of this article, I opted to install the free Duo plugin on a WordPress website. Duo is great for individual WordPress users or teams, as an administrator can configure 2FA for certain team members to verify who they are before they access a site.
Be very careful to follow your selected plugin’s instructions when you’re setting everything up. Duo publishes its own installation walkthrough for the WordPress plugin.
Let’s see what that process looks like!
1. Log in to your WordPress dashboard, then click Plugins in the left-hand navigation menu.
2. At the top of the Plugins page, click Add New.
3. Type your query into the search bar, then select your plugin of choice.
4. Once your plugin has installed, click Activate.
5. Now, you’ll see that Duo shows up on the Plugins page. You can click Settings to get everything set up and synced with the app.
Setting Up a Duo Account
6. Open a new browser tab and visit the Duo website. In order to get everything set up, you will need both an account on Duo (there is a basic, free option) and the Duo mobile app. Download the app to your smartphone and follow the instructions to sign up for an account. You will be shown a QR code to scan in order to sync the Duo website with the mobile app.
7. Once you’ve signed up for your account, it’s time to protect your WordPress site. On the Duo website, navigate to your Applications tab on the left-hand menu. You’ll see a page with the heading Protect an Application.
8. You can scroll down the page or type WordPress into the search bar. When you see it, click the Protect button on the right-hand side of the row.
9. Next, you’ll see a WordPress page with account details displayed, including your Integration Key, Secret Key, and API Hostname.
If you click back over to your open WordPress tab (you should still be on Duo’s plugin settings page), you will see places to enter each of those credentials.
Activating Duo in WordPress
10. One by one, copy and paste each credential (Integration Key, Secret Key, API Hostname) into the plugin page on WordPress. From there, you can enable the plugin for specific roles within your WordPress site.
Duo recommends that you leave XML-RPC disabled (bottom check box): XML-RPC requests authenticate with only a username and password, so enabling it would let a login bypass the second factor you just added.
When you’re done, click Save Changes.
11. Assuming you enable Duo for the administrator, you’ll see a page that starts the process of connecting your account to your Duo mobile app. Click Start Setup to continue.
You’ll be prompted to select the type of device you want to add to your account. For example, you might select Mobile Phone or Tablet. I chose to add my phone, so the next prompt asked for my number and what type of phone I was using. The prompts then gave me another QR code, which I scanned with the Duo mobile app to connect my phone.
There are several ways you can integrate Duo with multiple devices for ease of access to your WordPress site. It’s possible to set the service up so that you can receive SMS text messages, push notifications, one-time login codes, or a phone call to authenticate your login. I set up the website to push SMS to my phone.
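The XML-RPC warning in step 10 covers the Duo plugin’s own checkbox. As an added example that is not part of this article or of Duo’s plugin, the must-use plugin below turns XML-RPC off at the WordPress level as well, so a username-and-password request to xmlrpc.php cannot sidestep the second factor; the file name and log message are my own choices.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 * Description: Site-wide XML-RPC shutdown so password-only logins cannot
 *              bypass the second factor. Save as
 *              wp-content/mu-plugins/disable-xmlrpc.php (no activation needed).
 */

// Refuse every XML-RPC login attempt, regardless of the method called.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Remove every registered XML-RPC method, including the system.* helpers
// that let a caller enumerate what the endpoint offers.
add_filter( 'xmlrpc_methods', '__return_empty_array' );

// Stop advertising the endpoint: drop the RSD <link> from <head> and the
// X-Pingback response header, and blank the pingback URL in bloginfo().
remove_action( 'wp_head', 'rsd_link' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );

// Log and reject any request that still reaches xmlrpc.php so the attempts
// are visible in the PHP error log for monitoring.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        // Behind a reverse proxy REMOTE_ADDR is the proxy's address; adjust
        // this to your proxy's forwarded-for handling if you need the client IP.
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( sprintf( 'Blocked XML-RPC request from %s', $ip ) );
        status_header( 403 );
        nocache_headers();
        exit( 'XML-RPC is disabled on this site.' );
    }
}, 0 );
```

Note that this also disables legitimate XML-RPC clients such as the WordPress mobile app’s legacy connection, so confirm nothing on your team depends on that endpoint before deploying it.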
WordPress Two-Factor Authentication Frequently Asked Questions
How do I decide whether to use the WordPress 2FA tool or a plugin?
The built-in tool for WordPress’s two-factor authentication is great for individual logins. If you have a team you’re working with, though, you might want to look into broader-reaching plugins. These give the administrator more control over who can access the site.
Which third-party plugin should I choose for two-factor authentication?
It’s good to do a bit of research before jumping into any particular plugin. First, take a look at your site’s needs and the size of your team. You will also need to consider whether you need additional security beyond 2FA. A more comprehensive app with multiple built-in cyber security solutions might be what you need, for example, rather than a simple authentication tool.
What if I run into problems installing my plugin and get locked out of my WordPress site?
Before you set up your two-factor authentication plugin, make sure you’ve opened a tab with the plugin’s installation instructions. Note whether the service has a customer service team that can assist you if you run into problems. Follow the installation instructions carefully, taking your time with each step. Knowing in advance that your chosen plugin has help available takes the pressure off if something goes wrong.
Two-factor authentication is a necessity if you’re serious about keeping bad actors out of your WordPress account. Take time to learn which 2FA plugin is best for you; it will be well worth the time and research. Good luck!
Do you use a 2FA plugin for your WordPress site? What about the built-in tool? Which do you prefer? Leave us a comment and let us know what you think.
Featured image via Ka4an / Shutterstock