How to Add Two-Factor Authentication in WordPress
Many online services, including Google, now allow you to use two-factor authentication providing a better way to safeguard your login data. With WordPress powering the majority of websites, it should come as no surprise that the same functionality is available to WordPress users as well. In this article we will discuss several ways of two-factor authentication in WordPress.
What is Two-Factor Authentication
Two-factor authentication is a type of authentication in which a user is given access to content only after passing two tests. One of these is usually a password, a PIN, or a similar test, while another can be a physical object such as a bank card number, or an inherent characteristic of the user, such as a fingerprint.
You can also use email for it, meaning that whoever is trying to log in not only has to know your login data (username and password), but also have access to your email. It is easy to see why combining two or more identification factors makes for better security. We will show you how to add two-factor authentication in WordPress using WordPress 2-Step Verification, which is a completely free plugin, in three free and easy ways:
Before we proceed, the first thing you need to do is install and activate the WordPress 2-Step Verification plugin. If you don‘t know how to install and activate a plugin, you can check out our handy tutorial.
Once you have installed the plugin, you need to navigate to Users/2-Step Verification using your dashboard menu to the left.
Once there, click on Get Started to set up your 2-step verification.
You will next be prompted to set up an email address. Input your email address in the field and click on Next.
You will then receive a code in your email inbox. Copy the six-digit code, paste it into the designated field and click on Next.
This way you are confirming that the 2-step verification works, and that’s also how it will work for your users. You just need to activate it by clicking the Turn On button.
You will then receive another verification code to your mailbox. You need to enter it in the designated field to complete the activation.
You now have fully functioning two-factor authentication. Once you log in using your password, you will be sent a six-digit code to your email address. You need to further authenticate your login using the randomly generated six-digit code which will be sent to your email. This means that whoever wants to log in must not only use a password, but also a code which they will receive in their email.
You can also add other email addresses for easier access, while still retaining the extra security step.
Like we said earlier, you can use the same plugin to set up alternative second steps. You can use the Google Authenticator app to generate codes in case your device is offline, or printable one-time backup codes for when your email is not accessible. Any of these login factors can be removed as necessary using the dustbin icon.
You can also set up App passwords if you sign on to WordPress using apps which do not support 2-Step Verification or skip the second step on Devices you trust.
To set up Google Authenticator, click on Set Up under Authenticator app and select the type of device you will be using. We will show you how this works for Android devices, but it works much the same for iOS.
You will be presented with a set of instructions. First, you need to download Google Authenticator from Google Playstore, set up an account, and scan the QR code.
You will get a randomly generated, frequently-changing six-digit code. You need to input this code in the appropriate field.
With that done, you will use the Google Authenticator for each login. It is tied to your device, but the application works regardless of whether your phone is connected to the internet, so your device does not need to be online for authentication to function, making it a little easier than e-mail. This also means that whoever wants to log in must not only know the password, but have access to your mobile device, too.
To generate a batch of single-use codes, click on Set Up under Backup Codes, and you will be shown a set of codes which you can download, print, or note down. You can also generate another set.
You can use these single-use codes to log in in cases you cannot access your phone or e-mail.
As you have seen, setting up two-factor authentication in WordPress is both easy and free, and it makes your website safer from hackers. Even if the database holding your passwords is compromised, even if you lose a device, even if your password is stolen by somebody wishing to do harm to your website or content, they will still have an extra hoop to jump through. With a well-chosen plugin, your WordPress website can be safer than ever, and at no extra cost.