Implementing Two-factor Authentication on WordPress

We have discussed it before but it bears restating, website security is not a single thing, it’s a series of layers. Just as castles of old were built up as layers around the Keep, so should your website have layers built around your most precious possession, access to the admin section of your site.

In previous articles and podcasts, we’ve discussed the outer rings of your defense:

• Services like Cloudflare
• Secure certificates
• Changing the default admin name
• Securing passwords and usernames
• The principle of least privilege

All of these are important layers, but there are additional, more in-depth steps you can take that will make it much more difficult for bad actors to access your site. Steps that I highly recommend, especially if you have been trusted with your user’s personal information.

One of these steps is “Two Factor Authentication”, or 2FA.

2FA is not a new security concept. For decades, financial institutions have relied on “Fobs” (small devices you can attach to your keyring that have a display and give an ever-changing number) as an additional factor in logging in.

The overarching security concept is “Something you know, something you have, something you are.” In 2FA, we pick two of these. When you log into a website without 2FA, you only use the “something you know” – the login and password. Regardless of how strong you think those are, there is a chance that they can be compromised. 2FA adds a layer on top of that, the “something you have”.

These days, instead of having to issue each admin user a fob, we have smartphones and software that can take the place of fobs. If you have a modern smartphone (one made in the last 5 years) it can run an app that functions as the “something you have”.

The most commonly used – although by no means the only – app for 2FA is “Google Authenticator”. It’s the most common because it is free. Before you go down the road of 2FA, make sure that Google Authenticator is available for your phone.

Now that you know that your phone can do its job, we need to look at WordPress. As with authentication apps, there are several WordPress plugins available that can do the job. If you already use a plugin like WordFence, you’ve got everything you need to set up 2FA. If not, you will need to select one of the plugins to use. While I am not in the habit of recommending plugins if you do not already have a plugin installed that offers 2FA, I’ve used WP 2FA in the past and it does the job.

Install and configure your plugin. At some point, you have to decide what user roles have to implement 2FA to log in. Be careful with this. 2FA adds friction to your site. Friction is a bad thing. For the most part, unless you have good reason to do otherwise, I recommend limiting 2FA to Administrators. If you have a lot of them, you may want to add Editors as well. I do not recommend you require your average customer to use it unless you are storing sensitive data about them.

2FA does not replace the normal login and password you have to enter into WordPress. That’s the “Something you know” and it is still important. It does however augment the login process by adding a third field.

After your user clicks the login button, they will be taken to a second login screen that will ask them for their “token”. If they have set up their app properly, they will open the app, find your website in it, and type in the number on the screen. This number changes every 30 seconds. The number is called a “Time-based One Time Password” (TOTP). Your phone and the plugin you use both know how to calculate it, but no one else does. When they type in the token and press the button, the plugin will calculate the appropriate TOTP and then verify that it matches what the user typed in. Based on that it will either allow or deny the login.

That’s it. It should take about 10 minutes to get the plugin set up and operational and get your administrator account hooked up. That’s all it takes to secure your account so strongly that unless someone steals your phone from you, they can’t log in, even if they have your login and password.

One final word, some 2FA systems are not based on apps but on text messages sent to your phone with the tokens. These are not secure. Avoid these systems and use ones that have an app.