Implementing Two-factor Authentication on WordPress
We have discussed it before, but it bears restating: website security is not a single thing, it is a series of layers. Just as castles of old were built as rings of defenses around the keep, your website should have layers built around your most precious possession: access to the admin section of your site.
In previous articles and podcasts, we’ve discussed the outer rings of your defense:
- Services like Cloudflare
- Secure certificates
- Changing the default admin name
- Securing passwords and usernames
- The principle of least privilege
All of these are important layers, but there are additional, more in-depth steps you can take that will make it much more difficult for bad actors to access your site. I highly recommend these steps, especially if you have been trusted with your users’ personal information.
One of these steps is “Two Factor Authentication”, or 2FA.
2FA is not a new security concept. For decades, financial institutions have relied on “fobs” (small devices you can attach to your keyring that have a display and show an ever-changing number) as an additional factor when logging in.
The overarching security concept is “something you know, something you have, something you are.” In 2FA, we pick two of these. When you log into a website without 2FA, you only use the “something you know” – the login and password. Regardless of how strong you think those are, there is a chance that they can be compromised. 2FA adds a layer on top of that: the “something you have”.
These days, instead of having to issue each admin user a fob, we have smartphones and software that can take the place of fobs. If you have a modern smartphone (one made in the last 5 years), it can run an app that functions as the “something you have”.
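The “ever-changing number” a fob or authenticator app shows is, in Google Authenticator’s case, a TOTP code (RFC 6238): an HMAC over a secret shared at enrollment and the current 30-second time window, truncated to six digits. The following Python is an added illustration and is not code from this article or from any WordPress plugin. It uses the standard step size, digit count and the RFC 6238 reference secret; the one-step acceptance window and the replay check (never accepting a time window at or before the last one used) are assumptions about how a sensible server-side verifier behaves, not something the article prescribes.

```python
"""Minimal RFC 6238 TOTP generator and verifier (the scheme Google Authenticator implements)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown by the app

# Reference secret from RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890"),
# base32-encoded the way an authenticator app expects to receive it.
RFC_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def new_secret(num_bytes: int = 20) -> str:
    """Generate a fresh random shared secret for enrollment, base32-encoded."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI; this is what the enrollment QR code encodes."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[int] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window (the app side)."""
    if at_time is None:
        at_time = int(time.time())
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, at_time // step)


class TotpVerifier:
    """Server side: accept the current window plus `window` steps either side to tolerate
    clock drift, compare in constant time, and refuse to reuse a window (replay protection)."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.key = base64.b32decode(secret_b32, casefold=True)
        self.window = window
        self.last_counter_used = -1   # highest time window already consumed by a login

    def verify(self, code: str, at_time: Optional[int] = None) -> bool:
        if at_time is None:
            at_time = int(time.time())
        counter = at_time // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter_used:
                continue   # this window (or an older one) has already been used once
            if hmac.compare_digest(hotp(self.key, candidate), code):
                self.last_counter_used = candidate
                return True
        return False


if __name__ == "__main__":
    secret = new_secret()
    print("enroll with:", provisioning_uri(secret, "admin@example.com", "Example Site"))
    print("current code:", totp(secret))
```

The same shared secret lives in two places, the phone and the site’s database, so a plugin’s protection of that stored secret matters as much as the password hash does; and because codes are only valid for a window or two, the server must keep its clock in sync or every login will fail.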
The most commonly used – although by no means the only – app for 2FA is “Google Authenticator”. It’s the most common because it is free. Before you go down the road of 2FA, make sure that Google Authenticator is available for your phone.
Now that you know that your phone can do its job, we need to look at WordPress. As with authenticator apps, there are several WordPress plugins available that can do the job. If you already use a plugin like WordFence, you’ve got everything you need to set up 2FA. If not, you will need to select one of the plugins to use. While I am not in the habit of recommending plugins, if you do not already have a plugin installed that offers 2FA, I’ve used WP 2FA in the past and it does the job.
Comments (6)
Sherwin
Why only in WordPress is there any discussion about HTML or CSS code? It’s quite unfair for those people who are not using WordPress but are also your clients.
Hristo Pandjarov Siteground Team
Cal is a well-known WordPress and PHP expert, thus the focus is on WordPress. If you have a custom login process on your pages, it would be really difficult for anyone that's not familiar with your code to give you suggestions regarding securing it further. However, the principles are the same; just the implementation differs greatly.
Charlie Sasser
2FA is great but the SG implementation does not "remember" devices, so every time I log into SiteGround I have to pull my phone out, log into my phone, and then log in to the app, get a passcode and then enter into SiteGround. I don't object to doing this on each new device but it is painful to go through the process every time I log in. Can this be fixed in your implementation? I really don't want to turn 2FA off, but since it doesn't remember devices I may have no choice.
Hristo Pandjarov Siteground Team
Actually, it does; please check how long your device stores cookies and/or whether there is a privacy plugin that clears such cookies. That said, we keep you logged in for a period of time, and if you don't log in regularly, you may need to re-authenticate.
Drew
Will any other authenticator apps be added?
Hristo Pandjarov Siteground Team
At this point we don't plan on adding other applications; Google Authenticator is reliable and works great.