Websites running WordPress get attacked – a lot. Why, just the amount of brute force login attempts alone can be massive. If you want to see just how much, install a security plugin that blocks these login attempts. You may be shocked at the sheer number of bots out there trying to break into your site.
What’s really surprising is that even sites with relatively low traffic are not immune to this phenomenon. Bots care nothing about the size of your website, rather the software it’s running.
This isn’t the fault of WordPress, per se. Its popularity simply makes it the biggest target out there for nefarious actors. Much the same way Windows wears the bullseye for viruses and malware when it comes to personal computers. When you’re the most popular option, you’re likely to face the most aggression.
For those of us responsible for maintaining these websites, being proactive when it comes to security is mandatory. And one of the simplest steps we can take is adding two-factor authentication.
Let’s explore what two-factor authentication is and take a look at a few plugins that will help you add this feature with minimal effort.
Two Layers Is Better Than One
Two-factor authentication (2FA) is becoming a standard across a number of industries. Everything from online banking to social media companies are recommending it for increased security.
In a nutshell, this is a measure that goes beyond a standard username and password – thus, the name “two-factor”. It forces users to take an additional action in order to verify their identity.
The additional action can vary by system. This might be entering a randomly-generated alphanumeric security code, solving a simple math equation, requiring a user to scan a QR code with their mobile device or verify a previously chosen image. Biometrics such as fingerprint or retina scans are also possibilities, although they aren’t widely used on the web just yet.
While this does make the user’s login process more laborious, it also adds a crucial layer of security. It’s a tradeoff well worth making. And the technology is getting better. Some systems will remember your device, so that two-factor is only required when a login attempt comes from an unrecognized gadget.
The bottom line is that two-factor makes it more difficult for a bot or other unauthorized user from forcing their way into your website and doing damage.
Two-Factor Authentication Plugins for WordPress
Now that we know a bit more about what two-factor authentication is and why we’d want to use it, it’s time to integrate it into our WordPress website. Fortunately, the process is simple, thanks to a number of available plugins.
Here are a few of the best options out there:
While officially still a beta plugin, Two-Factor does one thing and does it pretty well. It allows you to choose from a variety of authentication methods right from your WordPress user profile. The plugin will email you a security code, use time-based passwords, FIDO Universal 2nd Factor and more. It’s still in development, so look for more handy features to come.
Two Factor Authentication is a more polished and flexible option. It includes support for the popular Google Authenticator app, QR code scanning and the ability to require specific roles to use the extra verification procedure. The premium version even offers integration for front-end logins, which is useful if you are running a membership site.
Yes, Jetpack is the plugin suite that tries to do a bit of everything. So, if you’re only looking for two-factor functionality, it’s probably not worth installing for that alone. But if you’re one of the millions who already have it installed, their Protect feature is activated by default. It helps to block brute-force attempts, but also includes a math-based CAPTCHA which is included on your site’s login form. It is one of the more user-friendly methods out there, provided you know a little math!
This plugin adds 2FA to any login field, including the front end. But don’t let the name fool you – it works with more than just Google Authenticator. You can also use LastPass Authenticator, push notifications and security questions, among others. In addition to the free version, there are premium versions and add-ons that offer more features. It also integrates with a number of popular plugins.
Keyy looks to pick up where the innovative Clef service left off. Clef (which is no longer with us) allowed users to login by scanning a pattern on their screen with their mobile device. Keyy does much the same thing and requires you to download an app in order to use the service. This eliminates the need for users to enter their password altogether, which could be a good thing. Just note that this plugin is in its early stages, so there may be a few “rough edges”.
Wordfence is one of the most-used security plugins out there and offers a full suite of different protections. But for our purposes, let’s talk about its two-factor feature. It’s now available in the free version of the plugin and has been completely revamped. Like others on this list, it supports TOPT-based authenticator apps, like Google Authenticator. There’s also an option to add RECAPTCHA to your login form as well. Also of note is the ability to require 2FA for specific user roles and allowing the system to remember devices for up to 30 days.
A Simple Way to Boost Security
When it comes to securing your WordPress website, every little enhancement can make a positive difference. Implementing two-factor authentication is going to make it that much more difficult for an attacker to access the back end of your site.
Even better is the ease with which this feature can be added. Any one of the plugins above can increase your protection for free and with minimal effort on your part. Choose your favorite and to keep bad actors at bay.
- 5 Things to Tell Your Clients About WordPress Security
- Without User Consent: An Ethical Dilemma for WordPress Plugin Developers
- The Challenge of Switching from a Page Builder to the WordPress Gutenberg Block Editor
- 5 Bad Habits That Can Hurt Your WordPress Website
- 10 Best Free Security Plugins for WordPress
- How to Update WordPress Themes and Plugins with a ZIP File
- Signs Your WordPress Website Has Outgrown Its Hosting
- 8 Essential Free Plugins for WordPress Multisite