WordPress two factor authentication

If you aim to secure your site, you would benefit greatly from implementing WordPress two factor authentication. But what is it, and how can you implement 2FA in WordPress?

The login page of a WordPress website is the gateway to all your valuable content. Usernames and passwords are the standard of website security for all computer users. However, passwords can be guessed or discovered by malicious users, which makes it necessary to protect your site from hack attempts and brute-force attacks.

A brute-force attack tries many username and password combinations until one succeeds. Thus, relying only on usernames and passwords for your site’s security is no longer safe. Enabling two-factor authentication in WordPress is a great solution to the problem. It ensures better security for the site.

There are various WordPress plugins for implementing two-factor authentication (2FA) on your site. In this guide, we will show you a step-by-step process to set up 2-step verification on your site.

In this article

    1. Using Google Authenticator App
    2. Using Push Notification on a Mobile Device

What is WordPress Two factor Authentication?

Two-factor authentication uses a 2-step process to grant access to your site on the WordPress login screen. Your username and password alone are not enough to log in; you also need another verification method to confirm your access.

WordPress two-factor authentication offers a second layer of security for the site’s admin users, thereby ensuring better security for the site.

Passwords are weak because they could be deduced or hacked. They are also susceptible to brute-force attacks. This makes the use of passwords alone unreliable.

Two-factor authentication for WordPress adds a second authentication step, which makes up for the weaknesses of passwords.

The 2FA process requires two out of three things about you to prove your identity.

  1. What you know
  2. Something you have
  3. Who you are

Currently, two-factor authentication uses what you know, such as your password, and what you have, such as a mobile phone or an email account. It confirms a user’s identity when the verification code sent to the user’s mobile phone or email account is entered at login. The verification code completes the login process.

Two-factor verification has been highly effective in user authentication. The reason for this success is that a hacker most likely will not have access to your password and mobile phone at the same time.

Ways to Setup WordPress two factor authentication

Side note: You may consider signing up for our WordPress maintenance service which covers site security. We will take care of 2FA, hardening, and all other aspects.

To set up two-factor authentication, you need a suitable 2-step verification plugin for WordPress. With 2-step verification, the user receives a verification code via SMS or phone call. Other methods include push notifications and QR code authentication on a mobile phone.

With QR code verification, the user gets the verification code from the Google Authenticator app. Authy is a similar authenticator app for this purpose.

You can get the Google Authenticator app from the Google Play Store for Android devices, or from the App Store for iOS devices. You can install it on any smartphone.

Using Google Authenticator App

The Google Authenticator app method requires the app to be installed on the mobile phone of the user who wants to log in. The app works by generating codes every sixty seconds. The six-digit code generated by the app serves as a one-time password (OTP). This OTP authenticates the user at login, after the username and password have been verified.

To use second-factor verification, you first need to have the Google Authenticator app ready on your phone.

Next, you need to install and activate a compatible 2FA plugin on your WordPress site. For this guide, we’ll use the Two Factor Authentication Plugin.

Install and activate the plugin on your site. A Two Factor Auth icon will appear on your WordPress dashboard.

Setting up two factor authentication: Scan a barcode option

In the admin area of your dashboard, click Two Factor Auth > Two Factor Authentication settings page.

Next, open the Google Authenticator app and, on the Add an account page, choose the Scan a barcode option.

Then scan the QR code by placing your phone’s camera over the code.

After you scan the QR code, a six-digit code appears on the screen of your app. This code matches the code shown on the plugin’s settings page. Next, click Save Changes on the plugin’s settings page.

To find out whether your 2-step verification settings work, log out of your site and log back in.

Enter the code that the Google Authenticator app displays on your phone into the login page of your site, and click Log in.

After clicking the login button on the login screen, the code grants access back into the site.

As seen, two-factor authentication is now implemented on your site. From now on, you can only gain access to the site by entering the codes generated by the Google Authenticator app into the login screen when required.

Setting up two factor authentication: Enter a provided key option

Although the scan the barcode option is much easier, you may choose to use the provided key option.

First, select the Enter a provided key option in the Google Authenticator app on your phone. Still in the app, set an account name.

Next, type the Private key (base 32) displayed on the plugin’s settings page into the app. Then press Add.

A new account is added to your app with the name you created for the account. Also added to the account is a new code, which is the same as the code on the plugin’s set-up page. Click Save changes on the plugin’s page.

Two-factor authentication is now active on your site. Let’s log out and log back in to verify 2FA on the site.

Enter the six-digit code that the Google Authenticator app displays on the phone’s screen into the login page of your WordPress site. Click Log in.

The 2FA verification grants access to the WordPress site.
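
Both setup options above hand the app the same base32 private key, and the site and the app then derive matching six-digit codes from that key and the current time. The following is an added example, not code from the plugin or from this guide: a standard TOTP (RFC 6238) generator and server-side check in Python. The 30-second time step is RFC 6238's default and is an assumption here (it is a parameter), and the key is the RFC's published test secret, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample key: RFC 6238's test secret "12345678901234567890" in base32.
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def decode_key(secret_b32: str) -> bytes:
    """Decode a base32 key as a user types it (spaces, lower case, no padding)."""
    cleaned = secret_b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at=None, step: int = 30) -> str:
    """Code an authenticator app would display at Unix time `at`."""
    now = time.time() if at is None else at
    return hotp(decode_key(secret_b32), int(now // step))

def verify(secret_b32, code, at=None, step=30, window=1, last_used=-1):
    """Server-side check: return the matched time-step counter, or None.

    Tolerates +/- `window` steps of clock drift, compares in constant time,
    and skips counters <= `last_used` so an accepted code cannot be replayed.
    """
    now = time.time() if at is None else at
    current = int(now // step)
    key = decode_key(secret_b32)
    submitted = str(code).strip().encode()
    matched = None
    for counter in range(current - window, current + window + 1):
        if counter <= last_used or counter < 0:
            continue
        if hmac.compare_digest(hotp(key, counter).encode(), submitted):
            matched = counter
    return matched

if __name__ == "__main__":
    print("code for the sample key right now:", totp(SAMPLE_KEY))
    step = verify(SAMPLE_KEY, totp(SAMPLE_KEY))
    print("accepted at time step:", step)
    print("replay accepted:", verify(SAMPLE_KEY, totp(SAMPLE_KEY), last_used=step))
```

A site that stores the counter returned by `verify` for each user and passes it back as `last_used` rejects a code that has already been accepted, even while the app still displays it.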

Using Push Notification on a Mobile Device

This method lets you receive a notification of a login attempt on your phone after entering your username and password at your site’s login page.

For this guide, we will use the Google Authenticator – Two Factor Authentication (2FA) Plugin.

First, install and activate the Google Authenticator – Two Factor Authentication (2FA) Plugin. The plugin offers multiple choices for securing the login page of your WordPress site. We’ll show you how to use the Push notification option.

After activating the plugin, click on its icon on the dashboard in your WordPress admin area.

There will be a brief tour of the miniOrange Google Authenticator 2FA plugin. The tour will show you how to navigate the plugin settings screen on your site. You may choose to click Next to complete the tour. Otherwise, click End tour to skip and continue setting up push notification 2FA on your site.

When the tour ends, your screen becomes clear, and all the 2FA options will be visible. Click Configure for the ‘miniOrange Push Notifications’ option.

A window to register your account with miniOrange opens, and the email address associated with your site will display. You may keep it or change it to another email.

Next, enter the password that you want to use for the plugin account in the field provided. Re-enter the password to confirm it.

Finally, click Continue.

Enabling Push Notifications on Your Phone

Step 1: Download the miniOrange Authenticator App for your smartphone or other mobile device. You can get it from the App Store for iPhone users, or from the Google Play Store for Android users.

We are using an Android device and the Google Play Store for this article. On your smartphone or mobile device, search for mini orange on the Google Play Store. Then select Authenticator from the results list, and download and install it on your device.

When that is done, click the Configure your phone button on the miniOrange settings page on your computer screen.

Step 2: A QR code will display on the screen, and a message to prompt you to scan the code will display as well.

Place your phone’s camera over the QR code to scan.

When the Scan QR code process completes, the code will have a large green check sign on top of it. This shows that the scan was successful.

The Push Notification option’s Configure bar is now green. This means that the Push notification option was set up successfully. To test it, click on Test miniOrange Push Notification.

The plugin sends a push notification to your phone notifying you of a login request to your account.

Click ACCEPT to approve the request; otherwise, click DECLINE.

After you accept the request, the plugin page on your site will show that you have successfully completed the test.

As usual, we have to test whether the plugin actually enforces a second layer of verification on the site.

Log out of your site and try to log in again.

After your username and password verification, a push notification is sent to your phone.

Accept the login request.

And here we are, back in the dashboard area of the site.

And that’s it! We have implemented two factor authentication using Push notification.

Conclusion

In this guide, you have learned how to enable two-factor authentication for your WordPress site. The steps listed are easy to follow. You should be able to enable two-factor authentication for WordPress without hassle.

So, if you solely manage a site with WordPress, it is important to enable 2FA on your site. It is even more important to have this when you have several people working on a site. Two factor authentication will provide the much needed extra WordPress security.

To learn more about securing your site, please read our WordPress Security guide.