Two-factor authentication in WordPress is becoming increasingly popular as website owners look for more ways to secure their sites against unwanted infiltration. There are several really good ways that you can get WordPress 2FA in place.
Today, I am going to show you how to do it using a smooth plugin.
There are several other really great ways to keep your website secure, but 2-factor authentication for WordPress is definitely one that is gaining steam. Seems like every site should have this set up at some point, so let’s look at how you can easily get it into place on your website.
What is Two-Factor Authentication in WordPress?
Simply put, 2FA is an extra layer of security that is used to make sure that anyone trying to gain access to online accounts is actually who they claim. It works in conjunction with smartphones, and a user has to verify at least one trusted phone number to enroll in 2FA.
Apple iOS, Google Android, and Windows 10 all have apps that support 2FA. This lets the phone itself serve as the physical device that satisfies the second factor. It works by asking users to enter a six-digit number.
Right after a user enters a name and a password, they will immediately be asked for another piece of information to verify that they are who they say they are. The second factor could be any of the following:
- PIN Number
- Secret Questions
- Something You Have (credit card, smartphone, hardware token)
- Fingerprint
- Iris Scan
- Voice Print
The last three are more advanced but can be set up when needed if you have a device that supports them.
I am going to show you how you can easily add two-factor authentication to WordPress and help keep your site safe from potential hackers.
Let’s take a look at the plugin we are going to use today and see all that it has to offer.
2FAS Light – Google Authenticator
2FAS Light – Google Authenticator is a smooth, simple to use, easy to set up plugin that allows you to add WordPress two-factor authentication to your site. It works by having users employ the Google Authenticator mobile app to confirm their identity.
This is a free 2FA plugin for WordPress, and it also works with other mobile apps that generate tokens, including Microsoft Authenticator, Authy, Free OTP, 2STP, and OTP Auth. All in all, you will be hard-pressed to find a better two-factor solution for WordPress that is as powerful as this one and also free to use.
Another great thing about this plugin is that you will not need to register or create any third-party accounts. The only thing we need to do is install the plugin, activate it, and set it up for use. From that point, you are good to go.
The 2FAS Light plugin does not communicate with any external sites. All data needed to make the plugin work properly are stored in the WordPress database.
As stated above, the 2FAS Light plugin is free for all WordPress users. The moment you get the plugin activated and set up, you immediately protect your site from:
- Brute-Force Attacks
- WordPress Takeovers
- Phishing and Keylogger Attacks
Let’s get the plugin set up and running together so that you can start to protect your site.
Set Up Two-Factor Authentication in WordPress
Step 1: Install and Activate the Plugin
Before you can use WordPress two-factor authentication, you first need to install and activate the 2FAS Light plugin. You can do this by heading over to the Plugins page in the WordPress admin dashboard.
Note: You will need a smartphone to enable this feature. If you do not have one, setting up 2FA in WordPress, or on any other site, is not possible. If you lose access to this device, it can lock you out of your website.
Just use the available search field on the page and search the plugin by name. Once you see it pop up, install and activate it right from there.
Now that the plugin has been installed and activated, you need to head over to the main setup page. To do this, click on the “2FAS Light” link tab that is located on the left side menu area of the dashboard.
You can see that this option has appeared because you activated the plugin. This will take you directly to the main configuration page. From here, you can configure the plugin and get it running properly on your site.
But first, you are going to need to download an app on your smartphone.
Step 2: Download Appropriate App to Your Smartphone
Download the appropriate app for your smartphone. You are free to pick which one you want, but the Google Authenticator app and the 2FAS Authenticator app are the most recommended. They are both easy to use and easy to scan with.
Step 3: Scan QR Code
Now that you have downloaded the app of your choice, go ahead and scan the QR code that is given. Just click on the “Show QR Code” button and use the app to scan the box that displays.
Note: You can also enter your private key manually if you choose to do so.
Step 4: Enter the 6-Digit Token
Once you scan the QR Code box from the previous step, a 6-digit token will display on your smartphone. Go ahead and copy and paste that token into the provided box and then click on the “Add Device” button.
That’s it! You will now get a confirmation showing you that 2FA has been configured and enabled for your device and you are all set.
You can add more trusted devices if you need them. At this point, two-factor authentication in WordPress is set up and running. From here, when someone tries to log in to the site, the extra 2FA authentication step will be necessary.
Note: If you choose to uninstall or disable 2FA, then that extra step will just disappear upon login. You will need to go through the setup process again to enable it.
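What the authenticator app and the site each compute in Steps 3 and 4, as an added example that is not part of the original tutorial and is not the 2FAS Light plugin's own code. It assumes the QR code carries a standard otpauth:// provisioning URI and that tokens follow RFC 6238 TOTP with the usual defaults (HMAC-SHA1, 30-second step, 6 digits); the URI is constructed around the RFC test key, and the function names are made up for the illustration.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: the RFC 6238 test key, Base32-encoded, inside a made-up URI.
SAMPLE_URI = ("otpauth://totp/Example:admin"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def secret_from_uri(uri):
    """Pull the Base32 private key out of the URI that the QR code encodes."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    return parse_qs(parsed.query)["secret"][0]

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 token for Unix time `at` (HMAC-SHA1, 30 s step, 6 digits)."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # apps often drop padding
    counter = struct.pack(">Q", int(at) // step)      # 8-byte big-endian step number
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, at, last_used_step=-1, window=1, step=30):
    """Return the matching time step, or None.

    Tolerates `window` steps of clock drift either way and refuses any step
    at or before `last_used_step`, so a captured token cannot be replayed.
    """
    current = int(at) // step
    matched = None
    for candidate in range(current - window, current + window + 1):
        expected = totp(secret_b32, candidate * step, step)
        same = hmac.compare_digest(expected.encode(), submitted.encode())
        if same and candidate > last_used_step:
            matched = candidate
    return matched

if __name__ == "__main__":
    secret = secret_from_uri(SAMPLE_URI)
    print(totp(secret, 59))                              # token the app shows
    print(verify(secret, "287082", at=59))               # accepted
    print(verify(secret, "287082", at=59, last_used_step=1))  # replay refused
```

The private key in the URI is the whole second factor: anyone who can read it from the database or from a screenshot of the QR code can generate valid tokens.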
You Can Set Up Two-Factor Authentication For Much More Than Just WordPress
Google Authenticator is not just for 2FA in WordPress. You can also use it for all of your 2FA needs.
For instance, you can secure your Nintendo account by adding an authenticator token to it, and wouldn’t you know, Google Authenticator is an option. In fact, it is the most popular authenticator app on the market.
This is also a necessary step on some financial websites. For instance, if you buy or sell cryptocurrency on Coinbase, you must use an authenticator once your account reaches a certain value.
It dramatically improves security, so it makes perfect sense.
So remember, if you need an authentication app, most sites support this one.
Are Strong Passwords Alone Still Good Enough?
That is a good question, and it will depend on who you ask. In my opinion, it is never a bad idea to use WordPress two-factor authentication. It adds an extra layer of security and is not difficult to configure.
Keep in mind that there are many other ways to secure a site. This is great for people that may not be a fan of 2FA. It can also be hard for some people to use, as not everyone may understand the concept behind it.
This leads to site lockouts when they are not necessary.
So, are passwords enough? Maybe. It really depends on multiple factors. Did you create a strong password? Does the website have security in place? The latter matters far more because even with a strong password, weak security can make it accessible.
The extra 30 seconds it may take to log in is well worth it for some extra security.
What Happens If I Lose My Phone?
One of the biggest fears when setting up 2FA in WordPress, or anywhere else, is that you may lose the device with your authenticator app.
There are safeguards in place that allow you to get access to the Authenticator app on a new device through Google. However, this could take several days and will require you to prove your identity.
This can leave you locked out of any account until the process is complete.
The good news is that if someone actually stole your phone, those codes are useless without the sign-in information.
One strategy that you should consider is to set up Google Authenticator on an old phone. Let’s face it, if you regularly get new phones, you might have a box full of them at this point.
Take one of them and set the phone up as a backup on Google Authenticator.
This would allow you to get immediate access to your account info and take the appropriate steps. It’s also a great use for old phones.
Improve WordPress Security with Two-Factor Authentication Today
Setting up two-factor authentication in WordPress is actually not a difficult task at all. You simply need to know the tool to use and how to use it.
The 2FAS Light plugin makes the task easy and fast, so if you are looking for an extra layer of security, then this is a great way to go.
I hope this tutorial was able to show you how easy it really is to add an extra layer of security to your site with 2FA. Simply use the plugin above, follow the steps, and you will be good to go.
What other tools have you used to get two-factor authentication working on your site? Have you found that using this is more of a hassle?