WordPress is a pretty useful platform for blogging and content management. This flexibility has resulted in WordPress sites becoming pretty enticing targets for hackers and digital ne’er-do-wells. In the past, we’ve talked about how to protect WordPress from intrusion, as well as how to keep a watchful eye on it with IDS plugins.

But that can all be for naught if someone knows your login credentials. Thankfully, you can bring the added security of two-factor authentication to WordPress. Here’s how.

What Is Two-Factor Authentication?

Great question. In a nutshell, two-factor authentication requires that the user verifies with the service two times before allowing the user to log in. Whilst it can differ in implementation, it generally works like this:

  • Bob logs into his WordPress blog using his username and password.
  • His WordPress site then sends a text message to his cell phone containing a unique, one-time key.
  • WordPress prompts Bob for this key.
  • If the key matches the one sent to Bob’s cell phone, it allows Bob to log in to the site.
  • If it doesn’t match, it could mean that someone has obtained Bob’s credentials. The site refuses to allow the login to take place.
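
The flow above as an added sketch (not part of the original article and not code from any of the plugins discussed below), written in Python rather than WordPress PHP so that it runs on its own. The class name, the five-minute lifetime and the five-attempt limit are assumptions; the key is stored only as a hash, expires, and is burned after one successful use.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a key stays valid (assumed value)
MAX_ATTEMPTS = 5    # wrong guesses allowed per key (assumed value)


class OneTimeKeyStore:
    """In-memory stand-in for the site's table of pending one-time keys."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> [key_digest, expires_at, attempts_left]

    @staticmethod
    def _digest(key):
        # Keep only a hash so a leaked table does not reveal live keys.
        return hashlib.sha256(key.encode()).digest()

    def issue(self, username):
        """Step 2: call only after the password check has succeeded."""
        key = f"{secrets.randbelow(10**6):06d}"  # CSPRNG-backed 6-digit key
        self._pending[username] = [self._digest(key),
                                   self._clock() + CODE_TTL, MAX_ATTEMPTS]
        return key  # hand to the SMS/e-mail sender; never log it

    def verify(self, username, submitted):
        """Steps 3-5: True lets the login proceed, False refuses it."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[username]   # expired or guessed too often
            return False
        entry[2] = attempts_left - 1
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(digest, self._digest(submitted)):
            del self._pending[username]   # single use: burn on success
            return True
        return False


if __name__ == "__main__":
    store = OneTimeKeyStore()
    sent = store.issue("bob")             # constructed sample user
    print(store.verify("bob", sent), store.verify("bob", sent))
```
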

But how can we integrate two-factor authentication with our WordPress sites? Easy.

Roll Your Own Two-Factor Authentication

There are many ways to skin a cat. This is doubly true when it comes to two-factor authentication. You might want to authenticate with your cell phone. You might want an e-mail sent, containing a unique link or code. Or, you might just have your own unique system that you concocted yourself using an Arduino and an Ethernet shield.

Whilst rolling your own two-factor authentication isn’t easy, it’s certainly doable. WordPress allows you to override pretty much everything, including the log-in function. All you need is a rudimentary understanding of how PHP works, in addition to a bit of WordPress development know-how.

If this is something you find appealing, you might want to check out this blog post by Ben Lobaugh, who discusses in depth how you can replace WordPress’s built-in user authentication.

Duo Two-Factor authentication

Duo Security’s plugin for WordPress two-factor authentication has been downloaded 15,000 times since it was initially released, and has over four stars on WordPress.org. But what makes it so good?

Well, simply put, it’s amazingly versatile. You can authenticate with a simple press of a button on their family of mobile applications. If you’re out of cell coverage and you need to authenticate, you can even generate a one-time passcode.

They can even phone your landline or mobile phone, and authenticate you that way. Sounds expensive, right? Wrong. Duo is free for up to 10 users, and if you need more than that, you will only need to pay a monthly fee of $3 per user.

Authy Two Factor Authentication

Does Duo sound a bit complicated? Want something a bit simpler? You might be interested in checking out Authy Two Factor Authentication.

Installing Authy into your website is a matter of grabbing an API key, installing the plugin and registering with your cell phone number. Whenever you try to log in to your WordPress installation, it will send a one-time token via SMS.

Whilst lacking the bells-and-whistles of Duo, it’s a vastly simpler product and has been used by a number of well-known technology companies, including Bitcoin trading site Coinbase, and CloudFlare.

YubiKey Two Factor Authentication

Need a hardware solution? YubiKey has you covered.

These robust little key-fobs cost around $30, including shipping. As hardware-based two-factor authentication goes, it’s pretty hard to beat. It consists of a single button, and when plugged into your computer, the device is registered as a USB keyboard.

When you press the button, it generates a one-time key. Because the key is generated on the device rather than on the server, it is significantly harder to intercept in transit.

A number of premium web hosts already bundle YubiKeys with hosting packages. However, you don’t need to sign up to an expensive contract to get your hands on one of these devices and integrate it with your WordPress installation. All you need to do is grab a YubiKey and install the YubiKey plugin.

What Did I Miss?

There are many, many ways to add two-factor authentication to your WordPress installation beyond these four. What do you use?

I’d love to hear all about it. Drop me a comment below, will you?

Photo Credit: YubiKey (Jonathan Molina)

  1. Michal Wendrowski
    July 17, 2014 at 2:11 pm

    Hey Matthew

    This is a nice selection of 2FA solutions for WordPress. Please also check out Rublon (5-star rating): https://wordpress.org/plugins/rublon/

    • Matthew H
      July 29, 2014 at 2:20 pm

      Never heard of Rublon. Thanks though! Will check it out.

  2. Mike Schwartz
    July 8, 2014 at 6:10 am

    Duo Security provides two-factor authentication as a service to protect against account takeover and data theft. Using the Duo plugin you can easily add Duo two-factor authentication to your WordPress website in just a few minutes. Mike regards

    • Matthew H
      July 29, 2014 at 2:19 pm

      Yep. Duo is very cool. :)

  3. Hyder Khalil
    July 2, 2014 at 11:15 pm

    Nice article and a few solutions I hadn't heard of.

    I've been using Google Authenticator and it works pretty well too.

    • Matthew H
      July 29, 2014 at 2:19 pm

      Thanks man. Much appreciated!
