WordPress is a pretty useful platform for blogging and content management. This flexibility has resulted in WordPress sites becoming pretty enticing targets for hackers, and digital ne’er-do-wells. In the past, we’ve talked about how to protect WordPress from intrusion, as well as how to keep a watchful eye on it with IDS plugins.
But that can all be for naught if someone knows your login credentials. Thankfully, you can bring the added security of two-factor authentication to WordPress. Here’s how.
What Is Two-Factor Authentication?
Great question. In a nutshell, two-factor authentication requires that the user verifies with the service two times before allowing the user to log in. Whilst it can differ in implementation, it generally works like this:
- Bob logs into his WordPress blog using his username and password.
- His WordPress site then sends a text message to his cell phone containing a unique, one-time key.
- WordPress prompts Bob for this key.
- If the key matches the one sent to Bob’s cell phone, it allows Bob to log in to the site.
- If it doesn’t match, it could mean that someone has obtained Bob’s credentials. The site refuses to allow the login to take place.
But how can we integrate two-factor authentication with our WordPress sites? Easy.
Roll Your Own Two-Factor Authentication
There are many ways to skin a cat. This is doubly true when it comes to it comes to two-factor authentication. You might want to authenticate with your cell-phone. You might want an e-mail sent, containing a unique link or code. Or, you might just have your own unique system that you concocted yourself using an Arduino and an Ethernet shield.
Whilst rolling your own two-factor authentication isn’t easy, it’s certainly doable. WordPress allows you to override pretty much everything, including the log-in function. All you need is a rudimentary understanding of how PHP works, in addition to a bit of WordPress development know-how.
Duo Two-Factor authentication
Duo Security’s plugin for WordPress two-factor authentication has been downloaded 15,000 times since it was initially released, and has over four stars on WordPress.org. But what makes it so good?
Well, simply put, it’s amazingly versatile. You can authenticate with a simple press of a button on their family of mobile applications. If you’re out of cell coverage and you need to authenticate, you can even generate a one-time passcode.
They can even phone your landline or mobile phone, and authenticate you that way. Sounds expensive, right? Wrong. Duo is free for up to 10 users, and if you need more than that, you will only need to pay a monthly fee of $3 per user.
Authy Two Factor Authentication
Does Duo sound a bit complicated? Want something a bit simpler? You might be interested in checking out Authy Two Factor Authentication.
Installing Authy into your website is a matter of grabbing an API key, installing the plugin and registering with your cell phone number. Whenever you try to log in to your WordPress installation, it will send a one-time token via SMS.
Whilst lacking the bells-and-whistles of Duo, it’s a vastly simpler product and has been used by a number of well-known technology companies, including Bitcoin trading site Coinbase, and CloudFlare.
YubiKey Two Factor Authentication
Need a hardware solution? YubiKey has you covered.
These robust little key-fobs cost around $30, including shipping. As hardware based two-factor authentication goes, it’s pretty hard to beat. It consists of a single button and when plugged into your computer, the device is registered as a USB keyboard.
When you press the button, it then generates a one-time key, with the key being generated on the device rather than on the server, making the key significantly harder to be intercepted mid-transit.
A number of premium web hosts already bundle YubiKeys with hosting packages. Although, you don’t need to sign up to an expensive contract to get your hands on one of these devices and integrate it with your WordPress installation. All you need to do is to grab a YubiKey and install the YubiKey plugin.
What Did I Miss?
There are many, many ways to add two-factor authentication to your WordPress installation beyond these four. What do you use?
I’d love to hear all about it. Drop me a comment below, will you?
Photo Credit: YubiKey (Jonathan Molina)