According to the most recent data, WordPress now powers 27.1% of websites. This success is great for the development of WordPress. But unfortunately, WordPress’s success also makes it an attractive target for hackers looking to steal data and inject spammy links.
In Sucuri’s most recent analysis of over 9,000 hacked websites, they found that 74% of the hacked sites were using WordPress. I’ve talked before about how to scan your WordPress site for malware, but now I want to talk about one way to prevent malicious actors from even getting onto your site:
- Two-factor authentication.
Two-factor authentication makes it so that in order to log onto your site, a user needs to both enter their password AND an authentication code. Because it’s almost impossible for hackers to get both pieces of information, this makes it very difficult for them to steal your login credentials.
In this post, I’ll show you how to set up two-factor authentication.
Note: It won’t solve all of your potential security risks (most hacked sites were running out-of-date software/plugins), but it will make your login process a lot more secure.
Two-Factor Authentication For WordPress
There are a few different kinds of two-factor authentication options for WordPress.
But in the simplest sense, it works like this:
You go to your sign-in page like normal. After you enter your username and password, you then need to enter one more “authentication code” to access your account. You can receive this code in multiple ways.
For WordPress, the most common methods are:
- Smartphone app
- SMS message
- Saved one-time use code
The plugin I’ll show you can use any of these methods, plus some additional backup methods like security questions and email.
How To Add Two-Factor Authentication To WordPress With miniOrange
To add two-factor authentication to WordPress, you need the miniOrange Two Factor Authentication plugin (also known as Google Authenticator). This plugin is free for one user account. If you’d like to use two-factor authentication for multiple accounts, you’ll need to upgrade to the premium version.
Install the plugin like you would any other plugin from the wordpress.org repository.
Once you activate the plugin, the first thing you need to do is register with miniOrange:
The plugin will send you an email with something called an OTP code. OTP stands for “one-time password”.
You’ll need to enter this code in the plugin’s dashboard to continue configuring the plugin:
After you enter the code, the plugin will show you a pricing page.
If you just need two-factor authentication for one account, you can click the “OK, Got It” button to continue with the free plan:
Then, you’ll see a list of all the authentication methods and the devices supported for each method. I’ll show you how to set up the Google Authenticator app, but you can choose any of these options.
With this integration method, the plugin will use the official Google Authenticator app to provide the authentication code.
To get started, click on the Google Authenticator link:
First, select your phone type.
You will need a smartphone for this method. If you don’t have a smartphone, you should use the email or security questions options.
Next, you need to download the Google Authenticator app onto your smartphone.
Once you’ve downloaded it and logged into your Google account, choose the “Scan barcode” option in the app:
Then scan the barcode on your screen:
The app should show you a 6-digit code. This code will expire after ~20 seconds, so you need to make sure you’re entering the most recent code:
Type this code into the box in your WordPress dashboard.
Once you submit the code, you should see a confirmation message from the plugin:
Make sure to test it by following the link. You just need to go back to the Authenticator app to get the latest 6-digit code. This 6-digit code will constantly change, so you always need to get it directly from the app.
If the test works, you’re finished!
But, it’s important that you do one more thing…
You also need to configure the security questions. If you only configure Google Authenticator without a backup method, you could potentially get locked out of your account if you ever lose your smartphone.
That’s not good! So, go back to the “Setup Two-Factor” tab and click to configure the security questions:
All you need to do is select questions and enter answers. Then, click “Save”.
Logging In To WordPress With Two-Factor Authentication
Now, whenever you log in to your WordPress account, you’ll see this screen after you enter your username and password:
Remember, you can also configure any of the other methods. I just think Google Authenticator is the easiest to use. And because it comes from Google, you can trust its security. It’s the exact same app Google uses as a method to provide two-factor authentication for Google accounts.
Just remember – it’s essential that you always configure one of the backup methods so that if you lose your smartphone, you don’t get locked out of your WordPress account.
Do you use two-factor authentication for your WordPress accounts? I’d like to hear about your experience in the comments.