WordPress Security: How to Enable Two-Factor Authentication For WordPress

With all the current news about hackers gaining access to websites and computers, it’s a good time to re-evaluate the security of your website. There are a couple of ways that your website can be vulnerable to hackers.

Aside from hacker executing malicious from a PHP or Apache exploit (which in most cases can be prevented by using a CDN), a hacker can use a brute-force attack to gain login access to your website by a valid username and password.

One of the commonest ways that most modern companies use to protect their websites these days is the use of Two-Factor Authentication. High-traffic websites like Facebook and Google have added this option and it has protected their users from several attacks. By using Two-Factor Authentication (2FA) even if someone stole your password, they will need to enter a security code from your phone to gain access so it will render the hack useless.

What is Two Factor Authentication, also known as 2FA,

Two Factor Authentication, which is also referred to as 2FA or two-step verification or TFA (as an acronym) or multi-factor authentication, is an added layer of security that requires a physical token or code that only the user has access to in addition to the username or password. By using the username and password together with this piece of information that only the user knows, it becomes substantially more difficult for potential intruders to gain access and steal that person’s personal data or identity.

For most current users, the physical token used in Two Factor Authentication is either a phone call where the user gets a code, a text message or an app that returns a one-time valid code.

How to enable 2FA in WordPress,

There are two plugins that allow you to enable Two-Factor Authentication in WordPress:

You need to download and install these 2 WordPress Plugins, once you have successfully installed the plugins, visit the plugins WordPress plugin dashboard and activate them.

Due to the fact that the plugins require a user to be sent a text message, you need to enable the SMS API platform called Twilio to allow you to use them. Once you activate the plugin, you will need to provide your Twilio account information.

Twilio is an API platform that offers phone, voice messaging, and SMS services to use with your own applications. They also have a limited free plan which would be sufficient for our purpose of setting up 2FA. At this point, if you don’t have a Twilio account visit the Twilio website and create your free account.

Once you visit Twilio, create a free account and enable the Programmatic SMS option. This will allow your WordPress instance send API calls to the SMS API and allow you to send verification codes to your phone.

Once you have finished the setup at Twilio, you can then copy your account number, API keys and SID codes to WordPress. When all this is accomplished, you can now log out from your WordPress site to see the plugin in action. If you log out before setting up Twilio you might not be able to log back in.

On the login screen, first, you will provide your WordPress username and password. After that, you will receive an SMS notification on your phone, and you will be asked to enter the code you received like in the diagram below:

After you enter the SMS code, you will be able to access your WordPress dashboard. Whilst this method good, there are many cases that it might not work out as well. Especially when you are unable to receive text messages for some reason. We will be going into alternatives to text message based 2-factor authentication.

We hope this article will help you when thinking about securing your website. Also, feel free to reach out to one of our experts to talk about the best ways we can help you secure your website. If you enjoyed reading this article or it was a helpful resource, then please share it or leave a comment below and let us know what you think. You can also find us on Twitter and Facebook.