Implementing Two-factor Authentication on WordPress

We have discussed it before but it bears restating, website security is not a single thing, it’s a series of layers. Just as castles of old were built up as layers around the Keep, so should your website have layers built around your most precious possession, access to the admin section of your site.

In previous articles and podcasts, we’ve discussed the outer rings of your defense:

All of these are important layers, but there are additional, more in-depth steps you can take that will make it much more difficult for bad actors to access your site. Steps that I highly recommend, especially if you have been trusted with your user’s personal information.

One of these steps is “Two Factor Authentication”, or 2FA.

2FA is not a new security concept. For decades, financial institutions have relied on “Fobs” (small devices you can attach to your keyring that have a display and give an ever-changing number) as an additional factor in logging in.

The overarching security concept is “Something you know, something you have, something you are.” In 2FA, we pick two of these. When you log into a website without 2FA, you only use the “something you know” – the login and password. Regardless of how strong you think those are, there is a chance that they can be compromised. 2FA adds a layer on top of that, the “something you have”.

These days, instead of having to issue each admin user a fob, we have smartphones and software that can take the place of fobs. If you have a modern smartphone (one made in the last 5 years) it can run an app that functions as the “something you have”.

The most commonly used – although by no means the only – app for 2FA is “Google Authenticator”. It’s the most common because it is free. Before you go down the road of 2FA, make sure that Google Authenticator is available for your phone.

Now that you know that your phone can do its job, we need to look at WordPress. As with authentication apps, there are several WordPress plugins available that can do the job. If you already use a plugin like WordFence, you’ve got everything you need to set up 2FA. If not, you will need to select one of the plugins to use. While I am not in the habit of recommending plugins if you do not already have a plugin installed that offers 2FA, I’ve used WP 2FA in the past and it does the job.

Sign Up For
More Awesome Content!

Subscribe to receive our monthly newsletters with the latest helpful content and offers from SiteGround.

Thanks!

Please check your email to confirm your subscription.

Install and configure your plugin. At some point, you have to decide what user roles have to implement 2FA to log in. Be careful with this. 2FA adds friction to your site. Friction is a bad thing. For the most part, unless you have good reason to do otherwise, I recommend limiting 2FA to Administrators. If you have a lot of them, you may want to add Editors as well. I do not recommend you require your average customer to use it unless you are storing sensitive data about them.

2FA does not replace the normal login and password you have to enter into WordPress. That’s the “Something you know” and it is still important. It does however augment the login process by adding a third field.

After your user clicks the login button, they will be taken to a second login screen that will ask them for their “token”. If they have set up their app properly, they will open the app, find your website in it, and type in the number on the screen. This number changes every 30 seconds. The number is called a “Time-based One Time Password” (TOTP). Your phone and the plugin you use both know how to calculate it, but no one else does. When they type in the token and press the button, the plugin will calculate the appropriate TOTP and then verify that it matches what the user typed in. Based on that it will either allow or deny the login.

That’s it. It should take about 10 minutes to get the plugin set up and operational and get your administrator account hooked up. That’s all it takes to secure your account so strongly that unless someone steals your phone from you, they can’t log in, even if they have your login and password.

One final word, some 2FA systems are not based on apps but on text messages sent to your phone with the tokens. These are not secure. Avoid these systems and use ones that have an app.

Cal Evans

PHP Evangelist

One of the most admired people in the PHP community, who has dedicated more than 16 years to building the amazing PHP community and mentoring the next generation of developers. We are extremely honored that he is a very special friend of SiteGround too.

WordPress

Comments ( 4 )

Sherwin

Nov 07, 2020

Why only in wordpress is there any discussion about html or css codes? Its quite unfair for those people whi are not using wordpress but also your clients

Reply

Hristo Pandjarov Siteground Team

Nov 12, 2020

Cal is a well known WordPress and PHP expert thus the focus is on WordPress. If you have a custom login process on your pages it would be really difficult for anyone that's ot familiar with your code to give you suggestions regarding securing it further. However, the principles are the same, just the implementation differs greatly.

Reply

Charlie Sasser

Dec 27, 2020

2FA is great but the SG implementation does not "remember" devices, so every time I log into SiteGround I have to pull my phone out, log into my phone, and then log in to the app, get a passcode and then enter into SiteGround. I don't object to doing this on each new device but it is painful to go through the process every time I log in. Can this be fixed in your implementation? I really don't want to turn 2FA off, but since it doesn't remember devices I may have no choice.

Reply

Hristo Pandjarov Siteground Team

Jan 04, 2021

Actually, it does, please check how long your device stores cookies and / or if there isn't any privacy plugin that clears such cookies. This said, we keep you logged in for a period of time and if you don't log in regularly, you may need to re-authenticate.

Reply

Start discussion

Ready to get your website started?

Choose a hosting plan, start or migrate your site in a few clicks, and grow your online presence!

Get Started Chat with an expert