Two-Factor and Multi-Factor Authentication for WordPress: The Basics
We’re sending you a verification code – please enter it to continue.
Is there a more common phrase used on the Internet today? I’m not sure.
Every online service or app seems to require you to enter a verification code sent to your email or phone in order to verify you are who you say you are to gain access.
This feature – called Two-Factor Authentication (2FA), or more generally Multi-Factor Authentication (MFA) – is standard pretty much everywhere online. It verifies that the person who entered a correct username and password is actually the person who should be accessing the account, by asking for a second proof (something you have, such as your phone) on top of the password (something you know).
Given how common it is for people to use insecure passwords, and how often password leaks tend to happen online, “double-checking” that the right person is logging in to a secure account is just good practice.
2FA / MFA can and should be added to your organization’s WordPress site to ensure only the right people are logging in and making changes. Here’s how to do it.
Add a Security Plugin That Provides 2FA
WordPress, despite its popularity, comes with very few security features out of the box. Obviously, users can create accounts with passwords, reset those passwords, and have different levels of access tied to their role on the site.
But when it comes to hardening access to the backend of the site, WordPress doesn’t do much more.
There are plenty of security plugins available for WordPress, ranging from free plugins that do one thing well to expensive paid plugins that turn your site into a virtual Fort Knox. We recommend Solid Security Pro (formerly iThemes Security Pro) for its range of features and reasonable price point.
Solid Security checks off all of our website security best practices, helping to minimize the likelihood that someone can easily cause havoc on your WordPress-powered site.
One of those features is Two-Factor Authentication, which closes off one of the most common ways attackers get into a site: through its users’ accounts.
Two-Factor Authentication Enhances User Security
While it’s obviously crucial to ensure that your WordPress site is running the latest version of the core software and plugins, and that known vulnerabilities are patched, most experts will point to the weakest link in your security chain: your users.
The people who have logins to the backend of your site are rarely malicious, but if they have access to everything, then a bad guy who gets ahold of their account can cause a lot of trouble.
Out of the box, WordPress allows you to limit access to certain users based upon their role – a feature you should certainly use – but many organizations make everyone an “Administrator”, meaning they can do pretty much everything in the backend.
So, if a bad guy is able to guess, phish, or reuse a leaked password for a user, they’ll be able to log in and do everything from deleting content and users to adding spam links, renaming the site, and changing its URL.
This is not something you want to happen. Making it more difficult for the wrong people to log in to your website is the best way to keep your users’ accounts secure – and that’s where Two-Factor Authentication comes in.
Authenticator Apps, Emails, and Backup Codes: The Options
In Solid Security Pro, there are three options for authentication:
- Use an Authenticator App to get real-time codes for access
- Send an email to the user with a login code
- Input one of 10 “backup” codes to verify your identity
Each one of these options has its pros and cons, but here’s how we rank each option.
Option #1: Authenticator Apps
An Authenticator App is an app on your phone that generates a login code for your website or service on the device itself, usually valid for 30 seconds before a new one replaces it.
These totally free apps are made by Google, Microsoft, and a host of other companies. When you first set up Two-Factor Authentication, you’re given a QR code to scan. That QR code contains a random shared secret plus a label (your account name and the site name) – not your password. Your phone stores the secret, and the site keeps a copy of the same secret, so both sides can compute the same code from the current time.
When it’s time to access your website, open the Authenticator App on your phone, grab the code before it expires, and submit it to log in.
We rank this as the best option because it’s the least likely to fall into the wrong hands: the code is computed on your phone from a secret that never leaves it, so there is nothing in transit to intercept. One caveat: a user can still be tricked into typing a valid code into a fake login page, so the usual phishing awareness still applies.
Option #2: Codes by Email
Solid Security allows you to receive login codes via email, which can be incredibly convenient (especially if your phone isn’t nearby).
You don’t have to worry about the code expiring within 30 seconds, though the emailed code does eventually time out.
The biggest reason we rank this second is the possibility that your site stops sending emails; if something is wrong and the codes aren’t being sent, then you have no way to get into the backend of your site. An emailed code is also only as safe as the mailbox it lands in.
This happens more than you might think, so before relying on email codes, confirm that the site actually delivers mail (a password-reset email is a quick check). Emails are slightly less reliable than an Authenticator App for that reason.
Option #3: Backup Codes
When you first enable Two-Factor Authentication, you’re prompted to download 10 backup codes. These are meant to be used if you can’t access your email or your Authenticator app.
It’s a good last resort – if you are organized enough to keep the codes somewhere safe and remember where you stored them.
Each backup code works exactly once; after you’ve used all 10, none of them will work again. You can generate a new set if you need to, but it’s not an ideal situation.
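For readers curious about what makes a backup code “single use” on the server side, here is an added example (written for this article, not Solid Security’s code) of how a site can issue a set of recovery codes, keep only hashes of them, and retire each one the moment it is redeemed. The pepper value and code format are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10   # matches the "10 backup codes" convention
CODE_BYTES = 5    # 40 random bits -> 10 hex characters per code


class BackupCodes:
    """Single-use recovery codes: plaintext is shown once, only hashes are kept."""

    def __init__(self, pepper: bytes) -> None:
        # The pepper is a server-side secret kept outside the database, so a
        # leaked table of hashes cannot be brute-forced offline on its own.
        self.pepper = pepper
        self.hashes: set[str] = set()

    def _hash(self, code: str) -> str:
        return hmac.new(self.pepper, code.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _normalize(code: str) -> str:
        # Be forgiving about case and the dash a user may have copied.
        return code.strip().lower().replace("-", "")

    def issue(self, count: int = CODE_COUNT) -> list[str]:
        """Create a fresh set; returns the plaintext codes to show the user ONCE."""
        raw = [secrets.token_hex(CODE_BYTES) for _ in range(count)]
        self.hashes = {self._hash(c) for c in raw}
        # Display form "xxxxx-xxxxx"; the stored hash is over the undashed form.
        return [f"{c[:5]}-{c[5:]}" for c in raw]

    def redeem(self, code: str) -> bool:
        """Accept a code at most once; unknown or already-used codes fail."""
        candidate = self._hash(self._normalize(code))
        for stored in self.hashes:
            if hmac.compare_digest(stored, candidate):
                self.hashes.discard(stored)   # burn it: never valid again
                return True
        return False

    def remaining(self) -> int:
        return len(self.hashes)


if __name__ == "__main__":
    store = BackupCodes(pepper=b"demo-pepper-not-for-production")
    for c in store.issue():
        print(c)
```

Note that `issue()` replaces the whole set, which is what “generate more backup codes” does: the old codes stop working the moment a new set is created.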
Enable Two-Factor Authentication Today
As we’ve discussed, security is an arms race – the bad guys keep working to find exploits and ways to hack into sites, and it’s your job to make sure that you’re raising the bar to prevent them from getting in.
Two-Factor Authentication is a security best practice that every organization’s WordPress site should use. If you haven’t enabled it for your organization’s site yet, do it today.
If you need any help with website security or any other initiative, reach out and let’s talk.