From my experience working at Fixmysite.com, most WordPress users put security on the back burner. And I can understand why. Website security is a tedious and often difficult topic to understand.
However, hoping that your website does not get hacked is probably not the best course of action.
Just like you wouldn’t leave your apartment door unlocked to prevent unwelcome intruders from breaking in, you can implement a few pre-emptive security measures to harden your WordPress installation. One of those measures is to install a two-factor authentication plugin, also referred to as two-step verification and by the initials 2FA.
A two-factor authentication (2FA) plugin can strengthen your site’s security by requiring two methods (also known as factors) to verify your identity and log in to the admin dashboard. These factors can include something you know – like a username and password – and something you have – like a smartphone or a browser add-on to approve authentication requests.
In simple terms, the concept is to protect your WordPress installation by adding an extra layer of security to block admin access in the event that your account details are compromised or stolen.
In this article, we compiled a list of 2FA plugins for WordPress. When writing the article, we installed, briefly tested each plugin, and provided a short overview of the application.
Please note that two-factor authentication is not a catch-all WordPress security solution. 2FA is simply one of many security measures available to webmasters. Consider studying the official WordPress documentation for more specs on hardening your installation.
Here are the contenders:
The 8 Best 2FA Plugins for WordPress
1. Wordfence
We all have heard of Wordfence. It’s one of the most popular plugins in the WordPress repository, and it’s also ranked as the best malware removal plugin by us since 2017.
One of the many features of the plugin is that it supports 2FA. Wordfence 2FA works with several TOTP-based apps like Google Authenticator, FreeOTP, and Authy.
All you need to do is scan the QR code with your authenticator app, and then enter the code from the authenticator app in Wordfence to activate 2FA.
If you already have Wordfence installed, it’s a great way to get started without having to install another plugin.
2. Duo
Next on our list is Duo. Duo is one of the easiest plugins to set up. The plugin requires no extra software or hardware to run. All you need to do is sign up for their service on their website.
To integrate Duo into your website you will need an integration key, a secret key, and an API hostname. Once you have verified your keys, you can select the roles you want to enable two-factor authentication for. You can select between administrators, editors, authors, contributors, and subscribers – by default 2FA is enabled for all user levels.
When Duo is enabled, you have several authentication methods to choose from including:
- One-tap authentication using Duo’s mobile app for Android and Apple phones.
- One-time passcodes generated by Duo’s mobile app – works even with no cell coverage.
- One-time passcodes delivered to any SMS-enabled phone – works even with no cell coverage.
- Phone call back to any phone – mobile or landline.
- One-time passcodes generated by an OATH-compliant hardware token.
3. Authy
Authy is a super simple 2FA service offered by Twilio, a well-established communications company.
To use Authy on your WordPress website, you must register an account at authy.com and create an application to access the Authy API.
Once you’ve created your application, all you need to do is enter your API key on the plugin’s settings page. Just like Duo, you can select the roles you want to enable two-step verification for. You can choose between administrators, editors, authors, contributors, and subscribers – depending on your user policy.
Once Authy is activated, authentication requests can be made by:
- Receiving a security token via SMS or a phone call.
- Generating a token using the Authy Android/iPhone app.
- Getting a push notification via Authy’s desktop app or browser add-on.
4. Rublon
Rublon is another one of our recommended two-factor authentication plugins. The company focuses on two extensions: a WordPress plugin and an Atlassian plugin. Their WordPress plugin works out of the box, with no need for complicated configuration settings.
By installing the Rublon plugin, you will be offered one free authentication account – additional users/accounts are charged at $29 per year.
Traditional two-factor authentication solutions demand that users enter a one-time password each time they want to log in to the WordPress dashboard. With Rublon it’s a little different: all you need to do is confirm your identity by clicking a link sent to a verified email address or by scanning a Rublon code.
For further security, you can install the Rublon mobile app for Android and iOS. Once the app is activated, authentication requests can be verified by scanning a QR code on a verified phone.
5. Keyy
Another approach to implementing two-factor authentication on your WordPress website is to install a plugin like Keyy. The Keyy 2FA plugin does away with one-time passwords and other 2FA tokens.
It replaces passwords with RSA public-key cryptography (the same tried-and-tested technology underlying secure websites – SSL). It uses a 2048-bit RSA key, which is created and stored on the user’s mobile phone. Keyy doesn’t maintain a central database of user profiles and login details. The key is secured in the Android Keystore or Apple Keychain and is only accessible via each user’s mobile phone, protected by a fingerprint scan or a 6-digit PIN, so data remains safe even if the phone becomes lost or stolen.
All that a user needs to log in to the site is a mobile phone! To configure Keyy, install the WordPress plugin and install the Android or iOS app on your mobile phone.
To log in to your WordPress site, simply open the app and point it at the code displayed on your site’s sign-in page. Once Keyy verifies the login code, you will be logged into the dashboard!
6. Google Authenticator
One of the most popular two-factor authentication plugins, by downloads, is Google Authenticator by Henrik Schack.
The plugin adds 2FA to your installation by integrating the Google Authenticator app for Android, iOS, and Blackberry into your WordPress site.
The Google Authenticator app is already a popular service with 10 – 50 million active installations on the Google Play store as of early 2018. So there is a good chance that you are already using it for one of your online accounts.
Navigate to your user profile to adjust the plugin settings. 2FA can be enabled on a per-user basis. One option would be to enable the plugin for administrator accounts but log in as usual with less privileged accounts. You can also set an app password, in case you are using a third-party service to manage your website.
7. 2FAS
2FAS, as the name suggests, is a two-factor authentication service offering an easy-to-use WordPress plugin.
The UI is very intuitive, and getting it to work takes a few short minutes. After activating the plugin, you have two options. The first is to authenticate each login request with a TOTP code. Alternatively, if you install the app on your phone, you can confirm each login with a button click (push notification) without entering the security token in the browser.
Installing 2FAS will offer you instant protection against:
- Brute-force attacks
- WordPress takeovers
- Phishing and keylogger attacks
8. miniOrange
When it comes to integration with WordPress, this plugin is simply the best! miniOrange implements 2FA, ensuring no unauthorized access to your website.
There are several ways to validate login requests. You can configure it to send you an email, an SMS, or to use a TOTP code. The plugin works with popular providers like Google Authenticator, Microsoft Authenticator, Duo, Authy, and FreeOTP.
But what makes this plugin stand out from the rest is its support for WordPress applications. Listed below are all the applications you can integrate miniOrange 2FA with:
- Paid Memberships Pro
- Memberpress Pro
It also integrates with popular login page and user registration plugins like Restrict Content Pro and Theme My Login Form.
Hats off to the serious work that went into integration!
Listed above are 8 great two-factor authentication plugins that can help you protect your WordPress installation in case your password details get compromised.
It’s true, adding a verification layer can be a little tedious. One thing you will want to consider before installing a 2FA plugin is how reliable your second verification method is. For instance, how likely are you to lose your phone, and how easy is it to disable 2FA if you do?
Setting up 2FA is a great pre-emptive measure that webmasters can take to enhance the security of their websites. If your passwords fall into the wrong hands and your site is compromised, you will be left scrambling to hire a malware removal service. Best to keep your website safe, and two-factor authentication enabled!
Let us know in the comment section below which plugin you use to secure your website!