From my experience working at Fixmysite.com, most WordPress users put security on the back burner. And I can understand why. Website security is a tedious and often difficult topic to understand.
However, hoping that your website does not get hacked is probably not the best course of action.
Just as you lock your apartment door to keep unwelcome intruders out, you can implement a few pre-emptive security measures to harden your WordPress installation. One of those measures is to install a two-factor authentication plugin, also referred to as two-step verification and by the initials 2FA.
A two-factor authentication (2FA) plugin can strengthen your site’s security by requiring two methods (also known as factors) to verify your identity and log in to the admin dashboard. These factors can include something you know – like a username and password – and something you have – like a smartphone or a browser add-on used to approve authentication requests.
In simple terms, the concept is to protect your WordPress installation by adding an extra layer of security to block admin access in the event that your account details are compromised or stolen.
In this article, we compiled a list of 2FA plugins for WordPress. When writing the article, we installed and briefly tested each plugin, and we provide a short overview of each one.
Please note that two-factor authentication is not a catch-all WordPress security solution. 2FA is simply one of many security measures available to webmasters. Consider studying the official WordPress documentation for more details on hardening your installation.
The 7 Best Plugins for WordPress
The first plugin on our list is Duo. Duo is one of the easiest plugins to set up. The plugin requires no extra software or hardware to run. All you need to do is sign up for their service on their website.
To integrate Duo into your website you will need an integration key, a secret key, and an API hostname. Once you have verified your keys, you can select the roles you want to enable two-factor authentication for. You can select between administrators, editors, authors, contributors, and subscribers – by default 2FA is enabled for all user levels.
When Duo is enabled, you have several authentication methods to choose from including:
- One-tap authentication using Duo’s mobile app for Android and Apple phones.
- One-time passcodes generated by Duo’s mobile app – works even with no cell coverage.
- One-time passcodes delivered to any SMS-enabled phone – works even with no cell coverage.
- Phone call back to any phone – mobile or landline.
- One-time passcodes generated by OATH-compliant hardware tokens.
Authy is a super simple 2FA service offered by Twilio, a well-established communications company.
To use Authy on your WordPress website, you must register an account at authy.com and create an application to access the Authy API.
Once you’ve created your application, all you need to do is enter your API key on the plugin’s settings page. Just like Duo, you can select the roles you want to enable two-step verification for. You can choose between administrators, editors, authors, contributors, and subscribers – depending on your user policy.
Once Authy is activated, authentication requests can be made by:
- Receiving a security token via SMS or a phone call.
- Generating a token using the Authy Android/iPhone app.
- Getting a push notification via Authy’s desktop app or browser add-on.
Rublon is another one of our recommended two-factor authentication plugins. The company focuses on two extensions: a WordPress plugin and an Atlassian plugin. Their WordPress plugin works out of the box, with no need for complicated configuration settings.
By installing the Rublon plugin, you will be offered one free authentication account – additional users/accounts are charged at $29 per year.
Traditional two-factor authentication solutions demand that users enter a one-time password each time they want to log in to the WordPress dashboard. With Rublon it’s a little different: all you need to do is confirm your identity by clicking a link sent to a verified email address or by scanning a Rublon code.
For further security, you can install the Rublon mobile app for Android and iOS. Once the app is activated, authentication requests can be verified by scanning a QR code on a verified phone.
Another approach to implementing two-factor authentication on your WordPress website is to install a plugin like Keyy. The Keyy 2FA plugin does away with:
- One-time-passwords or other 2FA tokens
It replaces passwords with RSA public-key cryptography (the same tried-and-tested technology underlying secure websites – SSL). It uses a 2048-bit RSA key pair, which is created and stored on the user’s mobile phone. Keyy doesn’t maintain a central database of user profiles and login details. The private key is secured in the Android Keystore or Apple Keychain and is only accessible via each user’s mobile phone, protected by a fingerprint scan or a 6-digit PIN, so the key remains safe even if the phone is lost or stolen.
All that a user needs to log in to the site is a mobile phone! To configure Keyy, install the WordPress plugin and install the Android or iOS app on your mobile phone.
To log in to your WordPress site, simply open the app and point it at the code displayed on your site’s sign-in page. Once Keyy verifies the login code, you will be logged into the dashboard!
One of the most popular two-factor authentication plugins, by downloads, is Google Authenticator by Henrik Schack.
The plugin adds 2FA to your installation by integrating the Google Authenticator app for Android, iOS, and Blackberry into your WordPress site.
The Google Authenticator app is already a popular service with 10 – 50 million active installations on the Google Play store as of early 2018. So there is a good chance that you are already using it for one of your online accounts.
Navigate to your user profile to adjust the plugin settings. 2FA can be enabled on a per-user basis. One option would be to enable the plugin for administrator accounts only and log in as usual with less privileged accounts. You can also set a login password for cases where a third-party service manages your website.
In an effort to make two-factor authentication a little less daunting, UnloqSystems developed UNLOQ, a 2FA plugin for WordPress designed with ease of use in mind. The plugin supports the following features:
- 60 seconds setup
- Multiple login options
- Fully customisable
- Replaces the WP login and registration
- Custom login URL
- Shortcodes feature
When configuring the plugin, you can choose your preferred authentication method, between:
- Password only authentication
- UNLOQ only
- Password and Unloq as a second factor
Requests can be verified by:
- Push notification
- Time-based one-time password (TOTP)
For the first 100 users, UNLOQ is free for unlimited authentication and authorization requests. You can download the UNLOQ app from the Google Play store and the App Store. To link your site, simply scan the QR code with your phone. In the event that your phone gets stolen, you can deactivate your device at any moment to protect your data.
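Several of the plugins above rely on the same underlying mechanism: the OATH one-time passcodes generated by Duo’s hardware tokens, the codes produced by the Google Authenticator app, and UNLOQ’s time-based one-time password (TOTP) option are all defined by RFC 4226 (HOTP) and RFC 6238 (TOTP). The following is an added example, not code from any of the plugins or services described in this article, showing how a server verifies such a code. It is written in Python for illustration (a WordPress plugin would implement the same steps in PHP) and uses the published RFC test secret `12345678901234567890`, so the results can be checked against the RFC test vectors. The `window` and `last_counter` parameters are assumptions of this example: they show the two checks a verifier needs, tolerating small clock drift and refusing to accept the same code twice.

```python
import base64
import hashlib
import hmac
import struct
import time

# The 20-byte test secret published in RFC 4226 / RFC 6238 (constructed test value, not a real key).
SECRET = b"12345678901234567890"


def decode_base32_secret(text: str) -> bytes:
    """Turn the base32 secret shown at enrollment (QR code / otpauth URI) into raw key bytes.
    Whitespace and lower case are tolerated, and the '=' padding that apps usually omit is restored."""
    cleaned = "".join(text.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded. Hardware OATH tokens use a step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, timestamp // step, digits)


def current_totp(secret: bytes) -> str:
    """The code an authenticator app would display right now."""
    return totp(secret, int(time.time()))


def verify_totp(secret: bytes, code: str, timestamp: int, step: int = 30,
                digits: int = 6, window: int = 1, last_counter=None):
    """Return the time-step counter that produced `code`, or None if it is not valid.

    window: how many steps of clock drift to tolerate on each side (1 = about +/-30 s).
    last_counter: the counter of the last code this user successfully used; any counter at or
    below it is refused so a captured code cannot be replayed within the drift window.
    """
    code = code.strip()
    current = timestamp // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if last_counter is not None and counter <= last_counter:
            continue  # already consumed: reject replay
        # Constant-time comparison so the check does not leak which digits matched.
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # Enrollment string as an app would present it, decoded back to the raw key.
    key = decode_base32_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    assert key == SECRET
    # RFC 6238 test vector: at T=59 the 8-digit code is 94287082, so the 6-digit code is 287082.
    print("code at T=59:", totp(key, 59))
    print("valid at T=59:", verify_totp(key, "287082", 59))
    print("replayed at T=60 after use:", verify_totp(key, "287082", 60, last_counter=1))
    print("code right now:", current_totp(key))
```

In a real login flow the server stores the user’s secret encrypted at rest, records the counter returned by `verify_totp` as the new `last_counter`, and rate-limits failed attempts, since a six-digit code has only one million possibilities.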
Finally, the last plugin on our list is Clockwork SMS. Clockwork SMS is one of the easier plugins to set up. Just like most two-factor authentication services, the extension requires an API key and a phone number.
Once the plugin is enabled, you have the option to require administrators, editors, authors, contributors, and subscribers to authenticate their login requests. Each time a user logs in, Clockwork will send a code via SMS to validate the request.
One point worth mentioning is that the service is not free. While writing the article, the cost per SMS was advertised at 5¢.
Listed above are 7 wonderful two-factor authentication plugins that can help you protect your WordPress installation in case your password details get compromised.
It’s true, adding a verification layer can be a little tedious. One thing you will want to consider before installing a 2FA plugin is how reliable your second verification method is. For instance, how likely are you to lose your phone, and how easy is it to disable 2FA if you do?
Setting up 2FA is a great pre-emptive measure that webmasters can take to enhance the security of their websites. If your passwords fall into the wrong hands and your site is compromised, you will be left picking up the pieces or hiring a malware removal service. Best keep your website safe, and two-factor authentication enabled!