
A Beginners' Guide to WordPress Two-Factor Authentication

updated on Jul 29, 2016
Brute force attacks are common nowadays because obtaining a username and password is always the easiest way to break into a site. Fortunately, there are several things you can do to secure the WordPress login and keep attackers out of the admin area, such as using a custom login URL, strengthening passwords, and removing the detailed login error message.

Among the security methods that have already been proven to work, two-factor authentication is gaining popularity. As many large websites like Google use it, you may also want to apply it to your WordPress site to add an extra security layer.

In this tutorial, we will introduce what two-factor authentication is, explain the pros and cons of using this security method, and show how to set it up on WordPress sites.

What Is Two-Factor Authentication?

Passwords are a necessity for logging into almost any website or online service. However, they offer relatively weak security because they are usually stored on the server that hosts the website. Even if you use very strong passwords and update them regularly, they can be leaked in a small server breach.

Requiring only a password when logging into your website is called single-factor authentication. Two-factor authentication is a security system in which you must present two factors to confirm your identity. Most current implementations of this method still rely on a password, with a second factor also required for authentication.

There are some common examples of two-factor authentication in practice. In one, you enter the normal login credentials (username and password), but before you can log in successfully you also have to take a second step to confirm your identity via a specific app on your tablet or phone. The second step could also be entering a random time-dependent code sent to your phone, entering a PIN, or completing another action required by the website.

[Image: What Is Two-Factor Authentication]

Pros and Cons of Using Two-Factor Authentication

Security is always a serious matter. WordPress itself is secure, but its popularity has attracted a large number of attackers. There are certainly many effective methods for securing your WordPress site. However, since the password is the weakest part of WordPress security, it makes sense to put more effort into strengthening logins. Two-factor authentication is developed specifically to make it harder for attackers to gain access to your admin area.

After enabling two-factor authentication on your WordPress site, you will get a more secure login procedure. Besides the username and password, you also have to enter a one-time password generated by a mobile app, sent via a phone call, or delivered via SMS.

With such a procedure, even if your login credentials have been compromised, attackers are not able to access your WordPress admin area without also having the one-time password delivered to your phone.

While the security benefits of two-factor authentication are obvious, there are still several drawbacks you need to pay attention to. Below are some of the concerns.
  • As two-factor authentication adds one more step to the login procedure, it makes logging in more time-consuming and complicated. Users may not like to sign up for or log into a website on which login is made difficult.
  • If you require one-time passwords sent via SMS, people may feel that they are putting their phone numbers at risk.
  • You, as a legitimate user, cannot log into your website if you forget to carry your phone with you.

[Image: Pros and Cons of Two-Factor Authentication]

How to Set up Two-Factor Authentication on a WordPress Site

Setting up two-factor authentication in WordPress is simple, since it can be done with some helpful plugins. Below, we introduce the most popular and easy-to-use plugins, which help you finish all the tasks easily. No coding is needed at all.

Option 1: Set up two-factor authentication with the Clef plugin

Clef is currently the most popular two-factor authentication plugin, with over 800,000 active installs. It offers a unique approach that is both creative and simple. After installing and configuring the plugin, you no longer need to enter your username and password when logging into your site. Instead, you log in quickly by scanning a moving barcode displayed by Clef, called a wave. This password-free authentication provides a good user experience.

The Clef plugin comes in a free version that supports ten WordPress users, which is enough for non-membership sites with several administrators and authors. If you want to enable Clef for more users, you have to contact the sales team for a quote.

[Image: WordPress Two-Factor Authentication Plugin - Clef]

Setting up Clef is easy. After installing the plugin through the WordPress dashboard, you will see a menu named "Clef". Clicking on it leads you to the setup page. Altogether two steps are required; the first is to download the Clef mobile app on your phone.

[Image: Download Clef Mobile App]

For the second step, the plugin shows you a Clef wave. Now open the Clef mobile app, which shows a wave too. To connect your WordPress account with the mobile app, sync the waves by scanning the one on the computer screen with your phone's camera in the app. When the sync succeeds, choose a PIN (Personal Identification Number) in the mobile app to complete the connection.

[Image: Sync Clef Wave]

After Clef is set up properly, log out of the WordPress admin area and try to log in again. On the login page, there should be an option for logging in with your phone. Click the button and you will be logged in automatically by syncing the wave.

[Image: Log in with Clef]

For extra flexibility, the Clef plugin comes with a shortcode that you can use to add the Clef login button to any post, page, or sidebar widget.

Option 2: Use the Google Authenticator plugin

The Google Authenticator plugin is less popular than Clef. However, it is still easy to use, and it is especially convenient for those who have already installed the Google Authenticator app on their smartphones for two-factor authentication on sites like Amazon and Gmail. Besides, it supports unlimited users for free.

When the Google Authenticator plugin is installed and activated on your WordPress site, it adds a "Google Authenticator Settings" section to your profile. To start using Google Authenticator, first make sure the mobile app is installed properly, then go to Users > Your Profile in the WordPress dashboard. Scroll down your profile and you will see the settings.

[Image: Google Authenticator Settings]

To activate two-factor authentication, make sure "Active" is checked. If you need more time to enter the one-time password when logging in, enable "Relaxed mode" as well. For the "Description", you can simply use your blog name.

Finally, show the QR code by clicking the corresponding button and scan it with your Google Authenticator mobile app.

[Image: Show QR Code]

After two-factor authentication is enabled, log out of your site to test it. On the WordPress login page, you still need to enter your username and password, and a "Google Authenticator code" is also required.

[Image: Google Authenticator Code]

With the Google Authenticator plugin, you can enable two-factor authentication for individual users or for specific user roles, so that you can require authentication only for administrators and authors while skipping normal users without privileges.

To enable authentication for a single user, edit his or her profile, find "Google Authenticator Settings", and check "Active". Make sure to update the user profile afterwards.

[Image: Activate Google Authenticator for Other Users]