Two factor authentication – the two simplest and best ways to enable it for WordPress
At UpdraftPlus we believe backups are essential. But having backups without security is like having insurance without locking your doors at night. You need both.
If you own or manage a WordPress website it’s vital that you keep it as secure as possible.
Although WordPress is a relatively secure platform, the fact that it's so popular means there are lots of people with the ability to break into a poorly secured site.
UpdraftPlus strongly recommends the gold-standard way to secure the login to your website, which is to use two factor authentication. In this guide, we'll quickly explain what this is and why you might want to use it, before covering two free plugins that can help you enable two factor authentication on a WordPress website.
Let’s get started…
What is two factor authentication and why use it?
By default, users gain access to the back end, or dashboard, of a WordPress website by entering their username and password. However, this approach has its downsides.
For starters, users might choose weak passwords or reuse the same username and password combinations on multiple sites. Some users even write down and store their usernames and passwords in easy-to-find places.
Then there’s the act of entering the username and password. Even if you’ve chosen a strong password, all it takes is one shoulder surfer to watch you enter your details and there’s a good chance they’ll also be able to access your account. That’s without even thinking about keyloggers, packet sniffers, and other more sophisticated forms of hacking.
However, there is something you can implement that will significantly increase the security of your WordPress website, and that is two factor authentication or 2FA.
Instead of requiring users to just enter a username and password to log in, two factor authentication adds an extra step to the login process. Typically, this second step involves a one-time code being generated on, or sent to, a device the user will have access to, such as their smartphone or laptop. The user then enters this code, often along with their username and password, to log in securely.
Modern two factor authentication solutions, like the ones featured in this guide, use purpose-built apps as part of the login process, requiring the user to know their password and have their device to hand.
In other words, hackers can’t get in without both your phone and your password.
The fact that services like Gmail and online banks use two factor authentication to secure user accounts gives you a good idea of how effective this method is. Now, thanks to the plugins in this guide, you too can easily implement two factor authentication on your WordPress website.
So now all you have to do is choose the right plugin…
Which is the best two factor authentication WordPress plugin?
There are actually two highly effective two factor authentication plugins for WordPress that have been created by the UpdraftPlus team. Both are popular options among WordPress users, with over 11 thousand active installations between them.
However, of these two plugins, one is a more innovative tool that aims to make enabling two factor authentication for WordPress more appealing, while the other plugin takes a more traditional approach and simply gets the job done.
In this guide to adding two factor authentication to WordPress websites, we’ll cover both options to help you not only decide which plugin is right for your project but also provide you with the information needed to quickly secure your site.
First up we have the tried and tested, solid and traditional Two Factor Authentication plugin, a freemium tool with over 10 thousand active installations.
Two Factor Authentication WordPress plugin
The appropriately named Two Factor Authentication plugin is the ideal solution for anyone who wants to quickly secure their WordPress website with the least fuss and effort. As the Two Factor Authentication plugin is free to use and available from the official WordPress Plugin directory, it can be installed on your website via your WordPress Dashboard.
So to get started, simply log into your WordPress Dashboard, navigate to the Add Plugins screen, and then enter Two Factor Authentication in the search field.
After clicking on the Install Now and Activate buttons, you can configure how the plugin works on your website. The link to the settings page for Two Factor Authentication can be found under the Settings menu on the WordPress Dashboard. From this page, you'll be able to choose which user roles will have access to this feature. For even greater security, upgrading to the premium version of the plugin lets you enable two factor authentication for all of the users on your WordPress website on their behalf.
If you stick with the free version of the plugin, without the ability to enable two factor authentication on behalf of other users, your users can instead simply enable it for themselves once they’ve logged into WordPress.
However, if you do decide to upgrade to the paid version of the Two Factor Authentication plugin, you’ll also get access to other features, including the ability to generate emergency codes in case your users lose their device and settings that allow you to manage two factor authentication for your users.
So now that we know what this plugin can do, let’s take a quick look at how it works from the perspective of your users.
How it works for your website users
When you create an account for a new user on your WordPress website, they will be able to log into the site as usual, using the username and password generated at the time of the account creation. Then, once that user has logged into the WordPress Dashboard, they can access the Two Factor Auth pages in the dashboard area. This also applies to users that existed on your site before you installed the plugin.
From the Two Factor Authentication settings pages, the user can enable this feature for their account (if you've already enabled it for their user role). Part of this process involves scanning the QR code in the Google Authenticator app on their smartphone (or using one of the other methods available, such as a Chrome browser extension) and entering the one-time password it generates.
Now the next time that user tries to log into your site, after entering their username and password on the WordPress login page, another screen will be displayed, asking them for their one-time password (i.e. 2FA) which they can get from the Google Authenticator app or another tool that they are using.
If they entered their details correctly, they’ll be logged in securely to the WordPress website.
As mentioned, upgrading to the premium version of the Two Factor Authentication plugin allows you to view the login codes and other details of your users so you can help them if they get stuck. You’ll also be able to issue them with emergency codes in case they lose their smartphone or another device they’ve been using to generate the codes.
However, without upgrading, you’ll still be able to give your users the ability to enable fully functioning two factor authentication on your WordPress website.
Although the Two Factor Authentication plugin is a tried and tested tool for enhancing the security of a WordPress website, it's not the only option available.
So let's take a look at a plugin that those who'd prefer a more interesting and innovative solution for adding two factor authentication to a WordPress website should find appealing.
Keyy WordPress plugin
Keyy is another tool for enabling two factor authentication on your WordPress website. One of the benefits of Keyy over a more basic plugin — like Two Factor Authentication covered above — is that it does away with usernames, passwords, and other credentials altogether.
How does this work? Well, once the Keyy plugin has been set up on your site, you and your users can scan the Keyy wave or QR code with the app on a smartphone, or another supported device, and be taken straight to the WordPress Dashboard. With no usernames and other details to enter, you can reduce the risk of anyone looking over your shoulder or logging your keystrokes to steal your account credentials.
As well as installing the Keyy plugin on your WordPress website, you’ll also have to install the Android or iOS app on your smartphone or tablet. However, as all of these tools are free and available from the official repositories, the whole process is very straightforward.
Then, when you next try to log into the site, the Keyy wave or QR code will be displayed on the login page. Simply scan the code with the Keyy app on your phone or another registered device and you’ll be logged straight into the WordPress Dashboard.
If you lose your Keyy-enabled device, it's not the end of the world. Users with the administrator role also get access to a secret URL that allows them to disable the Keyy login and gain access to the site using the username and password.
Once someone has used the secret URL to login, the site administrator is notified via email and a new secret URL is generated. Thanks to this, despite having the ability to login without Keyy, there are still measures in place to reduce the chances of your site’s security being compromised.
How Keyy works for your website users
As with the Two Factor Authentication plugin, unless you upgrade to the premium version of Keyy, your website users will have to opt in themselves to start using Keyy to log into the WordPress Dashboard. However, doing so is very straightforward, so hopefully they'll secure their account without any resistance.
To enable Keyy, all users have to do is log into the site using their username and password as usual, and then navigate to the plugin page in the WordPress Dashboard.
From there they can find links to the Keyy mobile app in the Android Google Play store and iOS Apple App store. Once the app is installed, they can set up a passcode to secure the app on their phone, before using the app to scan the Keyy wave or QR code in their WordPress Dashboard.
Once they've performed the scan, Keyy will be enabled for their account and they can only log in using two factor authentication with the Keyy app.
Hopefully, this guide has answered your questions about two factor authentication for WordPress and introduced you to two tools for securing your website in this way.
Although there are many ways to improve the security of your WordPress website, enabling two factor authentication is straightforward and incredibly effective. If you have any other problems, you can also check out WordPress emergency services from WP Buffs.
So which plugin will you use to secure your WordPress website with two factor authentication? Please let us know in the comments below.