You’ve probably encountered a two-step login authentication process in online banking and any sites that require the highest security for their users. Because WordPress supports two-factor authentication (2FA), you can have the same level of security as a bank. Whether it’s your own WordPress site or sites you build for clients, strong security is fundamental.
Two-factor authentication adds an incredibly important layer of protection every WordPress site owner should seriously consider adopting. Because 2FA makes many common hacking attempts impossible, hackers will simply avoid 2FA-protected sites and not bother trying to break in with methods they know will not work. Every WordPress site can benefit from the additional layer of security that two-factor authentication provides.
Why Strong Passwords Aren’t Enough
Cyber threats pose serious risks to you and your customers. If an unauthorized user gains access to your site’s admin dashboard, anything could happen. You could lose all of your data in an instant. You might lose control of your website for some time. Criminals might harvest your users’ personal information. Your users won’t be happy, but you’ll have to inform them what happened. The law requires you to disclose personal identification data breaches.
Many attacks can penetrate your site by guessing passwords or using stolen ones. If you and all your site users have two-factor authentication enabled, none of these brute-force methods to break into your site will work.
Yes, it’s always important to require strong passwords on all user accounts to protect your site and its users. However, a strong password doesn’t provide enough protection all by itself. Attackers can penetrate your site by guessing even strong passwords or by using stolen ones. That’s such a common reality now, traditional password-based logins are inadequate as a single layer of security.
Strong passwords do not offer strong enough protection without additional layers of security. Using two-factor authentication for all your user accounts is a much more effective security measure because it adds the additional layer you need to secure your site and protect your customers. That’s not to say enforcing strong passwords isn’t necessary. You should still do that too — and then add 2FA!
Two-factor authentication is relatively easy to set up. When you do, it will dramatically reduce the risk of malicious unauthorized users gaining admin access to your WordPress site. Win, win!
Two-Factor Authentication Blocks Brute Force Attacks
Stopping brute force login attacks is a great example of the protection two-factor authentication adds to your WordPress site. Brute force attacks are a common threat, but two-factor authentication will eliminate them. In a brute force login attack, hackers rapidly test many common and dictionary-based passwords against your admin and other user accounts. Sometimes hackers test large lists of stolen usernames, email addresses, and password combinations on your login screen.
Automated, scripted testing of thousands of illicit logins can slow your site down or take it offline. For this reason, brute-force login attacks often have the effect of denial of service attacks. But if you and all your site users have two-factor authentication enabled, none of these brute-force methods will work at all. No hacker will want to attempt brute-force logins on your site at scale. There will be no possibility of success for them.
Adding Two-Factor Authentication to Your WordPress Site
In this guide, we’ll discuss the details of 2FA. You’ll learn how user authentication works on the WordPress platform. Then we’ll explain how to implement 2FA with WordPress plugins.
Does WordPress Have Two-Factor Authentication?
WordPress core does not have two-factor authentication built into it. You need to add it.
Two-factor authentication is an additional security layer you add to your site with a WordPress plugin and sometimes an external service. In other words, it builds on the core user account features of a default WordPress installation. 2FA makes your WordPress site require not just a password but also additional information to verify the identity of each of your users every time they try to log in.
The 2FA verification comes from a source that an authorized site user can access, such as:
- A text message, call, or notification pushed to their phone
- An emailed link or code
- QR codes
Two-factor authentication is highly secure. Malicious attackers and hackers won’t have physical access to your users’ external channels and devices. This means that even if they’re able to crack a password, they still won’t be able to gain unauthorized access to your site without a second layer of authentication. To break in with a user’s password, they’d also need to have broken into a user’s email, computer, or phone. This can happen but is extremely rare compared to scripted brute-force attacks that test millions of passwords every day.
Do I Need 2FA For My WordPress Site?
Running two-factor authentication will block many bad actors in the online world from even attempting to gain unauthorized access to your site. While it’s not strictly necessary, who doesn’t need that protection and peace of mind?
Don’t let the bad actors take center stage in your world. 2FA prevents unauthorized access by those bad actors.
If you’ve ever had your WordPress site hacked or heard about someone who has, then you know how quickly it can be littered with spam links, redirects, and malicious code that can do immediate and irreparable harm to your reputation.
Even worse, if you’re running an e-commerce site using WooCommerce, a hacker may be able to access customer data such as names, addresses, phone numbers, email addresses, and even credit card numbers.
If that happens, you will have a difficult time digging out of the mess.
WordPress 2FA is a second line of defense that keeps the bad people out while ensuring that even if a password is compromised, accounts will remain secure and safe as long as the second layer of protection remains an unbreakable lock to a hacker.
As a WordPress site owner, understand that the two-factor authentication feature is 100% opt-in. Since it’s not a core feature, you only need to implement it on your site if you choose to. It is completely free and adds a nearly uncrackable layer of protection that will alleviate many worries about hacks and attacks.
TIP: The easier your security choices the more likely you are to implement them. KEEP IT SIMPLE!
With that said, 2FA is a no-brainer approach to WordPress site security that everyone should use if they aren’t already using it or even stronger, secure login methods that use passkeys instead of passwords.
The Benefits of 2FA for WordPress Sites with Multiple Users
On standard, unmodified WordPress login pages, you and your users simply enter a username and password to gain access to the site. Following submission of the login credentials, if a username and password combination matches what’s in the WordPress database, the user instantly gains access to the WordPress back end and any privileges based on the permission rules you’ve applied.
WordPress has six predefined user roles:
- Super Admin
By default, these roles are allowed to perform specific sets of tasks on your site. The tasks a role can perform are called “Capabilities.”
Most of your standard site users are probably in the Subscriber role, which has the fewest capabilities. However, you may have additional Admins, Editors, and Authors regularly accessing the back end of your site. Some users may be sloppy with their passwords, they may share accounts, and some with special privileges might give privileges to other users without your knowledge. You may forget to remove users or downgrade their privileges when they’re no longer active or needed. All of these situations are common and create opportunities for attackers.
If a hacker figures out just one of the Admin usernames and passwords, they’d instantly have access to your entire site with full privileges. That’s bad, obviously, but you don’t want your Subscribers getting hacked either. Even in that case, you’d have to report the breach, and that damages the trust your users have for you and your brand.
How Two-Factor Authentication Secures User Logins
Two-factor authentication stops hackers from breaking into user accounts by double-verifying a user’s identity using an email message, text message, or an authenticator app. At the time of login, the second verification method is activated. As a result, the user will have to confirm their login through one of these secondary channels.
Simply stated, when you or another site user enters personal login data on your site’s login page (a username and password), an immediate notification is sent to the email address or phone number associated with the user who is trying to log in. Normally, this login notification will include a link, QR code, or a one-time PIN to allow the login attempt to proceed.
For users to enter the site, they’ll need to follow the instructions in the email or text message. They may be asked to click on a specific access link or enter a PIN.
While this extra step slows down the login process, the added security far outweighs the risk of leaving your site open to simple username and password hacks that cyber criminals execute all over the web every day.
Is Two-Factor Authentication Completely Secure?
No security measure is ever 100% foolproof. In the world of hacking, where there is a will, hackers will find a way. If the worst should happen and you find that your site has been hacked, it’s best to be running a WordPress backup plugin that can immediately restore your site to a safe time before an attack.
When you compare 2FA to the standard password protection protocols in WordPress, you’ll find that two-factor authentication is more secure. The process requires your users (and you) to confirm every login attempt from a source unique to each user. Usually, this is a phone or private email account. That means a hacker can only gain access to the internal workings of a 2FA-protected WordPress site if they also have access to a site user’s devices and outside login information. Because this is extremely unlikely to happen, adding 2FA makes your site very much less likely to be hacked through an illicit login.
Are you ready to learn how to add 2FA to WordPress to protect your website and its users? If so, read on to learn how to incorporate the 2FA feature on your site and get it running.
How Do I Enable Two-Factor Authentication in WordPress?
Depending on your site host, you may be able to enable 2FA protection in your host’s cPanel or user portal.
However, if your host doesn’t provide you with 2FA protection, you can easily implement it on your own using WordPress plugins.
WordPress Two-Factor Authentication Plugins
Listed below are some of the best 2FA WordPress plugins that will secure your site from scripted login attacks immediately.
1. iThemes Security Two-Factor Authentication
In our opinion, the best all-inclusive WordPress site security suite available is iThemes Security Pro with Two-Factor Authentication. Not only does it secure your site with 2FA, but it comes with additional site security features:
- Brute Force Attack Protection
- File Change Detection
- 404 Error Detection
- Strong Password Enforcement
- Bad Bot and Spam Blocking
- Away Mode
iThemes Security Pro takes the guesswork out of WordPress security. You shouldn’t have to be a security professional to use a security plugin, so iThemes Security Pro makes it easy to secure and protect your WordPress website even if you don’t have a lot of technical knowledge.
Adding two-factor authentication using the WordPress security plugin iThemes Security Pro is easy for even the most novice user. Once it’s installed and activated, site users will need to enter a password along with a time-sensitive code that gets sent to a secondary device.
Pros, Cons, and Costs
- Pros of iThemes Security Pro: You get a lot more security protection than only two-factor authentication. Even better, the 2FA option is robust and easy to use. You’ll be confident in the knowledge your site is fully protected from malicious logins when you activate the plugin.
- Cons of iThemes Security Pro: The plugin costs more than the other paid 2FA options, but you do get more bang for your buck.
- Cost of iThemes Security Pro: If you only need to secure one site, the plugin’s cost is $80 per year. For up to ten sites, it will cost $127 per year. For unlimited sites, you can employ the plugin for $199 per year. That’s an investment well worth making when you consider the alternative.
2. Rublon Two-Factor Authentication
If you’re looking for an easy-to-use two-factor authentication plugin for WordPress, take a look at the Rublon Two-Factor Authentication plugin. The Rublon 2FA plugin will quickly secure your site against all unauthorized logins without any technical hurdles on your end.
Once you download and install the Rublon plugin, the next time you attempt to log into WordPress, you’ll have to click on a verification link that gets sent to your WordPress user account’s email address. Then, after you click the link to verify your identity, you’ll be asked if you want the site to remember your device for future logins. This means you won’t need to verify your identity every time you sign in, as long as you’re using the same device and browser each time you access the site.
If you’re using a different device or browser after verifying, you’ll simply need to repeat the process and save that one as well — just be careful to never do this on a device other people have access to!
The free version of the Rublon 2FA plugin is one of the best options for WordPress sites that only have one user. By upgrading to the paid version, this plugin can be used to secure multi-user websites as well.
Pros, Cons, and Costs
- Pros for Rublon Two-Factor Authentication: It’s mostly hands-off for site administrators. Once you’ve installed and activated the plugin, it doesn’t require any training or configuration. It works right out of the box.
- Cons for Rublon Two-Factor Authentication: It doesn’t support push notifications or text message verification. For that reason, you’ll only have email verification for 2FA.
- Cost of Rublon Two-Factor Authentication: The personal, one-website version of this plugin is completely free. Consequently, if you’re running a multiuser site or have multiple sites, you’ll need to get the paid version of the plugin. To do this, get in touch with their sales team for a quote.
3. Duo Two-Factor Authentication
Duo Two-Factor Authentication is one of the most advanced 2FA WordPress plugins you can find. With it, you can set up two-factor authentication based on user roles within the WordPress dashboard.
As an example, you’ll be able to require that Editors and Authors use the 2FA login process, but Subscribers (who can’t access the Admin dashboard in any way) only need to enter their usernames and passwords to enter the site. This handy feature can keep basic users from becoming frustrated with the drawn-out process of two-factor authentication.
This plugin will also provide you with several different user verification options, including:
- An automated phone call
- An SMS message with a pin code
- A mobile app
It’s a more flexible 2FA tool than the Rublon Two-Factor Authentication plugin, which only offers WordPress two-factor authentication email.
Pros, Cons, and Costs
- Pros of Duo Two-Factor Authentication: This WordPress two-factor authentication plugin supports the configuration of user roles and includes a wide variety of methods for user verification. Because of this, it’s extremely versatile for WordPress sites.
- Cons of Duo Two-Factor Authentication: Unfortunately, this plugin doesn’t support WordPress Multisite. For that reason, it may be out of the question for some users.
- Cost of Duo Two-Factor Authentication: This plugin is the perfect free solution if you have ten or fewer users that regularly log in to your site. However, if you have more than ten, you can increase the limit by paying $3 per month for each additional user.
4. Google Authenticator – Google’s Two-Factor Authentication for WordPress
Google two-factor authentication for WordPress is also an option to consider for implementing 2FA on your WordPress site.
The Google Authenticator gives you a nice variety of verification methods that will protect your site from malicious unauthorized login, including email messages, QR codes, and push notifications.
Much like the Duo Two-Factor Authenticator, you’ll be able to use this plugin to set up specific 2FA rules for particular WordPress user roles. This feature makes Google’s two-factor authentication a powerful weapon for WordPress in the fight against hacking attacks.
You can set up Google Authenticator to require a username, password, and additional verification factor. Or you can configure the plugin to require only a username and an additional factor, with no password needed.
Pros, Cons, and Costs
- Pros of the Google Authenticator: This plugin will support specific user roles as it relates to 2FA and comes with a wide variety of methods to verify your site users, including SMS, QR codes, push notifications, and automated phone calls.
- Cons of the Google Authenticator: The version that Google offers for free is relatively limited in the features you’ll be allowed to use.
- Cost of Google Authenticator: The free version offers single-user two-factor authentication. You’ll be able to upgrade for multiple users beginning at $15 per year.
Is It Time To Deploy Two-Factor Authentication on Your WordPress Site?
Remember that your WordPress site is only as secure as your login page allows it to be. Most often, restricting access to a username and password alone just isn’t enough.
By implementing 2FA, you’ll be able to keep your site, your visitors, your users, and your customers safe from malicious brute-force attacks.
TIP: Always better to be safe than to be sorry.
When you complement a good backup system with two-factor authentication, you’re taking foundational steps to secure your site.
Dan Knauss is StellarWP’s Technical Content Generalist. He’s been a writer, teacher, and freelancer working in open source since the late 1990s and with WordPress since 2004.