It is no secret that WordPress is one of the favorite targets of cybercriminals. With more than 30% of all websites running on WordPress, any WordPress site can end up on an attacker's radar, whether or not it is a high-value target.
Two Factor Authentication (2FA) is a popular method of confirming the identity of the user logging into the website. When enabled, a login requires two separate proofs of identity: something the user knows (the password) and something the user has (a phone or mailbox that receives a code, or an authenticator app). Even if an attacker obtains your username and password, by guessing, phishing or a leaked password database, they cannot log into your account because they fail the second check required to complete the 2FA login.
How to Integrate Two Factor Authentication in WordPress?
In keeping with WordPress's reputation for convenience, 2FA can be integrated in several ways. In this article, I will demonstrate the following methods:
- 2-Step SMS Verification through a plugin.
- Google Authenticator for 2FA.
- Two Factor Authentication using Email.
SMS Verification Through Plugin
In this WordPress two factor authentication setup, once a user enters the credentials, an SMS is sent to a registered phone number. The SMS contains a verification code which the user must enter on the login screen (or the next screen) to complete the login process.
To demonstrate this method, I will use FraudLabs Pro SMS Verification WordPress plugin.
Open your WordPress dashboard and install this plugin. Go to Settings and click FraudLabs Pro SMS Verification to open the plugin's settings page.
In order to get the API key, you need to create an account on FraudLabsPro website. The API key will be sent to the registered email address. Enter the API key in the plugin’s settings page.
Scroll down and select the form(s) where you would like to verify the user through SMS verification.
Currently, I only require the verification of the WP login form. Click Save Changes to save all settings.
To see SMS verification in action, I will log out and try to log in back.
The login screen now asks not only for the credentials but also for a phone number to which a one-time password (OTP) is sent to complete the verification.
Even with the correct username and password, I can only log in after entering the code sent via SMS. Keep in mind that SMS is the weakest of the three factors in this article: an attacker who takes over your phone number (a SIM swap) receives the code instead of you, so prefer an authenticator app where you can.
WordPress 2 Factor Authentication Through Google Authenticator
Another method of setting up 2FA is through the Two Factor plugin.
Go to Plugins, then install and activate the above-mentioned plugin. Now navigate to Users and click Your Profile. The Two-Factor options are at the bottom of the page. Choose the second option, Time Based One-Time Password (TOTP), which is the scheme Google Authenticator implements, and click the View options link.
Install the Google Authenticator app on your phone and scan the QR code; the app then shows a six-digit code that changes every 30 seconds. Enter the current code in the plugin's settings section and click the Update Profile button to complete the process.
Now log out of the WordPress dashboard to see WordPress two factor authentication in action.
I cannot log in unless I also provide the current Google Authenticator code.
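What the authenticator app and the plugin are doing underneath is RFC 6238 TOTP: both sides share a secret (the QR code is an otpauth:// URI carrying it), and each derives a six-digit code from HMAC-SHA1 over the current 30-second time step. The following is an added example, not code from the Two Factor plugin or Google Authenticator; it uses the RFC 4226/6238 test key "12345678901234567890" as a constructed demo secret and shows the two server-side checks a plugin needs that the paragraph above does not mention: a small window for clock drift, and refusing to accept the same time step twice so a captured code cannot be replayed.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional
from urllib.parse import quote

# Constructed demo secret: the RFC 4226/6238 test key "12345678901234567890",
# base32-encoded the way authenticator apps expect it. A real plugin generates
# a fresh random secret per user, e.g. base64.b32encode(secrets.token_bytes(20)).
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30   # Google Authenticator's default time step
DIGITS = 6


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the QR code on the profile page encodes."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret_b32, unix_time // STEP_SECONDS)


class TotpVerifier:
    """Server-side check: accept the current step and `window` steps either side
    for clock drift, and never accept a step at or below the last one used, so a
    code sniffed from the user cannot be replayed within its validity window."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret_b32 = secret_b32
        self.window = window
        self.last_counter: Optional[int] = None   # highest time step already consumed

    def verify(self, submitted: str, unix_time: int) -> bool:
        submitted = submitted.replace(" ", "")
        if len(submitted) != DIGITS or not submitted.isdigit():
            return False
        counter = unix_time // STEP_SECONDS
        for candidate in range(counter - self.window, counter + self.window + 1):
            if self.last_counter is not None and candidate <= self.last_counter:
                continue   # already used: refuse the replay
            if hmac.compare_digest(hotp(self.secret_b32, candidate), submitted):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    print(provisioning_uri(DEMO_SECRET_B32, "admin@example.com", "Example WP"))
    print("code at t=59:", totp(DEMO_SECRET_B32, 59))   # RFC 6238 vector, last 6 digits
```

The `last_counter` value must be persisted per user (the plugin would keep it in user meta) or the replay guard is lost on the next request. Note also that the shared secret is stored server-side in a form that must be readable to compute the HMAC, so anyone who can read the WordPress database can mint valid codes; that is the trade-off TOTP makes and a reason to protect database backups as carefully as passwords.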
2FA Through Email
This method is similar to the SMS verification method. However, instead of an SMS, the user receives the verification code by email. The good news is that you can use the same Two Factor plugin we used previously.
Go to Users from the WordPress dashboard and click Your Profile. Scroll all the way to the bottom and choose the Email option.
Now click the Update Profile to save the changes.
A verification code is sent to the registered email address every time you try to log into the WordPress dashboard. Bear in mind that this factor is only as strong as the mailbox: an attacker who controls your email can usually reset the WordPress password as well, so use a mailbox that itself has 2FA enabled.
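Both the SMS method (FraudLabs Pro) and the email method above follow the same server-side pattern: after the password check, generate a short random code, deliver it out of band, and accept it once within a few minutes. The example below is added here and is not the code of either plugin; it shows the handling that makes such a code safe in practice, which the sections above leave implicit. The server key and the five-minute / five-attempt limits are assumptions chosen for the demo, and the in-memory dictionary stands in for the database a plugin would use.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # five minutes: long enough for delivery, short enough to limit interception
MAX_ATTEMPTS = 5        # a 6-digit code has only 1e6 values, so guessing must be capped

# Constructed server-side key; a plugin would keep this in wp-config.php, not in the database
SERVER_KEY = b"constructed-demo-key-replace-me"


@dataclass
class Challenge:
    code_mac: bytes      # keyed hash of the code, so a database dump does not reveal live codes
    expires_at: float
    attempts: int = 0


_pending: Dict[str, Challenge] = {}   # user -> outstanding challenge (one per user)


def _mac(user: str, code: str) -> bytes:
    return hmac.new(SERVER_KEY, f"{user}:{code}".encode(), hashlib.sha256).digest()


def issue_otp(user: str, now: Optional[float] = None) -> str:
    """Create a fresh code for `user` once the password check has passed.
    Returns the code for the SMS/e-mail sender; it is not stored in clear or logged."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"   # CSPRNG, not random.randint
    _pending[user] = Challenge(code_mac=_mac(user, code), expires_at=now + OTP_TTL_SECONDS)
    return code


def verify_otp(user: str, submitted: str, now: Optional[float] = None) -> bool:
    """Second login step. Fails closed when there is no challenge, it has expired,
    too many guesses were made, or the code is wrong. A correct code is consumed."""
    now = time.time() if now is None else now
    challenge = _pending.get(user)
    if challenge is None or now > challenge.expires_at:
        _pending.pop(user, None)
        return False
    challenge.attempts += 1
    if challenge.attempts > MAX_ATTEMPTS:
        _pending.pop(user, None)      # force a new password login and a new code
        return False
    if not hmac.compare_digest(_mac(user, submitted.strip()), challenge.code_mac):
        return False
    _pending.pop(user)                # single use: the same code cannot be replayed
    return True


if __name__ == "__main__":
    demo_code = issue_otp("admin")
    print("send this by SMS or e-mail:", demo_code)
    print("first use accepted:", verify_otp("admin", demo_code))
    print("second use accepted:", verify_otp("admin", demo_code))
```

The same code must not be resent on a "didn't receive it" click; call `issue_otp` again so the earlier code is invalidated. Rate-limit that resend path as well, or the login form becomes a free SMS-sending service.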
Two Factor Authentication is a highly recommended best practice for WordPress security. Since WordPress two factor authentication can be set up easily through plugins, there is no reason not to have it on your website. Note that the Two Factor plugin is configured per user from each user's profile, so make sure every administrator and editor account enables it; an attacker needs only one unprotected privileged account. If you need help setting up these plugins, do leave a comment below.