How to secure your WordPress login with 2FA
Jack Wallen shows you how to add two-factor authentication to your WordPress sites to avoid unwanted intrusions.
Nothing is perfect. No matter what you do to lock down every account you have, you’re still at risk. However, doing nothing is akin to opening the metaphorical door and inviting trouble in. You don’t want that. Even though it might seem futile, you still want to enable every possible hurdle to make the hacker’s job as difficult as possible.
This is true for every account you have—even your company’s WordPress website. If you’re not doing everything you can to protect that site, there’s no telling what could be at stake. Company information, client and customer details, bank accounts, third-party logins…you name it, and it could be laid out for nefarious takers.
To that end, you should secure WordPress logins with two-factor authentication (2FA). Fortunately, this is just an add-on away. I’m going to show you how it’s done.
SEE: Security incident response policy (TechRepublic Premium)
What you’ll need
- A working instance of the platform
- An admin user account
How to install the add-on
Log in to your WordPress instance as an admin user and go to the Plugins section. Click Add New and then, in the resulting window, type WP 2FA in the search field (Figure A).
The WP 2FA plugin should appear below the search, where you can click Install Now to add the feature. Once the plugin is installed, click Activate to activate WP 2FA (Figure B).
How to configure WP 2FA
After you activate the plugin, you’ll be presented with a very easy-to-use wizard that will walk you through the setup (Figure C).
You have two choices on how to use the 2FA code:
I’ve tried both options and they work fine, so choose whichever method best suits your needs. After you’ve successfully set up the 2FA authentication, you can then configure which method regular site users are required to work with. To be safe, I’d go with the email option—otherwise, you’re going to have to also instruct your users how to install and use a third-party application. Make this as simple as possible and go with email (Figure D).
You next need to select if you want to use 2FA all the time for all users (Figure E).
Finally, you can exclude certain users and roles from having to use 2FA on your site. If you want to go for the most secure option, I wouldn’t recommend excluding anyone from this list. The only reason you might is to ensure you have one admin user who can always gain access to the wp-admin section of the site. I’ve had one instance where an update to the MiniOrange authentication plugin broke my ability to log in to a site. I had to SSH into the site and manually disable the plugin, to log in. Do what’s best for you, and go with the configuration that best fits your security needs.
And that’s all there is to securing your WordPress sites with 2FA.
Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.