We regularly get asked for recommendations on two-factor (or multi-factor) authentication plugins and products for WordPress Hosting. It is a topic we have covered a few times in the past, but in 2019 we really only recommend a single plugin.
Two-Factor
If you are looking to enable two-factor authentication (and if you are not, you really should be!) then we recommend the Two-Factor plugin.
This is a "feature" plugin, developed by members and former members of the WordPress core security team. The goal of a feature plugin is that it will ultimately become part of standard WordPress core, so using it today gives you continuity when the feature is eventually incorporated into core.
In addition to being a feature plugin (which is a massive plus), it supports a range of second-factor methods, including time-based one-time codes as used by Google Authenticator and U2F hardware keys. It also supports having multiple factors set up per person, so you can register a backup method alongside your primary one.
For users of our WordPress Hosting, the plugin works fully with our WordPress login button: the button still takes you past the password step, but you are still challenged for your second factor. Many other solutions either break the button or mean the login bypasses two-factor authentication altogether.
The button keeps working because of a UI decision in the plugin: the second-factor prompt is presented after a successful password login rather than on the login page itself. This makes it harder for potential attackers to identify which users might have two
Installing Two-Factor
To install the Two-Factor plugin, log into the WordPress admin area, select Plugins and click Add New.
In the search box on the right, type two-factor.
Two-Factor by George Stephanis is the plugin we wish to install, so click Install for that one.
Click Activate.
Two-Factor is now installed and activated.
Setting up Two-Factor
If you want to
Scroll down the profile to Two-Factor Options under Account Management and select the
For Google Authenticator
Make sure you have the Google Authenticator app installed and ready on your phone or device.
Open the Google Authenticator app, press the + button and select Scan barcode.
Hold the phone up to your screen to scan the QR code.
Enter the six-digit code the app shows into the Authentication Code box in your WordPress admin area and hit Submit. The code changes every 30 seconds, so enter it promptly; if it is rejected, wait for the next one and check the clock on your phone is correct.
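As an added illustration of what happens underneath the Google Authenticator step (this is example code written for this article, not part of the original post and not the Two-Factor plugin's own code): the QR code carries a base32 secret that both the app and the site keep, and each side derives a time-based one-time password (RFC 6238) from that secret and the current 30-second window. The Python verifier below is the shape a server-side check needs to take: it tolerates a small amount of clock drift, compares in constant time, and refuses to accept a window once a code from it has logged someone in, so an intercepted code cannot be replayed while it is still valid. The demo secret is the 20-byte seed from the published RFC 4226/6238 test vectors, constructed here; the function and class names are my own and do not correspond to anything in the plugin.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    # Authenticator apps expect the secret as base32 in the QR code; normalise the
    # padding so a secret copied without its trailing '=' still decodes.
    s = secret_b32.strip("=").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current `step`-second window."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Server-side check of a code the user typed in (hypothetical helper, not the plugin's API).

    * tolerates +/- `skew` windows of clock drift between phone and server,
    * compares in constant time so timing does not leak how many digits matched,
    * refuses any window at or before the last one that logged in, so a code
      captured by a phishing page cannot be replayed while it is still valid.
    """

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret_b32
        self.step = step
        self.digits = digits
        self.skew = skew
        # A real site persists this per user; kept in memory here for the demo.
        self.last_window_used = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        submitted = submitted.replace(" ", "")
        if not (submitted.isascii() and submitted.isdigit() and len(submitted) == self.digits):
            return False
        current = unix_time // self.step
        for window in range(current - self.skew, current + self.skew + 1):
            if window < 0 or window <= self.last_window_used:
                continue  # never accept a window that already logged someone in
            if hmac.compare_digest(hotp(self.secret, window, self.digits), submitted):
                self.last_window_used = window
                return True
        return False


# Constructed demo secret: the RFC 4226/6238 test-vector seed, base32-encoded the
# way an enrolment QR code would carry it. Never reuse a known seed in production.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    verifier = TotpVerifier(DEMO_SECRET_B32)
    print("code:", code,
          "accepted:", verifier.verify(code, now),
          "replayed:", verifier.verify(code, now))
```

With the RFC seed, the code for unix time 59 is 287082 (the 6-digit form of the published 94287082), which is a handy way to sanity-check any TOTP implementation before trusting it with real logins. The skew window is the reason a slightly wrong phone clock still works, and also why a stolen code stays dangerous for up to a minute, which is what the replay check is for.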
For U2F keys
You will need a hardware key such as a YubiKey or a Feitian key.
Insert the key into a USB port.
Click Register Security Key.
The key should now be registered. Remember, good practice is to register at least two security keys, with the backup stored somewhere very safe, so that losing one key does not lock you out.
We do not recommend security codes sent via email: they are only as strong as the mailbox that receives them, and an attacker who has your WordPress password may well have your email password too. However, if you have users who do not have Google Authenticator and cannot install it, or who are not in a position to purchase hardware tokens, then it is an option, though not as secure as the previous two.
Once you have
That’s it! From now on you will be asked to authenticate with your second factor (or your choice of second factor, if you registered more than one) after a successful password login. With Two-Factor enabled and configured, even if a brute-force attack succeeds in working out your password, the attacker will still be unable to access the account without the second factor.
We highly recommend installing and setting up t