
Two Factor Authentication in 2019 for WordPress

24 January 2019

Tim Nash

We regularly get asked for recommendations on two-factor (or Multifactor) authentication plugins and products for WordPress Hosting. It’s a topic we have covered a few times in the past, but in 2019 we now really only recommend a single plugin.

Two-Factor

If you are looking to enable two-factor authentication (and if you are not, you really should be!) then we recommend the plugin two-factor.

This plugin is a “feature” plugin and is developed by members and former members of the WordPress core security team. The goal of a feature plugin is that it will ultimately become part of the standard WordPress core, so using it today will mean continuity when the features are eventually incorporated into WordPress core.

In addition to being a feature plugin (which is a massive plus), it supports a range of two-factor methods including Google Authenticator and U2F hardware keys. It also supports having multiple factors set up per person.

For users of our WordPress Hosting, the plugin works fully with our WordPress login button, allowing you to skip the login but still be challenged. Many other solutions either break the button or mean we skip two-factor authentication altogether.

The reason the button still works is a UI decision taken by the plugin: the two-factor authentication field is presented after a successful login rather than on the login page itself. This makes it harder for potential attackers to identify which users have two-factor authentication enabled and presents a simplified login experience for end users.

Installing Two-Factor

To install the two-factor plugin, log into the WordPress admin area, select Plugins and click the add new button.

Within the search box on the right type two-factor.

Two-Factor by George Stephanis is the plugin we wish to install, so click Install for that one.

Click Activate.

Two-Factor is now installed and activated.

Setting up Two-Factor

If you want to set up two-factor for your user, then within the WordPress Admin area select Users -> Your Profile. Alternatively, administrators may edit any user by accessing their user page.

Scroll down the profile to Two-Factor Options under Account Management and select the second factor option you wish to configure. We recommend Google Authenticator or U2F hardware keys.

For Google Authenticator

Make sure you have the Google Authenticator app on your phone or device installed and ready.

With the Google Authenticator app open, press the + circle and select scan barcode.

Hold the phone to your screen to scan the QR code on the screen.

Enter the code you are presented with into your WordPress Admin area in the box Authentication Code and hit submit.
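What the Authentication Code is and how the server side checks it, as an added example that is not the plugin's own code: a Python implementation of TOTP (RFC 6238), the algorithm behind Google Authenticator. The secret is the RFC's reference key, base32-encoded as it would appear in the QR code, and is a constructed demo value only.

```python
"""TOTP (RFC 6238) generation and verification, the mechanism behind the
Google Authenticator option described above."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 reference key "12345678901234567890",
# base32-encoded the way it would be embedded in the otpauth:// QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Return the TOTP code for the given secret and Unix time (HMAC-SHA1)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step                        # 30-second time step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int = None,
                window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step or +/- `window` adjacent steps,
    tolerating small clock drift between phone and server. The comparison is
    constant-time so response timing does not leak digit matches."""
    if unix_time is None:
        unix_time = int(time.time())
    submitted = submitted.strip().replace(" ", "")
    for delta in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + delta * step, step)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    print("current code:", code)
    print("verifies:", verify_totp(DEMO_SECRET_B32, code, now))
```

This check only runs after the password has already been accepted, which is exactly the ordering the plugin uses; a real deployment should also record each accepted code so it cannot be replayed within the same time window.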

For U2F keys

You will need a hardware key like a YubiKey or Feitian ePass, and will need to have the device with you, using a machine it can be plugged into. If the device supports NFC you should still use USB rather than NFC for setting it up.

Insert the key into a USB port.

Click Register Security Key.

The key should now be registered. Remember that good practice is to register at least two security keys, with the backup stored somewhere very safe.

We do not recommend using security codes via email, but if you have users who don’t have Google Authenticator and cannot install it, or aren’t in a position to purchase hardware tokens then this is an option, though it is not as secure as the previous two.

Once you have set up one or more authentication methods you can enable them and select one as the default. When you log in you will be asked to authenticate with your default option, with an option to change methods.

That’s it! From now on you will be asked to authenticate with your second factor (or your choice of second factor) after a successful login. With Two-Factor enabled and configured, even if a brute force attack succeeds in working out your password, the attacker will still be unable to access the account without the second factor.

We highly recommend installing and setting up two-factor on all sites; it’s quick and easy and with the Google Authenticator app on your phone, free.