How to Use Two-Factor Authentication with WordPress

Article written by:
  • WordPress
  • Sep 28, 2017

In the world of content management systems, WordPress is known for many things, such as flexibility, versatility, user-friendliness, and its awesome community. It single-handedly transformed the blogosphere by enabling the quick and easy creation of professional-looking sites.

However, WordPress’s popularity is not without a few drawbacks. For one, the vast pool of third-party integrations and plugins made compatibility issues a commonplace.

When it comes to security, WordPress also holds the record for the most infections in 2016. According to Sucuri, the top reasons for those infections include poor system administration, outdated software, and poor credential management.

In this post, I will show you how to reinforce your WordPress installation’s security by leveraging two-factor authentication.

Why Two-Factor Authentication?

The term “two-factor authentication” describes the process of requiring two digital transactions to verify a user’s identity. Plenty of brick and mortar companies implement this by requiring biometric data or a specialized ID device.

In the online world, however, two-factor authentication is usually carried out through digital communication channels – be it an email service or SMS.

Simply put, two-factor authentication is like adding a second layer of defense to your WordPress security. Rather than depending solely on your password, you can further protect the safety of your WordPress account by requiring an extra authentication method that is, hopefully, out of reach to hackers.

Without further ado, here are the steps on how to quickly implement two-factor authentication in your WordPress installation.

Using Google Authenticator by miniOrange

The easiest way to implement two-factor authentication in WordPress is to use a plugin. Google Authenticator by miniOrange is one of the best tools for this job.

For verification purposes, Google Authenticator will require a valid email address. You can complete this process by going to your WordPress dashboard and clicking ‘miniOrange 2-Factor’.
After supplying your email, you should receive a one-time passcode (OTP) from miniOrange.
Once you have your OTP, go back to the miniOrange and paste it into the “Enter OTP” field. Click ‘Validate OTP’ to continue.
When you’re all set, you can now proceed to setup two-factor authentication. Begin by clicking ‘Setup Two-Factor’ from the plugin’s page.

Here, you can view all your options when verifying your WordPress login session. By default, the active method is authentication via email verification. It works the same way as the email verification process you did when activating the plugin.

But instead of receiving an OTP, you will be provided with “accept” and “deny” links, which you can click to approve a login.

To test if a method works, click the ‘Test’ button.

You will then be prompted that a verification email has been sent. Go ahead and check your email inbox for the approval link. Look for the header: “Your Requested One Time Passcode.”

The email should look like:

Click the ‘Accept Transaction’ link to complete the test.

Other Authentication Options

Aside from email verification, miniOrange also supports authentication via QR Code, SMS, Security Questions, Push Notification, and through apps like Authy and Google Authenticator.

Here’s a brief overview of these additional methods.

Enabling SMS Authentication

To opt for SMS authentication, head back to the Setup Two-Factor page and select ‘OTP Over SMS.’ This will lead you to the phone number verification page.

After clicking the ‘Verify’ button, wait a few minutes for the OTP code to be sent to your mobile device.
Once verified, you will now receive an OTP via SMS whenever you try to log in your WordPress account.

Just remember that SMS authentication is only available to free users for up to 10 logins. If you want to keep on using their service, then you should consider upgrading to the paid version.

On the plus side, premium users will also be able to use verification via phone call. This is, by a clear mile, one of the most secure options you can have for two-factor authentication.

Enabling Soft Token Authentication

The next option is the authentication via “Soft Token,” which is a 6-digit code generated by the miniOrange Authenticator App.

To start, you must first download the app to your device through the appropriate app store.

Once you have the app ready, click the ‘Configure your phone’ button to view the QR code. Take note that you also have to tap the ‘Configure your phone button’ in the mobile app when setting up Soft Token authentication for the very first time.

Next, scan the QR code on screen to view register your mobile device. When successful, you should now see a green ‘Authenticate’ button in the main app’s interface. Use this button whenever you log in to your WordPress account.

It’s worth noting that the ‘QR Code Authentication’ method has a similar setup process to the ‘Soft Token’ method. Both can be done through the miniOrange app, but instead of generating a 6-digit code, you will be required to scan a QR code whenever you log in to WordPress.

The main disadvantage of these methods is that you may get locked out of your WordPress account in case you lose your phone, leave it at home, or run out of battery. As a failsafe, you can configure security questions as an alternative authentication method.

Setting Up Security Questions (Knowledge-Based Authentication)

To set up the security questions for knowledge-based authentication, head to the Setup Two-Factor page and select ‘Security Questions (KBA).’

This will bring up the “Configure Second Factor” section where you can specify three security questions. Choose from the dropdown list and supply the answer in the corresponding fields.

If you’re satisfied with your security questions, click the ‘Save’ button and you’re good to go.

Using Other Mobile Authentication Methods

Two-factor authentication using your mobile device is indeed a handy way to secure your WordPress account. If for some reason, you dislike the authentication process via the miniOrange app, you can use the Google Authenticator or the Authy 2-Factor Authentication methods instead.

Both apps work the same way as the Soft Token method, wherein you are required to input a unique 6-digit code whenever you log in.

Do you agree that security is one of the pillars of online success? Then you shouldn’t stop at the front-end of your operations. If you currently use shared hosting, learn how to effectively protect yourself from hackers.

Article by Christopher Jan Benitez

Christopher Jan Benitez is a professional freelance writer who provides small businesses with content that engages their audience and increases conversion. If you are looking for high-quality articles about anything related to digital marketing, then he's your guy! Feel free to say "hi" to him on Facebook, Google+, and Twitter.

Get connected: