In the world of content management systems, WordPress is known for many things, such as flexibility, versatility, user-friendliness, and its awesome community. It single-handedly transformed the blogosphere by enabling the quick and easy creation of professional-looking sites.
However, WordPress’s popularity is not without a few drawbacks. For one, the vast pool of third-party integrations and plugins made compatibility issues a commonplace.
When it comes to security, WordPress also holds the record for the most infections in 2016. According to Sucuri, the top reasons for those infections include poor system administration, outdated software, and poor credential management.
In this post, I will show you how to reinforce your WordPress installation’s security by leveraging two-factor authentication.
Why Two-Factor Authentication?
The term “two-factor authentication” describes the process of requiring two digital transactions to verify a user’s identity. Plenty of brick and mortar companies implement this by requiring biometric data or a specialized ID device.
In the online world, however, two-factor authentication is usually carried out through digital communication channels – be it an email service or SMS.
Simply put, two-factor authentication is like adding a second layer of defense to your WordPress security. Rather than depending solely on your password, you can further protect the safety of your WordPress account by requiring an extra authentication method that is, hopefully, out of reach to hackers.
Without further ado, here are the steps on how to quickly implement two-factor authentication in your WordPress installation.
Using Google Authenticator by miniOrange
The easiest way to implement two-factor authentication in WordPress is to use a plugin. Google Authenticator by miniOrange is one of the best tools for this job.
Here, you can view all your options when verifying your WordPress login session. By default, the active method is authentication via email verification. It works the same way as the email verification process you did when activating the plugin.
But instead of receiving an OTP, you will be provided with “accept” and “deny” links, which you can click to approve a login.
You will then be prompted that a verification email has been sent. Go ahead and check your email inbox for the approval link. Look for the header: “Your Requested One Time Passcode.”
The email should look like:
Other Authentication Options
Aside from email verification, miniOrange also supports authentication via QR Code, SMS, Security Questions, Push Notification, and through apps like Authy and Google Authenticator.
Here’s a brief overview of these additional methods.
Enabling SMS Authentication
To opt for SMS authentication, head back to the Setup Two-Factor page and select ‘OTP Over SMS.’ This will lead you to the phone number verification page.
Just remember that SMS authentication is only available to free users for up to 10 logins. If you want to keep on using their service, then you should consider upgrading to the paid version.
On the plus side, premium users will also be able to use verification via phone call. This is, by a clear mile, one of the most secure options you can have for two-factor authentication.
Enabling Soft Token Authentication
The next option is the authentication via “Soft Token,” which is a 6-digit code generated by the miniOrange Authenticator App.
To start, you must first download the app to your device through the appropriate app store.
Next, scan the QR code on screen to view register your mobile device. When successful, you should now see a green ‘Authenticate’ button in the main app’s interface. Use this button whenever you log in to your WordPress account.
It’s worth noting that the ‘QR Code Authentication’ method has a similar setup process to the ‘Soft Token’ method. Both can be done through the miniOrange app, but instead of generating a 6-digit code, you will be required to scan a QR code whenever you log in to WordPress.
The main disadvantage of these methods is that you may get locked out of your WordPress account in case you lose your phone, leave it at home, or run out of battery. As a failsafe, you can configure security questions as an alternative authentication method.
Setting Up Security Questions (Knowledge-Based Authentication)
To set up the security questions for knowledge-based authentication, head to the Setup Two-Factor page and select ‘Security Questions (KBA).’
If you’re satisfied with your security questions, click the ‘Save’ button and you’re good to go.
Using Other Mobile Authentication Methods
Two-factor authentication using your mobile device is indeed a handy way to secure your WordPress account. If for some reason, you dislike the authentication process via the miniOrange app, you can use the Google Authenticator or the Authy 2-Factor Authentication methods instead.
Both apps work the same way as the Soft Token method, wherein you are required to input a unique 6-digit code whenever you log in.
Do you agree that security is one of the pillars of online success? Then you shouldn’t stop at the front-end of your operations. If you currently use shared hosting, learn how to effectively protect yourself from hackers.