Two Factor Authentication for WordPress

If you’re using a strong password, brute-forcing is a very inefficient way of breaking into your WordPress account, and if it is really strong, dictionary attacks won’t help much either. However, there are other, easier ways for a mischievous person to get their hands on your login credentials, e.g. with phishing, keyloggers or a MITM attack. By using a two-factor solution, you will increase your login security by an order of magnitude.

Enabling two-factor authentication means that to get authenticated you need to provide something you know (your password) and something you have (like your smartphone or a hardware key generator).

Implementations

There is a group of people working to get two factor authentication built right into WordPress. It looks very promising, but until they are release-ready, I suggest you look into one of the following implementations. They will continue to work even if WordPress core gets two factor authentication built-in.

Duo

Duo is a two factor solution used in many enterprise environments, but it is free for up to 10 users. If you lose your phone, you can have backup codes sent to you by SMS.

This is by far the easiest-to-use mobile-based two factor authentication solution I’ve ever tried. After you have entered correct user credentials, you are presented with two options: Duo Push or codes from an SMS text message. The first one will send a push request to your phone and you can approve the login with a single tap directly from the push notification. Brilliant!

The mobile app also works with all other services that use TOTP (same as Google Authenticator).

Their web site: https://www.duosecurity.com/
The WordPress plugin: https://wordpress.org/plugins/duo-wordpress/

With Duo, you can approve the login with a single tap directly from the push notification on your mobile phone.

YubiKey

A popular hardware solution in many enterprise environments, the YubiKey is a hardware USB dongle that generates a one time use code on request. Actually, it is recognised by your computer as a keyboard. When you tap the dongle it will input the keycode wherever your cursor is focused.

The physical YubiKey comes in two flavours, one in the same size as normal USB thumbdrives and the YubiKey Nano which can stay in a USB port at all times, just standing a few millimeters out of the port.

There is no official WordPress plugin from YubiKey, but on their web site they refer to the plugin by Henrik Schack.

Their web site: https://www.yubico.com/
The WordPress plugin: https://wordpress.org/plugins/yubikey-plugin/

My YubiKey Nano – with a pen for size comparison.
YubiKey Nano in my Mac

Rublon

I hear very good things about Rublon. It is pretty much just as easy to use as Duo. To log in, you simply click a link in your email or scan a code on the web page. This means you don’t even need your phone (but please use 2FA for your email account as well).

Rublon is free for 1 account per website.

The WordPress plugin: https://wordpress.org/plugins/rublon/

Clef

I haven’t tested Clef yet, but a while ago I noticed that several people seemed enthusiastic about it.

Their web site: https://getclef.com/
The WordPress plugin: https://wordpress.org/plugins/wpclef/

Authy

Authy is another solution that people seem to like a lot, but I haven’t got around to testing it yet.

Their web site: https://www.authy.com/
The WordPress plugin: https://wordpress.org/plugins/authy-two-factor-authentication/

Google Authenticator

There are actually two plugins that have implemented two factor authentication with Google Authenticator (neither is official). It’s been a long time since I’ve tried either, but I don’t recommend them: if you reinstall your phone, you have no backup means of logging in and will have to disable the plugin – by having another admin do so for you, or using SSH/SFTP to rename the plugin folder.

https://wordpress.org/plugins/google-authenticator/
https://wordpress.org/plugins/wp-google-authenticator/
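
To make the backup problem concrete, here is an added example (not code from either plugin or from this post) of a second-factor check that accepts a TOTP code as used by Google Authenticator (RFC 6238 with HMAC-SHA1, 30 second steps, 6 digits) and falls back to single-use backup codes. The names SecondFactor and new_backup_codes are hypothetical.

```python
import base64, hashlib, hmac, secrets, struct, time

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the time step that contains `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def new_backup_codes(n=10):
    """Return (codes shown to the user once, hashes to store server-side)."""
    codes = [secrets.token_hex(8) for _ in range(n)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}

class SecondFactor:                              # hypothetical helper class
    def __init__(self, secret_b32, backup_hashes):
        self.secret = secret_b32
        self.backup_hashes = set(backup_hashes)
        self.last_step = -1                      # highest time step already used

    def verify(self, code, at=None, step=30, drift=1):
        """Return 'totp', 'backup' or None for a submitted code."""
        now = time.time() if at is None else at
        code = code.strip()
        # Allow one step either side for clock drift, but never reuse a step:
        # a code captured by a phisher or keylogger cannot be replayed.
        for s in range(int(now // step) - drift, int(now // step) + drift + 1):
            if s < 0 or s <= self.last_step:
                continue
            expected = totp(self.secret, s * step, step)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = s
                return "totp"
        # Fallback for a lost or reinstalled phone: each backup code works once.
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.backup_hashes:
            self.backup_hashes.discard(digest)
            return "backup"
        return None
```

Only the hashes of the backup codes are kept on the server, so the codes themselves have to be shown to the user once at enrollment and stored offline.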

Remember: Use HTTPS

Please remember that if you don’t use HTTPS to encrypt the connection between you and WordPress, it is still possible for an attacker to hijack your session.

What’s your experience?

If you’re using two factor authentication for WordPress, please share your experience in the comments – especially if you’re using a method I don’t have any experience with yet :-)
