Two-factor Authentication on WordPress

Implementing Two-factor Authentication on WordPress

We are always supportive of any effort to further bolster security and make it harder for a hacker to gain access to your website.

Website security is not a single thing, it’s a series of layers. Just as castles of old were built up as layers around the Keep, so should your website have layers built around your most precious possession, access to the admin section of your site.

In previous articles we discussed:

  • Your weakest link is your password: learn about password security.
  • Make sure your website is served over HTTPS (an SSL/TLS certificate).

All of these are important layers, but there are additional, more in-depth steps you can take that will make it much more difficult for bad actors to access your site. I highly recommend these steps, especially if you have been trusted with your users’ personal information.

One of these steps is “Two Factor Authentication”, or 2FA.

2FA is not a new security concept. For decades, financial institutions have relied on “Fobs” (small devices you can attach to your keyring that have a display and give an ever-changing number) as an additional factor in logging in.

The overarching security concept is “Something you know, something you have, something you are.” In 2FA, we pick two of these. When you log into a website without 2FA, you only use the “something you know” – the login and password. Regardless of how strong you think those are, they can be phished, guessed or leaked in a breach of some other site where they were reused. 2FA adds a layer on top of that, the “something you have”.

These days, instead of having to issue each admin user a fob, we have smartphones and software that can take the place of fobs. If you have a modern smartphone (one made in the last 5 years) it can run an app that functions as the “something you have”.

The most commonly used – although by no means the only – app for 2FA is “Google Authenticator”. It is popular because it is free and available for both Android and iOS. It implements the open TOTP standard (RFC 6238), so the codes it produces are interchangeable with other standards-based authenticator apps, and any WordPress 2FA plugin that supports TOTP will work with it. Before you go down the road of 2FA, make sure that Google Authenticator, or a compatible authenticator app, is available for your phone.
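To make concrete what the fob or authenticator app is actually doing, here is an added example, written for this article and not taken from Google Authenticator or any WordPress plugin, of the TOTP algorithm (RFC 6238) that those apps implement. It goes a little beyond the text: besides generating the “ever-changing number” it shows the server-side check, including the clock-drift window and a constant-time comparison. The 30-second step, six digits, HMAC-SHA1 and a window of one step either side are the Google Authenticator defaults and are assumed here; the key and codes in `rfc6238_vectors_pass` are the published RFC 6238 Appendix B test vectors, and the secret produced by `new_secret` is constructed at random for the demo.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30  # RFC 6238 default time step (Google Authenticator uses this)
DIGITS = 6         # default code length shown by authenticator apps

# Test key from RFC 6238 Appendix B (the SHA-1 rows), ASCII digits 1..0 twice.
RFC6238_KEY = b"12345678901234567890"


def new_secret(nbytes: int = 20) -> str:
    """Generate a fresh shared secret, base32-encoded as authenticator apps expect it.

    This is what a plugin encodes into the QR code when you enrol a phone."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def secret_to_key(secret: str) -> bytes:
    """Decode a base32 secret (as typed or scanned into the app) to raw key bytes."""
    return base64.b32decode(secret.strip().upper())


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of steps since the Unix epoch.

    Phone and server share only the key and the clock, so no network is needed
    to agree on the code; this is why the fob works without any connectivity."""
    return hotp(key, at_time // step, digits)


def verify_totp(key: bytes, submitted: str, at_time: int,
                digits: int = DIGITS, window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check of a code typed in by the user.

    Accepts the current step and up to `window` steps either side to tolerate
    small clock drift between phone and server. Uses a constant-time compare so
    response timing does not reveal how many digits were right."""
    submitted = submitted.strip().replace(" ", "")
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = at_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), submitted):
            return True
    return False


def rfc6238_vectors_pass() -> bool:
    """Check our implementation against the 8-digit SHA-1 vectors in RFC 6238 Appendix B."""
    vectors = [(59, "94287082"), (1111111109, "07081804"), (1111111111, "14050471"),
               (1234567890, "89005924"), (2000000000, "69279037"), (20000000000, "65353130")]
    return all(totp(RFC6238_KEY, t, digits=8) == code for t, code in vectors)


if __name__ == "__main__":
    secret = new_secret()                 # what the QR code carries at enrolment
    key = secret_to_key(secret)
    now = int(time.time())
    code = totp(key, now)
    print("shared secret (base32):", secret)
    print("code right now:", code, "-> accepted:", verify_totp(key, code, now))
    stale = totp(key, now - 3 * STEP_SECONDS)
    print("code from 90 s ago:", stale, "-> accepted:", verify_totp(key, stale, now))
    print("RFC 6238 test vectors pass:", rfc6238_vectors_pass())
```

Note what the window buys and costs: a code from the previous 30-second step is still accepted, which is what lets a user type a code just as it rolls over, but it also means each code is valid for up to 90 seconds. A real plugin should additionally remember the last counter it accepted for a user and refuse to accept it twice, so a code observed over someone’s shoulder cannot be replayed within that window.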

Just be careful: 2FA adds friction at login, so it should be required on administrator and editor accounts rather than forced on your customers’ accounts.

We have all the software available to implement this for you at no extra cost whatsoever. Just drop us a line or call to discuss.

That’s it. It should take about 10 minutes to get a 2FA plugin set up and operational and get your administrator account hooked up. Once it is on, a stolen login and password is no longer enough on its own; an attacker also needs the phone that holds the secret. Two caveats: store the backup codes the plugin gives you somewhere safe, because a lost or replaced phone otherwise locks you out too, and check that the plugin also protects (or that you have disabled) any alternative login routes such as XML-RPC, which can otherwise accept a bare password.

One final word: some 2FA systems are not based on apps but on text messages sent to your phone with the codes. These are the weakest option, because a text can be redirected by persuading your mobile operator to move your number to a new SIM (a “SIM swap”) or intercepted in transit, and NIST’s digital identity guidelines now class SMS as a restricted authenticator. Avoid these systems and use ones that have an app.

We are fanatical about making things as secure as possible. DoodleIT have been working with websites since 2003 and provide web design in North Wales.