WordPress two-factor authentication (2FA) is an important security measure that helps protect your WordPress website from unauthorized access. It adds an extra layer of security to your login process by requiring users to enter a one-time code in addition to their username and password. This code is usually sent to the user’s mobile device or email address. By requiring two pieces of information to log in, it makes it much harder for hackers to gain access to your website. 2FA also helps protect against brute force attacks, which are attempts to guess a user’s password by trying different combinations. With two-factor authentication, even if a hacker is able to guess a user’s password, they still won’t be able to access the website without the one-time code.
We take security very seriously here at Kinsta and that’s why we offer two-factor authentication for all of our WordPress hosting clients. Nothing could be worse than someone hijacking access to all of your sites! This feature is available in our MyKinsta dashboard and we highly recommend everyone take advantage of it. Today we will dive into why WordPress two-factor authentication is important, how our 2FA feature works, and a great free way to set up two-factor for your WordPress site itself.
Why Two-Factor Authentication Is Important
If you take a look at the top CMS platforms such as Joomla!, Drupal, and Magento, WordPress leads with over 65.1% of the market share. Because of that popularity, it is also attacked more than the others. You can’t really say that one platform is more secure than another; more attacks occur mainly because of the sheer volume of WordPress sites out there.
Another reason is unskilled website owners. WordPress has always been great because almost anyone can pick it up and start using it, but that also means a lot of beginners are most likely leaving back doors wide open by not patching, not locking things down with correct file permissions, and so on.
Wordfence surveyed a large number of WordPress site owners in 2016 and asked them to answer the following question: “If you know how your site was compromised please describe how the attackers gained access.” 61.5% responded saying they didn’t know how the attacker compromised their website.
They also ran another survey to see what attackers do with compromised WordPress sites. According to the results, 25% are typically taken offline or defaced. This is probably one of the worst things that could happen if you run a WordPress business. That is why you should implement security measures first, not after.
There are many ways to lock down a WordPress site; one simple tweak is to change your WordPress login URL. This instantly reduces the number of failed login attempts against your site from bots and scripts that constantly scan the web looking for a way in. But one of the most important things is simply to choose a complex password.
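The failed login attempts mentioned above are visible in the web server access log long before any plugin reports them. The following script is an added example (not Kinsta’s or WordPress’s code) that parses combined-format Apache/Nginx log lines, keeps a one-minute sliding window of POSTs to the login form per client IP, and flags sources that exceed a threshold. The log lines, IP addresses and timestamps are constructed for the example, and the script assumes lines arrive in chronological order as they do in a real access log.

```python
"""Flag password-guessing bursts against wp-login.php in web server access logs.

Added example; this is not Kinsta's or WordPress's code. It parses
combined-format (Apache/Nginx) access log lines, keeps a sliding window of
login POSTs per client IP and reports sources that exceed a threshold.
All log lines below are constructed; they are assumed to be in chronological
order, as they are in a normal access log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths that serve the login form. If you rename the login URL, add the new
# slug here; bots hitting the old path only ever see 404s after that and
# never reach this counter at all.
LOGIN_PATHS = {"/wp-login.php"}


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop ?redirect_to=... etc.
        "status": int(m.group("status")),
    }


def find_bruteforce_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak_attempts} for IPs with more than `threshold` login
    POSTs inside any `window`-long span. Peak is the largest count observed."""
    recent = defaultdict(deque)  # ip -> timestamps of login POSTs still in the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while rec["time"] - q[0] > window:  # expire entries older than the window
            q.popleft()
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def _entry(ip, second, method, path, status):
    """Build one constructed combined-format line at 13:55:<second> UTC."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"')


# Constructed sample: one source hits the login form seven times in 30 s,
# a legitimate user logs in once (302 redirect to wp-admin), plus ordinary GETs.
SAMPLE_LOG = [
    _entry("203.0.113.5", s, "POST", "/wp-login.php", 200) for s in range(0, 35, 5)
] + [
    _entry("198.51.100.7", 32, "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 302),
    _entry("198.51.100.7", 34, "GET", "/", 200),
    _entry("203.0.113.5", 40, "GET", "/wp-login.php", 200),
]

if __name__ == "__main__":
    for ip, hits in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {hits} login POSTs within one minute")
```

Feed the real log with `find_bruteforce_sources(open("access.log"))`; the threshold and window are deliberately conservative because a single user mistyping a password a few times should not be flagged.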
Sounds pretty easy, right? Well, check out SplashData’s 2018 annual list of the most popular passwords stolen throughout the year (sorted in order of popularity).
That is right! The most popular password is “123456”, followed by an astonishing “password”. That is one reason why here at Kinsta on new WordPress installs we actually force a complex password to be used for your wp-admin login (as seen below on our one-click install process).
Security starts with the basics. Google has some good recommendations on how to choose a strong password. And one of their recommendations is to enable two-factor authentication.
Two-factor authentication is a two-step process in which you need not only your password to log in but also a second method, generally a text message (SMS), phone call, or time-based one-time password (TOTP). In most cases this is 100% effective in preventing brute force attacks against your WordPress site. Why? Because it is almost impossible for an attacker to have both your password and your phone.
Check out more below on how to enable WordPress two-factor authentication.
Kinsta Two-Factor Authentication
Here at Kinsta, we take user security very seriously. To help our customers protect their MyKinsta accounts and WordPress sites, we offer Authenticator-based 2FA support.
Compared to the traditional SMS-based 2FA method, which sends login codes via text message, our Authenticator-based method uses dynamically generated codes in Google Authenticator, 1Password, and other 2FA apps. This means your 2FA configuration is protected against attacks such as SIM swapping, which hijack your phone number rather than your phone.
We recommend enabling 2FA for all of your Internet services that support it. To enable two-factor authentication in MyKinsta, check out our knowledge base article.
Enable WordPress Two-Factor Authentication
Now that you have your Kinsta dashboard secured, you can also enable WordPress two-factor authentication on your website. We recommend one of the following two plugins.
Two Factor Authentication
The Two Factor Authentication WordPress plugin is developed by the same authors as UpdraftPlus, the popular backup plugin. It supports the standard TOTP and HOTP protocols (Google Authenticator, Authy, and many others). There is both a free and a premium version.
It currently has over 10,000 active installs with a 4.5 out of 5-star rating and features the following:
- Graphical QR codes for easy mobile scanning
- Includes support for the WooCommerce and Affiliates-WP login forms
- WordPress Multisite compatible (plugin should be network activated)
- Emergency codes and premium design layouts (premium version)
If you’re looking for a completely free solution, the Google Authenticator WordPress plugin works great. Note that this does mean you will be bouncing between two different apps; decide which is the most time-effective for your environment. If you want to stick with one app, upgrading to their starter plan might be the way to go. We will use the free Google Authenticator plugin in this example.
The Google Authenticator plugin has 30,000+ active installs with a 4.5 out of 5-star rating. It’s completely free and you can set it up for an unlimited number of users. Most other auth plugins have limitations in place unless you upgrade to a paid plan. You can download the Google Authenticator plugin from the WordPress repository or by searching for it within your WordPress dashboard under “Add New” plugins.
Once installed, click on your user profile, mark it active, and create a new secret key or scan the QR code.
You can then use one of the free Authenticator apps on your phone.
After enabling this, logging in requires your normal password plus the code from the Google Authenticator app on your phone. You will notice an additional field on your WordPress login page. This plugin is also fully compatible with the plugin we recommended earlier for changing your WordPress login URL.
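To make concrete what the TOTP/HOTP protocols mentioned above actually are, and what the secret key and QR code from the setup step carry, here is an added example in Python. It is not code from the Google Authenticator plugin, UpdraftPlus or Kinsta; it implements HOTP (RFC 4226) and TOTP (RFC 6238), the unpadded base32 form of the secret shown for manual entry, the `otpauth://` URI that the QR code encodes, and a server-side check with a small clock-skew window and replay protection. The issuer and account names are constructed; the secret is the RFC test-vector value so the output can be checked against the RFCs.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as used by Google Authenticator-style apps.

Added example; not code from the Google Authenticator plugin, UpdraftPlus or
Kinsta. It shows the pieces the setup above involves: the shared secret
(shown as base32 or encoded in the QR code's otpauth:// URI), the six-digit
code the phone derives from that secret and the clock, and the server-side
check with a clock-skew window and replay protection. Issuer and account
names are constructed; the secret is the RFC test vector.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

RFC_SECRET = b"12345678901234567890"  # RFC 4226/6238 test-vector secret


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of `step`-second periods elapsed."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, step=30, window=1, last_counter=None):
    """Server-side check. Accepts the code for the current period or up to
    `window` periods either side (phone clock drift), compares in constant
    time, and refuses any counter <= last_counter so a code that already
    logged someone in cannot be replayed. Returns the accepted counter or
    None; the caller stores the accepted counter as the new last_counter."""
    now = unix_time // step
    for delta in range(-window, window + 1):
        counter = now + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def secret_to_base32(secret):
    """The form shown for manual entry in an authenticator app (unpadded base32)."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def secret_from_base32(text):
    """Reverse of the above; restores padding and ignores spaces and case."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def otpauth_uri(secret, issuer, account, digits=6, step=30):
    """The string encoded in the QR code an authenticator app scans."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_to_base32(secret)}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # Constructed issuer/account names for the demo.
    print(otpauth_uri(RFC_SECRET, "ExampleSite", "admin@example.com"))
    print("code at t=59:", totp(RFC_SECRET, 59))
    print("accepted counter:", verify_totp(RFC_SECRET, totp(RFC_SECRET, 59), 59))
    print("replay rejected:", verify_totp(RFC_SECRET, totp(RFC_SECRET, 59), 59, last_counter=1))
```

Two things the code makes visible that the description glosses over: the phone never talks to the server, so nothing SMS-related (and no phone number) is involved at all, which is why SIM swapping does not help an attacker; and a code is only as secret as the base32 string behind it, so the secret key or QR code shown during setup deserves the same protection as the password itself.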
And that’s it! You now have two-factor authentication on your Kinsta account and on your WordPress website.
We are excited to offer two-factor authentication to Kinsta clients, as this has been one of our most requested features. Securing your WordPress websites just got a little easier! Make sure to check out our more advanced guide on WordPress security to see how to really lock down your site.
Have any questions about how WordPress two-factor authentication works? Feel free to leave us a comment below or open a support ticket from within your MyKinsta dashboard.
QR Code is a registered trademark of DENSO WAVE INCORPORATED in the United States and other countries.