Have you ever tried to use an ATM with just your ATM card and not your PIN? How about no ATM card and just your PIN? As I’m sure you know, you wouldn’t be able to get your money. That’s because your ATM requires you to use something you have (ATM card) and something you know (the PIN). If the ATM only required one or the other, it would be much easier for someone to get your money.
In the same way, if your WordPress site only requires the username and password (things you know) to log in, then if someone captures that info, they’ll be able to log in. But if your site also requires something you have, such as a code from your phone, that makes it much harder for someone to log into your account. This is known as two-factor authentication (sometimes written 2FA). Let’s look at how to add another layer of security to your WordPress site.
Add Two-Factor Authentication to WordPress, Using Google Authenticator
So, you’ve decided to add two-factor authentication to your WordPress site, right? Good! First, you need an authentication plugin. I recommend the Google Authenticator plugin, which works with the Google Authenticator app on your phone. If you don’t have Google Authenticator on your phone, I’ll tell you how to get it later.
If for some reason you don’t like the Google Authenticator plugin, there are several other two-factor authentication plugins in the WordPress Plugin Directory. Here are the next most popular:
- Google Authenticator – WordPress Two Factor Authentication (2FA)
- Two Factor Authentication
- Duo Two-Factor Authentication
Install and activate the plugin you choose.
Next, you need to add your website to Google Authenticator. Here’s how to do that with the Google Authenticator plugin. The process is similar for other two-factor authentication plugins.
- In WordPress, in the top right corner, click Howdy [your name] to go to your profile.
- Scroll down to Google Authenticator Settings.
- Check the box for Active.
- Enter a Description. I suggest the name of your website, or WordPress (if this is your only WordPress account).
- Click Show/Hide QR code.
- In Google Authenticator, click the plus icon to add an account, and choose Scan a barcode. If your phone can’t scan a QR code, then choose Enter a provided key and type in the Secret shown on your profile page.
- Save the Secret somewhere secure, in case you need it to add the account to Google Authenticator again in the future, and you can’t get into your WordPress site. I suggest storing it in a password manager such as LastPass.
- Scroll to the bottom of your profile and click Update.
Log into WordPress Using Two-Factor Authentication
Now that you’ve enabled two-factor authentication for your website, here’s how to use it when you log into WordPress.
- Open your WordPress login page (usually yourdomain.com/login).
- Enter your WordPress username and password.
- Open Google Authenticator on your phone, and find your website in the list of accounts.
- Type the code shown in Google Authenticator into your WordPress login page, in the Google Authenticator code field.
- Log in!
Additional Tips for Two-Factor Authentication
I recommend that every Administrator account on your WordPress site use two-factor authentication. It wouldn’t hurt to use it for other accounts too, but because the Administrator role has the most power, accounts with that role are the most critical to protect.
Don’t activate two-factor authentication for other users; ask them to do it themselves, so they can use their own phones.
If you get a new phone, install Google Authenticator and add your WordPress account to it before discarding your old phone, if possible.
While you’re at it, you can learn more ways of protecting your WordPress login in our post How to Secure WordPress Login & Admin Area.
How to Add Google Authenticator to Your Phone
Google provides instructions for installing the Google Authenticator app on your phone, whether it’s running Android or iOS (Apple products).
How to Use Two-Factor Authentication on Other Websites
I highly recommend enabling two-factor authentication for other accounts that are related to your website or online marketing. A few examples:
- Web host
- Domain registrar
- Email marketing (MailChimp, Constant Contact, etc.)
- Social media (Facebook, Twitter, etc.)
- Ecosystems (Google, Apple, Microsoft, etc.)
- Password manager (LastPass, 1Password, etc.)
- E-commerce (Stripe, PayPal, etc.)
- Content Delivery Network (CDN) (Cloudflare, MaxCDN, etc.)
Really, you should seriously consider using two-factor authentication for any accounts that offer it.
Look in the Security and Privacy sections of your Settings, or under Account or Profile. You may see it called two-factor authentication, two-step verification, security codes, 2FA, or multi-factor authentication (MFA), and you may see the words code or token.
If you can’t find the option within a few seconds, look up the site on turnon2fa.com and twofactorauth.org. Those sites have instructions for enabling two-factor authentication on many websites. If one of your accounts doesn’t offer it as an option, contact the company and ask them to enable it, for the sake of the security of its users.
Interested in Internet Security?
If you’re interested in Internet security, check out the educational resource Defending Digital!
Concerned About the Security of Your WordPress Site?
It’s an unfortunate reality that WordPress websites are frequently targeted by hackers. You’re wise to enable two-factor authentication to increase your site’s security. If you’d like the peace of mind of knowing that WordPress experts are taking care of your site’s security, contact us!