WordPress Two-Factor Authentication: Setting up and Best Plugins (Explained and Compared 2017 Edition)
Worried about WordPress security? Don’t panic: here is an easy way to add two-factor authentication and make your WordPress login safer.
More often than not, we reuse one and the same password across websites: easy to remember, easy to hack! WordPress is one of those sites. So why consider a WordPress two-factor authentication plugin when WordPress already has one-factor authentication?
Well, read on.
What is Two-Factor Authentication?
Two-Factor Authentication (2FA) is a method that confirms whether or not a user is legit, by combining two different, unrelated components. Usually, the two components are:
- Knowledge – something the user must know, e.g. a PIN or a password
- Possession – something the user must have, e.g. an OTP sent to another device, a security key or a token
Previously, users could log in with the knowledge factor alone; however, weak or reused passwords made it easy for attackers to obtain sensitive information. Combining the two factors (knowledge and possession) was therefore introduced, because it is highly unlikely that an attacker can obtain both a user’s password and the device the user possesses.
WordPress Two-Factor Authentication
WordPress allows users to log in through one-factor authentication i.e. via passwords. A user can increase their website’s security by installing a plugin, which gives them the two-factor authentication feature. There are several plugins widely available and can be found in the plugin tab on the WordPress Dashboard. On installing a plugin, a user needs to activate it and follow the instructions that are prompted. It’s an easy procedure offering a better chance at security.
Why move from One-Factor to Two-Factor Authentication?
Although one-factor authentication is easy to use and saves time, it is no longer secure enough. 2FA rests on the fact that an attacker is unlikely to hold both factors required to access an account. Passwords of varying strength, with symbols and special characters, and generic security questions have become of little use, since they can be guessed, phished or leaked. With 2FA, if either factor fails, access is denied and the account stays locked. 2FA provides additional security, which is why many government and banking services have moved from 1FA to 2FA.
Top 10 WordPress Two-Factor Authentication Plugins Comparison Chart
| Plugin/Features | Active Installs | Rating | WordPress Compatibility up to | Mobile App | OTP/Callback | Push Notifications |
| --- | --- | --- | --- | --- | --- | --- |
| Google Authenticator – Two Factor Authentication | | | | | | |
Note: This plugin is not functional and has been discontinued as per the official announcement. We suggest you pick any other plugin from the list below.
Clef is a secure plugin that stores WordPress login details on the user’s Clef device in encrypted form and recognises websites using RSA public-key cryptography.
- Login details for the user’s account are saved on the Clef device rather than in the cloud, so that if Clef’s servers are breached the user’s login credentials remain safe.
- Extra security measures include a four-digit PIN protecting the Clef app and an activity stream listing the Clef activity of all users.
- The Clef server has to be running correctly for you to complete the login procedure, and you must have your smartphone with you and in working order.
Shield WordPress Security offers two methods of two-factor authentication and uses email as the basis of verification to ensure that a user attempting to log in to WordPress is legitimate.
- Two methods of two-factor authentication, i.e. Email and Yubikey, give users the chance to explore multi-factor authentication.
- The two methods of email verification offered are IP address based and cookie based authentication, which can be configured per type of WordPress login.
- After a free trial, the user must buy Shield WordPress Security to continue usage.
The Google Authenticator plugin for WordPress gives the user two-factor authentication, i.e. the user must enter their password along with a code from the Google Authenticator app installed on their smartphone.
- Provides extra security, because it is unlikely that an attacker both knows the user’s password and holds their personal device.
- It is easy to use, and most people are already familiar with this form of two-factor authentication.
- The user must have a working smartphone with them when they try to log in, otherwise logging in can be troublesome.
The Duo two-factor authentication plugin for WordPress allows users to verify their identity using their mobile phones or hardware tokens.
- Multiple ways to generate or receive authentication passcode, which means, users can use Push Notifications, Security Tokens, SMS Passcodes, Phone Callbacks, TOTP or a U2F Device to log in.
- Easy to set-up, and use. Duo does not require the user to have a mandatory smartphone because it offers multiple authenticating options.
- A bit cumbersome for users who only wish to use Duo Push, since they still have to go through the setup that a business deployment of Duo Security requires.
The miniOrange Authenticator WordPress plugin allows the user to identify themselves using push notifications to their miniOrange app, via an OTP sent by email, or by answering security questions.
- miniOrange has a built in PIN-Protection and the app encrypts all the data it has stored unlike Google Authenticator, which stores data in plain text.
- It also supports device identification, such that the user does not need to log in through two-factor authentication over and over from the same device.
- Device identification may lead to a security breach in the event that a user loses their device.
OpenID allows users to log in to their WordPress account or leave comments using their OpenID. Being an open standard, OpenID lets users authenticate to websites without having to create a new password.
- OpenID makes it easy to use and saves time when trying new features.
- Users can make their sites into an OpenID provider, which makes it easy and appealing to vast audiences.
- Security concerns are still present when it comes to OpenID and the login procedure is very confusing, as it takes the user to another site.
Rublon is a two-factor authentication plugin that sends the user a link via email the first time they log in to their WordPress account from a new device; after that, users can log in to their accounts with their WordPress passwords alone.
- Very easy to use, Rublon saves time and confirms a user’s identity with just a single click.
- Rublon mobile app also provides additional security by letting the user scan a Rublon code to confirm their identity.
- Rublon for WordPress plugin uses the free Personal API which provides protection to only 1 account for a website. To protect more accounts, the admin would have to buy the Rublon Business API.
The Two-Factor Authentication (TFA) plugin for WordPress uses the industry-standard TOTP or HOTP algorithms to create one-time passwords, which are sent to the user’s email or mobile phone.
- TFA is available to admins, can be turned on or off as needed, and is shown only to users that have TFA enabled.
- Emergency codes can easily be procured on the off chance that a user loses his/her phone.
- It requires the user to have access to their mobile phone or email every time they wish to log in to their WordPress account.
The Authy plugin, when added to WordPress, prompts the user to complete an additional step when trying to log in to their account. This additional step can be an OTP or a push notification.
- Authy is easy to install, use and requires little or no security knowledge. Users can make use of the Authy app or get the security token via SMS or phone call.
- It is an open source plugin and very similar to TFA and Google Authenticator.
- Authy is an external security system. Each time a user wishes to log in, an HTTP request is sent to authy.com which decides to give access or deny access to the users, unlike other systems which let the admin control the authentication decision.
The Wordfence two-factor authentication plugin is available to WordPress admins and publishers, so that they can log in to their accounts with their passwords along with an authentication code sent to their mobile phones.
- Safe, secure and easy to use, Wordfence two-factor authentication not only protects the login procedure but also locks out brute-force attacks and checks the strength of all user and admin passwords.
- Scans all posts and comments and provides a real-time view of all traffic, including automated bots.
- In order to access all the features along with two-factor authentication, a user needs to purchase a premium Wordfence key.
Setting Up WordPress Two-Factor Authentication
For the purposes of this demonstration, we’re using the Clef two-factor authentication plugin. It is a fun way to log in to your account: all you have to do is hold up your phone to your computer screen and you’re in! What makes it such a great plugin is that it is very easy to enable for your WordPress account.
Step 1: Log in to your WordPress dashboard.
Step 2: From the left side menu, select the Plugin option.
Step 3: Select the Add New option on the Plugin page and search for Clef.
Step 4: Install the Clef Plugin and when the plugin completely installs, click on the activate plugin option.
Step 5: When Clef activates, click on the Get Started option.
Step 6: Download the Clef app on your smartphone.
Step 7: Hold up your smartphone and sync the Wave on your phone with the Wave on the screen.
Step 8: Once you sync your phone with your account, follow the prompts on the screen to add users, or allow users to register with their smartphones.
Bonus: WordPress Multi-Factor Authentication Plugin – COVR
Covr is a plugin for WordPress that can easily be configured and enabled to provide multi-factor security. It identifies users with two pieces of information and is designed to give users confidence that their site is protected from cyber-attacks.
- Covr uses users’ smartphones as verification tools. Whenever a user wishes to log in, a push notification is sent to the Covr app on the admin’s phone, notifying them of the login request, which can be denied if an impostor tries to access the website.
- Covr lets the user take control of their website without relying on third-party systems.
- The user must have their smartphone with them at all times in order to accept or deny access requests.
As the world enters a new digital stage, it is inevitable that cyber-crime will keep rising. One false sense of security that users tend to have is that, in this insecure world, they themselves would not be under attack. However, our work, identity, personal and financial information is all out there, and any of us can be hit by an attack. The only way to protect yourself is to be prepared. Two-factor authentication is one such lock against bots and impostors that try to attack your website. On enabling 2FA, you secure your account not just with your password but with a second key that is very unlikely to be in the hands of the attacker.
Which brings us to the question: which two-factor authentication plugin is best for WordPress? Our pick would be Duo. The first reason is that it is extremely easy to install and set up. The second is that it offers multiple ways to generate or obtain passcodes, namely push notifications, SMS, phone callbacks, TOTP, security tokens or U2F devices. It is also free! With so many options, if you have an account that multiple users share, you can add this plugin without having to worry about whether or not every user has a basic working smartphone. Now, after all that, if you are looking to secure your website from malicious cyber-attacks and the inevitable loss of all your hard work, download TemplateToaster, a WordPress Theme Builder for designing WordPress themes without the hassle of coding, while providing full compatibility with all the plugins mentioned in this article.