WordPress Two Factor Authentication (2FA)

Using two factor authentication to keep WordPress site secure.

There are many vectors of attack that can compromise your WordPress website, and the list is growing as hackers are improving their methods. But oddly enough, brute force attacks remain one of the largest and fastest-growing of these threats. Web security firm Sucuri tracks brute force attacks on a daily basis across its network of protected WordPress sites, and the statistics are startling. From January 2015 to February 2016, the daily number of brute force attacks on their network grew by a whopping 833%. You will definitely want someone in your corner who knows what to do if your WordPress site gets hacked.

Graph showing increase in WordPress Brute Force Attacks explains the need for two factor authentication.

Savvy WordPress site owners have traditionally attempted to mitigate brute force and other forms of attacks by securing their sites with passphrases, strong passwords, and SSL. But these techniques alone are not enough. Site owners need to complement these methods with other advanced approaches, and they must do so as cost-effectively as possible. One of these approaches that rather nicely fits the bill is two-factor authentication.

What is Two-Factor Authentication?

What is two-factor authentication?

Two-factor authentication is widely used by many security-minded companies to help protect their users from brute force and other types of attacks that involve compromising user accounts. Examples of industries widely leveraging two-factor authentication include financial services, retailing, and online service providers like email providers. As a matter of fact, chances are that sometime in the last few days you yourself used two-factor authentication without even realizing it.

Simply put, two-factor authentication is a method of verifying a user through a combination of two different forms of authentication. In most cases, the first factor is a username/password combination and the second factor is a token or other form of unique identification. One of the most prevalent examples of two-factor authentication in use today comes from the retailing sector. Do you remember the last time that you paid for groceries using your debit card? The first factor of authentication that you provided was the debit card itself, which you swiped. The second factor was the pin code that you entered into the credit card terminal. Individually these items are not of much use, but when used together they provide access to the money in your account.

There are many different methods of generating and delivering the tokens/passcodes that act as the second factor of authentication.

Modern Methods of Two-Factor Authentication

Modern Methods of 2 step authentication

Modern, online forms of two-factor authentication are quite effective at combating brute force attacks. That’s because they require a second factor to authorize account access that is generated on the fly for one-time use. In general, this involves the account holder supplying a passcode or token that is generated by an application or by the provider directly. The way that the account holder receives or views this authentication token varies, but most commonly it is one of the following methods:

  • An email to a verified email address that contains a token
  • A text message to a verified phone number that contains a token
  • An application like Google Authenticator generates time-based tokens for authentication
  • Other types of applications like Clef provide more sophisticated mechanisms for unique forms of verification

The process is actually straightforward. A user visits a website that they want to log into and supplies their username and password for the site. The site then sends a security token to the user based on one of the methods listed above and then asks the user to enter this token. Sites may offer only some or all of the options noted above for delivery of the secondary token, and the method used is set by the user in their account preferences.

So what happens if a user loses access to the method of delivery that they specified for their secondary token? For example, a user may have selected to receive a text on their smartphone, but had their smartphone stolen. In this instance providers typically offer a one-time recovery code or a set of one-time recovery codes to account holders for use in a situation where a user cannot access their preferred delivery method. Users can print and store these codes for future use if the need arises.

Delivering Two-Factor Authentication on WordPress

The adoption of two-factor authentication by WordPress site owners has been growing significantly in the last couple of years. This has been due in large part to the range of plugins that are now available to quickly and affordably deploy this method. We have assembled a shortlist of some of the leading plugins in use today.


Infographic of Two factor authentication using both a phone and computer.

There is a two-factor authentication feature up for consideration to be merged into WordPress Core 4.6 (pending completion, of course). The Two-Factor project is led by George Stephanis, who is a member of the JetPack team. George also has 19 plugins to his credit including RICG Responsive Images and Update Control, which both boast over 10,000 downloads. Two-Factor still exhibits some slight bugginess, but it is very easy to use and provides support for the following methods of authentication:

  • Time-Based One-Time Password (TOTP)
  • Email
  • Recovery Codes
  • FIDO U2F

Additionally, this plugin gives WordPress administrators the ability to manage, modify and force two-factor authentication options for other users on their site.

Google Authenticator

Google Authenticator

The Google Authenticator plugin provides the Google Authenticator method of two-factor authentication and is very simple to use. Users install the Google Authenticator App on their smartphone and then use it to scan a QR Code that is generated on the WordPress login page of your site. This in turn generates a passcode which is then entered on the login page. The plugin is easy to configure and use, and even offers simple application password functionality and management.

Two Factor Authentication

Secure WordPress login with Two factor authentication (TFA / 2FA)

Secure WordPress login with this two-factor authentication (TFA / 2FA) plugin. Users for whom it is enabled will require a one-time code in order to log in. From the authors of UpdraftPlus – WP’s #1 backup/restore plugin, with over two million active installs.

If you or your clients are looking to add an extra layer of security to your sites, you should definitely take a look at how two-factor authentication can help. With so many plugins to choose from, you are bound to find a solution that meets your needs in terms of security, effort, and cost. You should also keep an eye out for any news relating to the Two-Factor project. Having a solid two-factor authentication solution built right into WordPress will make employing two-factor authentication even easier and will benefit the community as a whole.

Jessica Frick

Jessica serves as the Director of Operations for Pressable and is dedicated to creating the best managed WordPress hosting experience possible. She’s been using WordPress since 2008, has been in WordPress-focused roles since 2010, and currently serves as one of the Make WordPress Hosting team reps. When she’s not working, you can find her spending time with her family, serving in her community, watching hilarious dog videos online, or brewing a pitcher of iced tea.

Related blog articles