How to Enable Two-Factor Authentication in WordPress

In Blog by Jerad Hill2 Comments

Security has never been more important than it is today. Every day you hear of a new company falling victim to a hacking of their website or social media account. Those of us who run WordPress as a content manager or even as the platform for our entire website need to look at security and how to manage it. WordPress is a pretty secure platform, but those who know what they are doing can easily find a way into your website where they can wreak havoc on your data or post malicious content to your live website.

There are many WordPress plugins that help make your website more secure. In this post, I am going to cover How to Enable Two-Factor Authentication in WordPress. The number one point of entry into a website is through the login form. Many people have simple passwords that are easy to guess. I have been using WordPress and other platforms for years and some of the passwords my clients choose are unfortunately laughable. I understand where they are coming from though. Nobody wants yet another password they have to remember. This is where two-factor authentication comes in with WordPress.

Two-Factor Authentication puts another layer of security between hackers and your WordPress website. If a hacker was successfully able to guess your password, they would not be able to make it past the second layer of security which is linked to your smartphone in the case of this tutorial. Here is how two-factor authentication works as I will describe below:

  1. Login to your WordPress website using the same login form you have been used to using.
  2. The authenticator sends a notification to your phone with a randomly generated numerical code to enter into the next screen on your website.
  3. You are now logged in as normal.

Hackers may be able to guess your “cats name” password, but they don’t have your smartphone and will not be able to spoof that randomly generated code that expires after 20 seconds. There are many different forms of two-factor authentication out there, but I am a fan of using a service from a company named Authy. I like their service because I can use their free smartphone app to manage two-factor authentication from other websites that support it such as Facebook, Buffer, Google, Dropbox, Microsoft, Gmail and more. Using Authy with your WordPress website is not free but on average Authy estimates their service costing you about $0.25 per month per user. That is extremely cheap and well worth the tiny investment. Authy is deployed on PCI DSS Level 1 and ISO 27001
service providers. All of their systems have been designed with a series of technologies to prevent and detect unauthorized access.

Setting up Two-Factor Authentication in WordPress with Authy

Step 1: Install the Authy Plugin for WordPress:
You can install the Authy Plugin for WordPress by going to Plugins in your WordPress Admin menu, choosing Add New, search for “Authy Two Factor Authentication” and then install the plugin. Make sure that you installing the plugin that is from Authy and not another developer. I have no experience with Authy plugins other than the plugin developed by Authy. Authy Two Factor Authentication Plugin: https://wordpress.org/plugins/authy-two-factor-authentication/

Authy Two Factor Authentication WordPress Plugin

Step 2: Activate the Authy Plugin for WordPress.

Step 3: Go to Authy.com and sign up: http://www.authy.com/signup

Step 4: Download the Authy App to your smartphone. Download for iOS | Download for Android

Step 5: Generate the API Key. From your Authy Dashboard, generate an application api key. I titled my application for my personal blog “WP – JeradHill.Com”

Authy Dashboard

Step 6: Enter the API Key. Go to the Authy Plugin Settings in WordPress and enter the API Key.

Authy Two-Factor Authentication Plugin Settings

Step 7: Enable Two-Factor Authentication. Go to your user profile on WordPress and enable Two-Factor Authentication.

Enable Authy Two-Factor Authentication in WordPress

The last step is important. If you do not enable two-factor authentication for your user account, you will not have it. It is also important to note that it must be turned on for each user. If your WordPress website has other users that do not activate two-factor authentication, hackers may be able to access their account and gain access to your website. I would make sure that all users who have Administrator or Editor privileges on your WordPress website have two-factor authentication activated.

You will have to logout and then log back in to try it out. Here is what you will see after you enter your normal username and password.

Authy Two-Factor Authentication Token Login Form

You can access your Authy Token a variety of ways. I use the Authy Smartphone app that I have installed on my Android Phone. Your phone will get a notification within seconds of the request for the token or you can just open the app. The authentication token will be displayed on your phone and you can enter it into your browser. Alternatively to the smartphone app is a Google Chrome extension that makes it easy to authenticate as well.

Here is a screenshot from my Android phone. This token refreshes every 20 seconds so you have to type it in fast.

Authy Two-Factor Authentication WordPress Android

Here is a screenshot from my desktop. I am using the Google Chrome browser with the Authy Chrome Extension installed. The Chrome Extension makes it even easier to authenticate because you don’t need your smartphone handy to generate a authentication code.

Authy Authenticator with Google Chrome Extension

Using Authy to add Two-Factor Authentication to your WordPress website is easy and logging in is easy as well. It is a simple process that will save you the headache of having to restore your website should a hacker get in and ruin everything Setting up Two-Factor Authentication makes it a lot harder for hackers to access your WordPress website. They may give up and move on to the next target.

Best of luck. If you need help setting this up or help with WordPress in general, please reach out to us.

Comments

  1. Hello Jerad,

    I found your walk through on Authy extremely helpful, I have a question though, I have created a custom login page on my wordpress site and have enabled authy for myself, when I login through the custom login page I am redirected to the page (5th screenshot from the top) where I am asked for the authy key after entering the valid authy key I am still not being able to login to the site, can you point me into the right direction here, how do I solve it and what might be the problem.

    Thanks,
    Manish

    1. Author

      Is there some sort of other login redirect happening? Does your theme make any changes to the original login page?

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.