Improve WordPress Security with Two-Factor Authentication

The moment you walk into a jewelry store you are greeted by a friendly salesperson. After a few moments they start talking to you about the weather or something going on locally in the news. Once this conversation has started, the salesperson’s goal is accomplished.

See, the salesperson was looking to quickly build rapport with you. After all, if you’re going into a jewelry store, you’re likely going to spend a significant amount of money with them. And it isn’t always easy to find that special connection between the salesperson and the customer. That rapport is going to help the salesperson connect with you so they can truly help you find what you are looking for.

I remember when I walked into the jewelry store to buy the engagement ring for my wife. I had an idea in my mind of what she would like and of course I had a budget in mind. But what I didn’t account for was the different cuts, different types of clarity or color. I wasn’t prepared.

Thankfully, the salesperson was there to help.

The same goes for your website and doing eCommerce. Whether you are running your own store or had someone build you one, the process is similar. You have taken the necessary steps to make your site feel safe.

You make sure that your site was designed to be aesthetically pleasing. The language you use on your site to communicate what you do or what you sell speaks to your visitors. It draws them in. Finally, you make sure your site is running over HTTPS and you have a valid SSL certificate.

Your goal is to make your visitors feel safe.

Though, all too often, you see articles that talk about a website getting hacked and customer data breaches where millions of users have their personal information exploited. Look at the case of Equifax. Over 143 million consumers had their personal information leaked because of a vulnerability that criminals were able to exploit.

Thankfully, there’s a way we can protect our customers and ourselves. There is no way to totally prevent security attacks; they are going to happen in this day and age. But we can at least put extra security measures in place to give everyone accessing our site a better level of comfort.

Enter Two-Factor Authentication

Two-Factor Authentication, or 2FA for short, is an extra layer of security that requires not only a username and password, but also something that only that user has on them: a second piece of information only they should know or have immediately on hand, such as a one-time code from a mobile app or a physical token.

This process makes it harder for intruders to gain access and steal the data of your customers, and of yourself. As recently as 2011, Google announced two-factor authentication for its users, followed by MSN and Yahoo!.

What many people probably don’t know, though, is that this type of authentication requires hardware tokens or special apps (or text messages) to work. The setup process for your customers can be confusing, especially if they are not computer savvy.

However, when your site is running WordPress and you have opened your WP-Admin up to the world, you should take these precautions yourself. If you are running a non-WordPress site you can read more about two-factor authentication on our blog. Thankfully, there are a number of options for you to use.

iThemes Security Pro

Our partners over at iThemes have been consistently improving their Security plugin. Not only does it offer numerous security enhancements to better protect your site, but their Pro version has two-factor authentication built right in.

iThemes Security Pro takes two-factor so seriously that when you first install the pro version of the plugin, you’re greeted with a notice about activating 2FA right away.

The options for 2FA that iThemes Security gives you are the best I’ve seen. You can choose how to get your code, either by mobile app or email. What’s great about this is that if you choose mobile app, you can set up just about any mobile app you want and it will work.

Other WordPress Plugins

If you don’t want to use iThemes Security Pro, or feel that it’s too powerful for your needs, there are a few other plugins we’ve found that work great with our Managed WordPress platform that you could consider. Even if you aren’t using our hosting, these should work on any host that supports WordPress.

Authy

The Authy for WordPress plugin helps increase security for your user accounts by hooking into Authy’s own 2FA service. The configuration for Authy does require you to have a Twilio account (Twilio owns Authy). Under the settings page within WP-Admin, it’s a simple form to fill out with your API key and a few other settings you will need to choose.

What I do like about Authy is that you can easily select the user roles you want to enable 2FA for. This is great because if I was hosting a membership site, I would set up my admins and likely the editors—anyone that was working on the site—with 2FA, but for any of my members, explaining how to set up 2FA seems to be a big headache. I could just see all the support requests that would come in for it. Not to mention, during my testing I didn’t test this with a membership plugin, so I’m unsure if it will display the Authy piece on the front-end when a user accesses their profile. Many membership sites will not allow their members to access the wp-admin.

A final note on Authy. We recently had a customer that was trying to get Authy to work with our Managed WordPress(link to our product page) and we were able to work directly with Authy(link to cosper’s pull request) to help fix their plugin so that it would work better with Managed WordPress hosts where we have specific security measures in place.

Duo Security

As another Michigan-based company, I always want to support our local community. Duo Security offers not only a mobile app, but they offer a WordPress plugin as well. Duo Security’s WordPress plugin is very similar to Authy in that there is some configuration you need to do on the settings page prior to making it available to your users. Duo Security has a few more fields than Authy, and they offer the same ability to limit 2FA to certain roles. During my testing of this plugin, I found that it was coded very well and worked right out of the box.

Once I had WordPress set up, it was very simple to get it working with Duo Security’s iPhone app. I don’t believe you need to use their mobile app; you could use whatever favorite app you are currently using.

Dovedi

Dovedi is one of the oldest independent two-factor plugins out there. It’s very easy to set up. All you have to do is activate it, and then each user that wants to enable 2FA on their account accesses their profile in wp-admin, displays the QR code and scans it with their mobile authenticator app.

What I really like about Dovedi is that I didn’t need another service. It worked all within WordPress, so the setup was very simple. I activated the plugin, accessed my user profile and clicked to enable 2FA.

I am a little unclear how secure this type of plugin is, though. Since it’s not using a 3rd-party service, the 2FA secrets live inside WordPress itself; if WordPress were to get hacked through an exploit, how protected would the user accounts be, and would it matter?

Two Factor

Jetpack lead developer George Stephanis created this 2FA plugin simply called Two Factor. Two Factor has a few more options than Dovedi in that you have the ability to set up which way you’d like to get your two-factor code. There’s email, time-based one-time password (like using your mobile app), and FIDO Universal 2nd Factor (U2F)—which means you could buy something like a YubiKey.

It also has a nice feature that I like: backup verification codes. If you use an app on your mobile phone to display your 2FA codes, you can run into instances—like getting a new phone—where you need these backup codes to log in to the site and set up your new phone with 2FA.

Wrapping up

Two-factor is a way to level up the security on your site by protecting your users. You’re able to protect them by making it harder for hackers to get access to your site through a user account. Remember that adding additional steps of security doesn’t mean that you won’t ever get hacked; it just means that you are making it harder for hackers to gain access to your site.

Do your own research on these plugins. My main criterion was whether they worked on our Managed WordPress platform. Each one not only works, but was also easy to set up. Depending on the needs of your site, you may choose to use one over the other.

And that’s ok.

No matter which plugin you use, it will help protect your site.