How to Set up Two-Step Authentication on WordPress

Two-step authentication is like backing up your WordPress website: Everybody knows they should do it, but most people don’t bother, and their websites suffer.

Most people avoid two-step authentication because it sounds complicated. But if you have ever used a debit card, or logged in to YouTube from a computer you don’t normally use, you have already used two-step authentication.

What is two-step authentication?

As its name suggests, two-step authentication (also called “two-factor authentication” or “2FA”) is an identity check in which you must complete two separate steps to prove that you are the person authorised to access an account. Strictly speaking, “two-factor” means the two proofs come from different categories (something you know, such as a password or PIN; something you have, such as a phone or card; something you are, such as a fingerprint), while “two-step” only means two checks in sequence. In practice the terms are used interchangeably, and the plugins below all implement the know-plus-have variety.

For instance, if you want an ATM to tell you your bank balance, you need to insert your card (proving that the card associated with your account is in your possession) and you need to enter your PIN (proving that you know the PIN).

If someone stole your card but didn’t know your PIN, they couldn’t drain your account, because they could only complete one of the two steps.

Similarly, if you try to log in to YouTube from an unfamiliar device, you first enter your email address and password (the password proving that you know something only the account owner should know), then you enter a one-time code that is sent to your phone (proving that the phone associated with your account is in your possession). Codes sent by text message are the weakest common second step, since a phone number can be hijacked through the carrier; a code generated by an authenticator app on the phone, which is what most of the WordPress plugins below use, avoids that.

YouTube is a massive website, but two-step authentication isn’t a luxury reserved for huge sites, any more than a dedicated server is.

In this very guide, we’ll show you how to set up two-step authentication on your own WordPress website!

How to set up two-step authentication on WordPress

The first thing you need to know is that self-hosted WordPress does not ship with two-step authentication: out of the box, a username and password are all that stands between an attacker and your dashboard. But, as with everything WordPress-related, you can add it with a well-chosen plugin.

Plugins that add two-step authentication to WordPress:

1. The Two-Factor Authentication plugin

The aptly named Two-Factor Authentication plugin supports the WooCommerce login forms, so you can easily give your customers an extra layer of security. It is also compatible with WordPress Multisite. Here are some more features of this handy plugin:

  • Includes support for the WooCommerce and AffiliateWP login forms
  • Each user can turn two-step authentication on or off for their own account
  • Displays QR codes that an authenticator app on your phone or tablet can scan to set up the one-time codes
  • Asks for the second step only from users who have enabled it (users who haven’t won’t see any prompt)
  • Simplified user interface and code base
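The QR code such a plugin displays encodes a shared secret, and the six-digit codes the authenticator app then produces are time-based one-time passwords (TOTP, RFC 6238). The following is an added example, not code from the Two-Factor Authentication plugin or from WordPress core, showing what the server has to do to check such a code: decode the base32 secret, derive the code for the current 30-second step with HMAC-SHA1, tolerate one step of clock skew, compare in constant time, and refuse a code whose time step has already been used. The secret is RFC 6238’s reference key, and the skew window and replay check are design choices of this example rather than a description of the plugin’s internals.

```php
<?php
// Added example (not the plugin's code): server-side verification of an
// authenticator-app code, i.e. TOTP (RFC 6238) built on HOTP (RFC 4226).

// Decode an RFC 4648 base32 secret, the form carried in otpauth:// URIs.
function base32_decode_secret( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32      = strtoupper( rtrim( $b32, '=' ) );
    $bits     = '';
    foreach ( str_split( $b32 ) as $ch ) {
        $idx = strpos( $alphabet, $ch );
        if ( false === $idx ) {
            throw new InvalidArgumentException( 'invalid base32 character' );
        }
        $bits .= str_pad( decbin( $idx ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( 8 === strlen( $byte ) ) { // drop trailing partial byte
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

// HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp( string $secret, int $counter, int $digits = 6 ): string {
    $hash   = hash_hmac( 'sha1', pack( 'J', $counter ), $secret, true );
    $offset = ord( $hash[19] ) & 0x0f;
    $bin    = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $bin % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// TOTP: the counter is the number of 30-second steps since the Unix epoch.
function totp( string $secret, int $time, int $step = 30 ): string {
    return hotp( $secret, intdiv( $time, $step ) );
}

// Verify a submitted code. Accept one step of skew either side, compare in
// constant time, and never accept a time step at or before the last one used,
// so an intercepted code cannot be replayed within its validity window.
// Returns [accepted, new last-used step]; the caller must persist the latter.
function verify_totp( string $secret, string $code, int $now, int $last_used_step, int $step = 30 ): array {
    $current = intdiv( $now, $step );
    foreach ( [ 0, -1, 1 ] as $skew ) {
        $candidate = $current + $skew;
        if ( $candidate <= $last_used_step ) {
            continue; // already consumed: replay protection
        }
        if ( hash_equals( hotp( $secret, $candidate ), $code ) ) {
            return [ true, $candidate ];
        }
    }
    return [ false, $last_used_step ];
}

// Constructed demo: RFC 6238's SHA-1 test key "12345678901234567890" in base32,
// checked at T=59, which the RFC's Appendix B table also uses.
$secret = base32_decode_secret( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' );
$code   = totp( $secret, 59 );
echo 'code at T=59: ', $code, "\n";

[ $ok, $used ] = verify_totp( $secret, $code, 59, 0 );
echo 'first submission: ', $ok ? 'accepted' : 'rejected', "\n";

[ $ok, $used ] = verify_totp( $secret, $code, 59, $used );
echo 'same code again: ', $ok ? 'accepted' : 'rejected as replay', "\n";
```

RFC 6238, Appendix B, gives 94287082 as the 8-digit SHA-1 code at T=59, so the 6-digit code this prints is its last six digits, 287082, and the second submission of that same code is refused. A real plugin also has to store the secret per user (encrypted, or at least outside any world-readable file), rate-limit code attempts, and offer backup codes so a lost phone doesn’t lock the administrator out.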

2. Shield Security

If you’ve been around WordPress for a while, you may once have known the Shield Security plugin as “WP Simple Firewall”. This is an all-in-one WordPress security plugin, with two-step login among many other features, including these:

  • Core file scanners that automatically detect malicious file changes and compromises that would otherwise fly under the radar
  • Guided wizards to help configure Shield and run scans
  • Automatic limits on login attempts, and automatic blocking of brute-force attacks
  • An automatic IP blacklist, which removes the need for you to manage blocked IPs by hand
  • Blocks fully automated (bot) comments as spam
  • reCAPTCHA on login and comment forms
  • Firewall
  • Security-related HTTP headers
  • Control over automatic updates

3. Jetpack

Jetpack is one of WordPress’s most popular plugins for social sharing and site optimisation, and it can also add two-step authentication to your users’ logins. It does so through its Secure Sign On module, which signs people in with their WordPress.com account; you can require that those accounts have two-step authentication turned on, either from the module’s settings or with a filter in your theme’s functions.php file.
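The filter approach, as an added example rather than Jetpack’s own code. It assumes the Jetpack plugin is connected and its Secure Sign On module is enabled; `jetpack_sso_require_two_step` and `jetpack_remove_login_form` are the filters that module exposes for the matching settings.

```php
<?php
// Added example (not Jetpack's code). Requires Jetpack with Secure Sign On enabled.
// Placing this in wp-content/mu-plugins/ instead of the theme's functions.php
// means a theme switch cannot silently turn the requirement off.

// Refuse SSO logins from WordPress.com accounts that do not have
// two-step authentication enabled.
add_filter( 'jetpack_sso_require_two_step', '__return_true' );

// Optional, and only once every administrator has a working WordPress.com
// login: hide the standard username/password form so SSO is the only way in.
// Without this, an attacker with a user's WordPress password can still use
// the normal form and bypass the requirement above.
add_filter( 'jetpack_remove_login_form', '__return_true' );
```

Test the second filter on a staging copy first: if the Jetpack connection breaks, the normal form is the fallback you have just removed, and you would need database or file access to restore it.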

4. Rublon

If you love the idea of two-step authentication but don’t want your users inconvenienced every single time they log in, check out Rublon. It might be just the plugin for you. Its claim to fame is that it does things a little differently: instead of sending a one-time code for every login, Rublon has the user confirm the first login via email, then remembers the device they used. As long as they keep using that device, they don’t have to repeat the second step. The trade-off is that a “trusted” device (or the browser cookie that marks it as trusted) now stands in for the second factor, so a stolen laptop or hijacked browser session gets in with the password alone.

Make your website even more secure

If you’ve run a security scan on your WordPress site and weren’t satisfied with the results, it’s time to add two-step authentication. Turn it on for every administrator account first, since those are the ones whose passwords attackers guess and phish; a stolen admin password with no second step is a full site compromise. To beef up your security further, perform frequent backups, and see whether you can move your website from a VPS to its own dedicated server.

Wrapping up

Two-step authentication protects your website and gives it an air of credibility. It is a vital step: it limits the damage when a password is phished, reused from another breached site or guessed by a brute-force bot, because the password alone is no longer enough to log in. There are plenty of easy-to-use plugins available for free, so there’s really no excuse not to have two-step authentication enabled on your WordPress website.