Since the very beginning of personal computing, passwords have been a basic security requirement for almost everything from personal emails to corporate bank accounts. However, today, cybercriminals have a versatile arsenal of tools that can mount brute-force attacks and defeat the majority of passwords. This is why passwords are augmented by additional security features that strengthen the user login process. An important feature on this list is WordPress Two-factor Authentication.
What is Two-Factor Authentication?
Unlike passwords, two-factor authentication (2FA) is a two-step process that requires two or three proofs of identity before granting access. Implementations of two-factor authentication use something you know (the password) and something you have/possess (such as a smartphone, an e-mail account, or a hardware key).
WordPress offers two-factor authentication via plugins. These plugins require additional identification factors including:
- A one-time password (OTP) sent by SMS/e-mail
- A phone call
- A QR code
- A push notification
- Hardware-based key generators such as YubiKey, SolidPass, etc.
Here are the top WordPress plugins that implement and manage 2FA on your website.
- Shield WordPress Security
- Google Authenticator – Two Factor Authentication (2FA)
- Duo Two-Factor Authentication
- Two Factor Authentication
- Rublon Two-Factor Authentication
- Wordfence Security
- iThemes Security Pro
Shield WordPress Security
Shield WordPress Security (formerly Simple Firewall) offers two ways of authenticating the two-factor connection, by e-mail and with YubiKey. Its e-mail authentication offers two methods (IP address and cookies) that allow users to choose their preferred method.
For example, an IP-based check may be chosen if the IP address does not change frequently, and you want to create multiple WordPress login sessions from a single network location or with multiple browsers on the same computer.
The advantages of this plugin are two-factor authentication by OTP sent by e-mail and YubiKey, IP address, and cookies. However, this plugin does not support authentication via Google Authenticator, SMS, phone call, push notification, or QR code.
Google Authenticator – Two Factor Authentication (2FA)
Google Authenticator – Two Factor Authentication (2FA) is the most advanced WordPress two-factor authentication plugin. It takes proactive steps against potential threats and provides multiple backup solutions to help users during severe attacks.
With this plugin, administrators and users can activate the two-factor connection service, configure their own connection options, and connect to the WordPress website using username + password + two-factor authentication or username + two-factor authentication.
The advantages of this plugin are two-factor authentication via SMS, OTP sent by e-mail, software key, QR code, push notifications, shortcode for customized login pages, and identification of the device to avoid repeated attempts. However, this plugin does not support WordPress multisite or authentication via phone call or YubiKey.
Duo Two-Factor Authentication
To use Duo Two-Factor Authentication, simply install the plugin and sign up for the service so you can start logging in without a password. The idea is to create a simple 2FA login on your website that is easy to use and robust enough to defeat the attackers.
Duo Two-Factor Authentication gives you full control over which users can use 2FA. It supports multiple user authentication methods, such as one-touch ID, a one-time password generated by the application, a one-time password (OTP) sent by SMS, a phone call, or a hardware key such as YubiKey, SolidPass, etc.
The advantages of this plugin are multiple 2FA options including hardware keys, SMS, and phone call. However, this plugin does not support WordPress multisite, authentication via Google Authenticator, QR code, or shortcodes to easily integrate two-factor authentication features into a page/widget.
Two Factor Authentication
The Two Factor Authentication plugin allows you to enable 2FA based on user roles. It can be enabled or disabled for individual users and displays two-factor authentication on the login page only for authorized users. It also allows the editing of front-end parameters via a shortcode and helps you display parameters without allowing users access to the dashboard.
The Two Factor Authentication plugin supports the WooCommerce login form, and the Theme My Login plugin allows you to customize login pages with two-factor authentication for users.
The premium version offers more features such as customized layouts, emergency backup codes, better control of administration, user codes, and more.
The advantages of this plugin are two-factor authentication using the TOTP and HOTP protocols, and QR code. This plugin also supports WordPress multisite, Google Authenticator, Authy, and various other systems. However, this plugin does not support authentication via SMS, phone call, OTP by e-mail, shortcode, or YubiKey.
Rublon Two-Factor Authentication
Rublon Two-Factor Authentication offers a one-click download and activation process, allowing you to quickly set up two-factor security on your blog or WordPress website. It is free for a single user.
Rublon Two-Factor Authentication offers e-mail and its smartphone app to check users who are trying to connect. No special knowledge is required to incorporate or use the two-factor authentication feature.
Moreover, you do not need to copy/paste the one-time password from your inbox. Simply click the link in the email to confirm that you are the account holder.
The advantages of this plugin are two-factor authentication via e-mail or mobile application, and it spares you from verifying your identity twice from the same device. However, this plugin does not support authentication via Google Authenticator, SMS, phone call, push notification, shortcode, or hardware tokens.
As you have probably noticed, I only talk about plugins that have only one feature, namely two-factor authentication. There are, however, some more comprehensive security plugins, which include 2FA. Among them, Wordfence Security and iThemes Security Pro are the most popular plugins, with millions of active installs.
Wordfence Security
Wordfence Security is a security plugin that integrates a wide variety of features (such as firewall, country blocking, and logs) to secure your WordPress site and its content. It also performs regular checks to ensure that your site is not affected by any attack.
According to the plugin description, two-factor authentication for WordPress is included and requires the use of a smartphone, which differentiates it from a standard connection process. However, two-factor authentication is only available for the premium version.
iThemes Security Pro
iThemes Security Pro (formerly Better WP Security), the paid version of the iThemes Security plugin, includes 30+ additional security features including two-factor authentication that works with Google Authenticator or Authy. You must have this application installed on your phone to configure it with your website.
You log in using your username and password and are prompted to enter a verification code that Google Authenticator automatically generates. This code only works for a single connection and changes after a few seconds.
The Last Word!
Whether you have a blog that you manage alone or in collaboration with a team of writers and editors, or you build websites for clients, a two-factor authentication plugin for WordPress will help you better protect your websites.
From the above list, my favorite plugin is Shield Security, because of its unique authentication system which makes it a first-class security system. If you have a different favorite, do leave a comment and tell the readers why you like the plugin.