A couple of weeks ago we released our brand new security plugin for WordPress.
Today’s upgrade adds the easiest Two-Factor Login Authentication option for WordPress available.
Read on to find out why this rocks, and 3 huge reasons you should have this on your blog today!
What is 2-Factor Authentication login for WordPress?
First, what is 2-factor authentication?
Two-Factor Authentication is where, after you log into a website or service, that service will try to verify that you really are the person you say you are.
This verification can be done in several ways… the most common is email-based two-factor authentication. Typically you’ll log into the web service and they’ll send you an email with a link to verify yourself. You click this link and you’re in.
And that’s 2-factor authentication in a nutshell.
Would you like to have the same level of protection on your WordPress site?
Now you can, with the Shield Security plugin for WordPress.
Why is 2-Factor Authentication so important for WordPress?
There are a couple of big reasons why this is good for you and your website’s security:
1. Protection against brute force WordPress login account cracking
Brute force attacks work by repeatedly, very quickly, trying to log into an account using a username and a series of guessed passwords.
When 2-factor authentication is put in place, the attacker can never gain access to your WordPress account and will never know if a login was successful or not. They can of course gain access if they have access to your email account, but by then, you probably have far greater problems to worry about.
2. Ability to close any unattended session.
If you log in from 1 location, and leave this signed-in or unattended, simply logging in from another location will cause the other session to be terminated as soon as it’s used.
3. Reduce account sharing and abuse.
Since only 1 IP address may be assigned to a given username, and this is in effect assigned to 1 email address, account sharing and abuse, depending on your systems, is reduced.
How 2-Factor Authentication works with the Shield Security plugin
At the time of writing the plugin has 2 main pieces of functionality:
- A Firewall.
- WordPress Login Protection.
The WordPress Login Protection feature handles the Two-Factor authentication (amongst other things).
It works by linking 2 pieces of information:
- WordPress Login Username
- Connecting IP Address
It will create a dedicated database table on your site in which it stores the combination of IP addresses and usernames. When the feature is enabled, all users on the site must have a corresponding and verified IP address.
When a user successfully logs into the site from a new/unrecognised IP address, it will send an email to your registered email address. This email will contain a verification link that you must click in order to verify the IP address and your username.
Once this is done, any previously registered IP addresses for that username will be invalidated – that is, only one IP address may be associated to a user at any time.
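The binding scheme just described, as an added example modelled in Python rather than the plugin’s own PHP (this is not Shield Security’s code): a username is paired with a single verified IP, a successful login from an unrecognised IP issues a one-time emailed link, and clicking that link replaces whatever IP was verified before. The site URL, the 15-minute link lifetime, the rule that the click must arrive from the IP being verified, and the sample users are assumptions not stated on the page; send_email stands in for wp_mail().

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed lifetime of a verification link; the page states no expiry, so this is a design choice.
TOKEN_TTL_SECONDS = 15 * 60
# Placeholder site URL for the constructed verification links.
SITE_URL = "https://example.invalid"


@dataclass
class PendingVerification:
    ip: str
    token_hash: str   # only a SHA-256 of the one-time token is stored, never the token itself
    issued_at: float


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def token_from_link(link: str) -> str:
    """Pull the one-time token back out of a verification link (used by the demo and tests)."""
    return parse_qs(urlparse(link).query)["t"][0]


class IpTwoFactor:
    """Username <-> IP binding with email verification, keyed per username.

    send_email stands in for WordPress's wp_mail(); now is injectable so link expiry can be tested.
    """

    def __init__(self, send_email, now=time.time):
        self.send_email = send_email
        self.now = now
        self.emails = {}     # username -> registered email address
        self.verified = {}   # username -> the single verified IP (the "one IP per user" rule)
        self.pending = {}    # username -> PendingVerification awaiting a link click

    def register_user(self, username: str, email: str) -> None:
        self.emails[username] = email

    def login(self, username: str, ip: str) -> str:
        """Called after the password check succeeds.

        Returns "allowed" when the IP is already verified for this user, otherwise "pending"
        after emailing a fresh single-use link. A new login does not disturb the old IP yet;
        that happens only when the link is clicked.
        """
        if self.verified.get(username) == ip:
            return "allowed"
        token = secrets.token_urlsafe(32)
        self.pending[username] = PendingVerification(ip, _hash_token(token), self.now())
        link = f"{SITE_URL}/?" + urlencode({"verify_user": username, "t": token})
        self.send_email(self.emails[username], link)
        return "pending"

    def verify(self, username: str, ip: str, token: str) -> bool:
        """Handle a click on the verification link.

        The click must arrive from the IP being verified (an assumption of this model), within
        TOKEN_TTL_SECONDS, with the matching token; on success the new IP replaces any previous one.
        """
        p = self.pending.get(username)
        if p is None or p.ip != ip:
            return False
        if self.now() - p.issued_at > TOKEN_TTL_SECONDS:
            del self.pending[username]        # expired links are discarded, not retried
            return False
        if not hmac.compare_digest(p.token_hash, _hash_token(token)):
            return False                      # constant-time comparison of the stored hash
        del self.pending[username]            # single use
        self.verified[username] = ip          # any earlier IP for this user is now invalid
        return True

    def session_valid(self, username: str, ip: str) -> bool:
        """Checked on every request: is this session's IP still the one verified for the user?"""
        return self.verified.get(username) == ip


if __name__ == "__main__":
    outbox = []
    tf = IpTwoFactor(lambda to, link: outbox.append((to, link)))
    tf.register_user("alice", "alice@example.invalid")   # constructed sample user
    print(tf.login("alice", "203.0.113.10"))              # pending: first login from this IP
    tf.verify("alice", "203.0.113.10", token_from_link(outbox[-1][1]))
    print(tf.login("alice", "203.0.113.10"))              # allowed
    tf.login("alice", "198.51.100.7")                     # new location; old IP still valid
    tf.verify("alice", "198.51.100.7", token_from_link(outbox[-1][1]))
    print(tf.session_valid("alice", "203.0.113.10"))      # False: old session terminated
```

Keying the state by username rather than by IP is what lets two users behind one address hold independent bindings, and storing only a hash of the token means that reading the table does not hand out live verification links.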
How to activate 2-Factor Authentication on your WordPress site
When you install and activate the plugin, a Security Zone menu will appear. This will have a sub-menu item called “Login Protection”.
Clicking this will load an options page and you’ll first need to enable the “Two-Factor Authentication By Email” option, and save.
Then, simply click the link in the verification email you receive.
You won’t need to verify yourself again until your IP address changes.
We go into further details on this here.
Protect your WordPress site today from Brute Force attacks
This WordPress plugin is simple to use, and protecting your site against brute force attacks requires no expertise and practically ZERO configuration steps. You just turn it on!
Hi Paul
I use the WordPress Simple Firewall plugin and I’m thinking of activating this feature.
I don’t have a dedicated IP address so I’m wondering if this will cause me problems each time I log in or will I simply have to use the email method…
“This email will contain a verification link that you must click in order to verify the IP address and your username.”
Regards
Hi Keith,
Alternatively you can use the Cookie method which will authenticate you and set a cookie on your browser. In this way it doesn’t matter that your IP address changes.
I’m considering how to tweak the 2-factor system in general, but for now it works quite well though there is room to improve it. Select only cookies for now if your IP address changes frequently.
Hope it helps!
Paul.
Sorry for second question Paul, but can you try this out on a local install say using XAMPP?
I think two factor should work with local installations – I can’t see why not, so long as you can locally access your own site.
Hi,
I turned on two factor, and tried to use the IP address option but when my wife logged into the site using different credentials from the same IP address I was logged out, and we both ended up locked out. I also tried the cookie two factor option and the same behavior occurred.
Hi Mike,
Sorry for the trouble you’re having here. I’ll take a look at the code and see if there’s any bug in there pertaining to the same IP address.
I assume you were both using different computers (at least different browsers) ?
When you say “locked out” what exactly do you mean? What was happening to lock you out of the site?
Thanks,
Paul.
Hello,
I installed your firewall, and must have activated the “The WordPress Login Protection feature handles the Two-Factor authentication (amongst other things).” without adding a password, etc.
I have used FTP to remove the files, etc, and re-install, but I keep getting the “The WordPress Login Protection feature handles the Two-Factor authentication (amongst other things).” coming up, and I cannot login as the administrator. Something is either caching the plugin or I’m not completely removing all files attached to this plugin. Please Help! – Thanks
Hi Robert,
I’m really not sure what’s happening here. That text isn’t even in the plugin… can you confirm what message is being shown? Thanks.
Hey Paul, I think I realize it was the function originally used that allowed you to rename the admin login page. This is what I’m getting now-
After re-installing plugin
My admin login shows this link:
Page says: “Oops! This link appears to be broken.” with a search box that says “america we trust log” inside the search already.
Looks like by renaming the admin login originally the plugin must have removed the original login file for admin or some such thing…
Paul, does the plugin re-write the .htaccess file when renaming login?
This plugin doesn’t rename any files, or write/touch/look at any .htaccess or WordPress core files (especially admin). I’m not sure what you’ve done, or perhaps there are other WordPress plugins you’ve used or at play interfering here.
Hi Paul.
I am not receiving emails (I tried two different email ids) when I try to login from a new source.
I keep getting this message : “Login is protected by 2-factor authentication. If your login details were correct, you will have received an email to complete the login process.”, without actually getting the email.
Can you please help me in this regard?
Thanks and Best Regards
Anshul Sukhwal
I’m not sure what you mean by “different email ids”… what is this?
The email will be sent to the email address registered for the given user you’re trying to login as.
If the email is not sent, your WordPress site has issues with sending emails and you should look into this. The plugin simply uses the native WordPress wp_mail() function and if this doesn’t work, then your site hosting has email sending problems.
I hope this helps you narrow down the problem.
Thanks,
Paul.