2FA for WordPress: How to Prevent Unauthorised Access

June 10, 2024 by Paul G. | Plugins, WordPress Solutions

Security should be a top priority for any website owner. Passwords are a good start, but strong protection goes beyond numbers and special characters. Two-factor authentication (2FA) adds an extra layer by requiring a second form of identification for site access.

Why is this necessary? Every day, new threats emerge on the internet, from brute force attacks to phishing schemes and beyond. For WordPress site owners, these risks could result in data theft, website downtime, and the loss of customers and their trust.

With software like Shield Security PRO‘s 2FA, you can protect your site and keep your domain and reputation safe.

Does WordPress Offer 2FA?

WordPress does not offer 2FA by default. It only requires a username and password for logging in.

Maintaining strong password practices, such as using complex passwords, and never reusing the same password across different services will mitigate risk. However, relying solely on this approach may no longer be enough. Expecting all users to adhere to such standards is unrealistic, especially if your audience isn’t security-conscious.

This is where 2FA really shines. Two-factor authentication requires an additional verification step before access to the site is granted, even if passwords are compromised.

Despite the default limitations of WordPress, integrating 2FA into your site is easily done.

How to add 2FA to your website

To add 2FA to your site, users will need to use a plugin. It can be a security plugin with a built-in 2FA feature or a plugin specifically designed for 2FA. Let’s explore your options, starting with how to set up 2FA using the Shield Security PRO plugin settings.

Enabling 2FA in Shield Security PRO

Go to your WordPress dashboard and click the Shield Security PRO plugin link in the left-hand navigation menu.
Once in the plugin dashboard, choose Security Zones and then Login.

Among the top tabs, you’ll find four separate approaches to 2FA:
1. Adjust your general settings, enable email-based 2FA, 2FA OTP, and passkey-based 2FA according to your preferences.
  1. For example, enable Google Authenticator for 2FA in the 2FA :: OTP tab.

In the general configuration, you can choose between the default WordPress login page or a custom page created by Shield Security PRO. (The custom page resolves conflicts with the WP login page for 2FA, which can arise due to certain themes and settings).

In the 2FA: Email tab, you can enforce email-based 2FA for specific user roles and offer some users the option to activate 2FA via email.
Configure your settings, save them, and go to Users → Add a new user to test your setup without losing access to your site.

You’ll be faced with an authentication option

Log in with the new user account in an incognito window. If it’s working, you will be prompted to verify your email address. Simply supply the 2FA code provided in the email to confirm the login.

Shield Security PRO Call-To-Action: Purchase

2FA-specific WordPress plugins worth considering

If you want a standalone plugin to enhance your WordPress site’s security with 2FA, there are several options. Here are a few worth considering:

miniOrange Google Authenticator

MiniOrange Google Authenticator is a plugin that enhances security, starting at $30 for a single site licence. It supports Google Authenticator, a widely trusted 2FA method. Users can generate backup codes for emergency access and configure 2FA for specific user roles. It can enforce 2FA for login attempts from specific locations, adding an extra layer of protection against unauthorised access.

Two-Factor Authentication

Two-Factor Authentication offers a free basic version, with premium features starting at $49 per year. It provides multiple authentication methods, including email, time-based one-time passwords (TOTP), and FIDO Universal 2nd Factor (U2F). The free version offers essential 2FA functionality, while premium features include advanced security settings and support for additional authentication methods. Users can customise 2FA settings based on user roles and enforce 2FA for specific actions.

WP 2FA

WP 2FA offers a free basic version with premium features starting at $19.99/year. It’s a user-friendly plugin for adding 2FA to WordPress sites. It supports time-based one-time passwords (TOTP) and allows 2FA enforcement for specific user roles. The free version provides essential 2FA functionality, while premium features include backup code generation and customisable 2FA settings. Premium users also get priority support and ongoing updates for compatibility with the latest WordPress releases.

Comparing types of two-factor authentication

As we’ve seen, 2FA is essential for securing WordPress sites. It offers an additional layer of protection beyond passwords.

Let’s look at the available 2FA options.

Authentication apps

Authentication apps like Google Authenticator or Authy, provide a convenient and secure method for 2FA. Users install these apps on their smartphones to generate time-sensitive codes required alongside passwords for login authentication. Shield Security PRO integrates with these apps, offering real-time monitoring and logging of login attempts for security.

Email-based authentication

Email-based 2FA verification with Shield Security PRO.

Arguably the most well-known form of 2FA is email-based authentication, which relies on users’ email accounts for verification. Users receive verification codes via email after they login and enter them into the 2FA form to verify their access.

Some drawbacks of email-based 2FA include delays in receiving emails, and the fear of a highly-targeted attack wherein a legitimate users’ email address has already been compromised.

One-Time Passwords (OTPs)

One-Time Passwords (OTPs) are single-use temporary authentication codes. While OTPs enhance security by providing unique codes for each session, they may inconvenience users due to code generation and entry.

Passkeys

Passkeys are a newer 2FA method used as unique identifiers to authenticate logins, typically in the form of encrypted strings or tokens linked to verification methods such as fingerprint scanners or facial recognition. This method enhances security by resisting phishing attacks and unauthorised account takeovers. Shield Security PRO allows easy implementation of Passkey authentication.

Users can enable this option in settings and register FIDO2-compatible authenticators to their WordPress profiles. The feature supports various devices and authenticator apps, offering improved security options. While Shield Security PRO uses passkeys solely as a 2FA method, future updates will include passwordless login methods using passkeys.

Best practices for setting up 2FA

When setting up Two-Factor Authentication (2FA) on WordPress, some best practices to consider include:

Explore the different 2FA methods available, such as SMS, Authenticator apps, email, hardware tokens, and biometrics. Each method offers different security levels, with Authenticator apps and hardware tokens providing the highest protection. Shield Security PRO’s Passkeys feature offers advanced security, as it’s highly resistant to phishing and other attacks.
Choose the most suitable 2FA method based on factors like the sensitivity of the information being protected and available resources. Remember to securely store backup codes and other 2FA credentials to prevent unauthorised access.
It’s important to educate users on the importance of 2FA and provide clear guidance on how to use it. Implement organisational policies mandating 2FA use to strengthen overall security.
Use Shield Security PRO’s features to enforce email-based 2FA for specific user roles. This enhances security without sacrificing accessibility. Features like 2FA “Remember Me” help you to balance security and usability.

Secure your site with Shield Security Pro today

Your WordPress site doesn’t protect itself. Don’t wait for a threat to happen, risking clients’ trust and sensitive data. Instead, start using 2FA today – it’s easier than ever – by using a trusted cybersecurity plugin like Shield Security PRO.

With the plugin’s 2FA options, you can verify user access and protect your site from unauthorised access. Secure your WordPress site with Shield Security PRO today!

Hello dear reader!

If you want to level-up your WordPress security with ShieldPRO, click to get started today. (risk-free, with our no-quibble 14-day satisfaction promise!)

You'll get all PRO features, including AI Malware Scanning, WP Config File Protection, Plugin and Theme File Guard, import/export, exclusive customer support, and much, much more.

We'd be honoured to have you as a member, and look forward to serving you during your journey towards powerful, WordPress security.

Try ShieldPRO Today →

ShieldPRO Testimonials

@symphonyoflove

Awesome

Thank you for making this great plugin.

@tomdekok

Excellent security!

This plugin is awesome. Very easy to setup and maintain. And it does it’s job very well too of course. After many plugins this is the one to stick with. Thanks guys for developing it!

@davidtomen

Stopped the spammers

Thanks for developing this plugin. I’ve one website that was getting 2 – 300 spam comments a day even with comments turned off. I found your plugin searching WordPress.org, installed it, and comment spam stopped. Completely! Thanks, David

@joelovrek

Truly the best security plugin I've tried

Reasons to use: It’s Free Stops xmlrpc.php attack which slows down your blog Login using two-factor authentication and IP address restriction, this is good because it verifies that it’s you that is logging in It has way more features, but for just these three, I can’t recommend it highly enough.

ESSENTIAL WORDPRESS SECURITY NEWS

Get ShieldNOTES, our excellent weekly WordPress security newsletter!