December 12, 2017

Cloud Computing, Cloud Security 4 min read

Keep your WordPress Website Safe with Two-Factor Authentication

Do you have a WordPress website? If you do, then you understand that it’s not just an ordinary website. It is your own unique space on the Internet. As such, you want to ensure that it’s safe from unauthorized third-party access. In fact, we wrote an article in the past about steps you can follow to secure your WordPress website so you don’t fall victim to the cybercrimes that remain common today.

One of the steps we mentioned is enabling Two-Factor Authentication (2FA) to add an extra layer of security. Aside from having a hard-to-crack password (your first line of defense), we recommend you enable 2FA.

This lessens the chances of a breach of your online account. While we primarily focus on websites in this article, you can also use 2FA on most of your other online accounts: Facebook, Twitter, PayPal, Gmail, online banking, and many more.

What is Two-Factor Authentication?

Two-Factor Authentication is a security process that requires two separate proofs of identity before a user can log into their account. It is a two-step process because:

1.) you need to provide something you know (e.g. a username and password), and

2.) you need to prove you possess something (e.g. a smartphone or key fob).

If you enable 2FA for your website account, the second step is entering a time-sensitive security token generated by the mobile device associated with your account.

The good thing about 2FA is that you’re not limited to generating these tokens on a mobile device. Two-factor authentication can be done in different ways. Some services ask for a PIN (Personal Identification Number) in addition to a username and password, although strictly speaking a PIN is a second thing you know rather than something you have, so it adds less than a device-bound token. Others may require you to complete a distinct visual pattern before granting access to your account.

Some companies, banks in particular, give their clients a key fob as added security when logging in to their online account. A key fob is a small hardware device that displays a series of numbers that you enter into a field to authenticate your identity. As the name suggests, you can attach it to a keychain. The number changes periodically, typically every 30-60 seconds, and each one is valid only for that window. As for WordPress, here are some options you can choose when setting up two-factor authentication.
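To make the "time-sensitive token" concrete, here is an added example (not code from the original article or from any WordPress plugin) of how an authenticator app and the site both compute the same six-digit code from a shared secret and the clock, following RFC 6238 TOTP with the defaults Google Authenticator uses (HMAC-SHA1, 6 digits, 30-second step). The function names, the one-step skew window and the test secret taken from the RFC's own test vectors are this example's assumptions, not anything the article specifies.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Defaults used by Google Authenticator and most TOTP sites.
DIGITS = 6
STEP = 30

# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890"),
# used here only so the output can be checked against the published values.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")


def new_secret(nbytes: int = 20) -> str:
    """Generate a fresh random shared secret, base32-encoded the way it is
    embedded in the QR code a site shows at enrolment (example assumption)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, digits: int = DIGITS,
         step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch. This is what the phone app displays."""
    if at is None:
        at = int(time.time())
    key = base64.b32decode(secret_b32.upper())
    return hotp(key, at // step, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                window: int = 1) -> bool:
    """Site-side check of a submitted code. Tolerates `window` steps of clock
    skew either way, and compares in constant time so response timing does
    not leak how many digits matched."""
    if not (code.isascii() and code.isdigit()):
        return False
    if at is None:
        at = int(time.time())
    key = base64.b32decode(secret_b32.upper())
    step_now = at // STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, step_now + delta), code):
            return True
    return False


if __name__ == "__main__":
    secret = new_secret()
    print("secret to enrol in the app:", secret)
    print("code right now:", totp(secret))
    # A code is only good for its own 30-second window (plus the skew window):
    print("valid 30 s ago? ", verify_totp(secret, totp(secret), at=int(time.time()) - 30))
    print("valid 2 min ago?", verify_totp(secret, totp(secret), at=int(time.time()) - 120))
```

The skew window is a deliberate trade-off: one step either side keeps a slightly slow phone clock usable, while a wider window gives an intercepted code a longer life. A real site should also refuse to accept the same code twice within a window, which this example does not track.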

WordPress Two-Factor Authentication Plugins

You can install a plugin to enable 2FA on your WordPress website. Just search for a 2FA plugin in the WordPress plugin directory.

As you will see, there are a lot of 2FA plugins to choose from. The popular ones are the ones at the top, with the best star ratings and the most positive reviews. Ratings alone are not a security guarantee, though: also check that the plugin has been updated recently, works with your WordPress version and has a healthy number of active installs, since an abandoned plugin can itself become the way in.

If this is your first time installing a plugin, please take a few minutes to read this article: WordPress Plugins Guide for New Users. There you’ll find helpful tips for downloading and installing plugins. These are just a few of the two-factor authentication plugins we recommend for your site:

Once you have installed and activated the plugin, follow the steps specific to that plugin to enable 2FA for your WordPress website. Test a login from a private browser window before you sign out of your current session, and keep the backup codes the plugin gives you; otherwise a lost phone can lock you out of your own site.

Google Authenticator Mobile App

One of the ways to set up 2FA for your website is a mobile app such as Google Authenticator. Many people already have it installed to protect other accounts, such as Google and Outlook. If you already have it on a mobile device, we suggest using it for your WordPress website as well, for the obvious convenience.

Here are the steps to set it up with the Google Authenticator app:

  1. If you haven’t already, download and install the Google Authenticator app from your mobile phone’s app store.
  2. Open a web browser and sign in to your account with your username and password.
  3. On the upper right side of your WordPress account, click on your Gravatar profile.
  4. On the left-hand side, click on “Security”.
  5. Go to “Two-Step Authentication” on the upper right side. Click the “Get Started” button.
  6. You will be prompted to enter your country code and mobile phone number (without any spaces or dashes).
  7. You have two options here: “Verify via SMS” or “Verify via App”. Choose “Verify via App”.
  8. On your mobile phone, open the Google Authenticator app and tap “Scan a barcode”.
  9. Scan the QR code shown on the screen.
  10. Go back to the “Verify Code” step on your account, enter the six-digit number generated by the Google Authenticator app into the blank field, then click “Enable”.
  11. The last step is to generate backup codes. Please don’t skip this. Backup codes are how you get back in if your phone is lost, stolen or reset. Copy or print these one-time backup codes and keep them somewhere safe, and not on the phone that holds the authenticator.
  12. Tick the “I have printed or saved these codes” box and finally, click “All Finished”.

Your WordPress website is now set up for two-factor authentication. You can check that your backup codes work by entering one of them in place of the app code at your next login. Remember that each backup code is single-use, so the one you test with is spent; cross it off your printed list.
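As an added example of why a backup code is "one-time" and why it still works after your phone is gone, here is a small model of how a site can issue backup codes, keep only hashes of them, and burn each code the first time it is accepted. This is illustrative code, not the article's or WordPress.com's implementation; the code length, count and hashing scheme are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
from typing import List, Set, Tuple

CODE_COUNT = 10   # how many codes to issue at enrolment (example assumption)
CODE_BYTES = 5    # 40 bits of randomness per code -> 10 hex characters


def _digest(code: str) -> str:
    """Hash a code after normalising what a user is likely to type
    (stray spaces, upper-case hex). Only digests are stored server-side."""
    cleaned = "".join(code.split()).lower()
    return hashlib.sha256(cleaned.encode("ascii")).hexdigest()


def issue_backup_codes(count: int = CODE_COUNT) -> Tuple[List[str], Set[str]]:
    """Create `count` fresh backup codes.

    Returns (plain_codes, stored_hashes). The plain codes are shown to the
    user exactly once, to print or save as the guide says; the site keeps only
    the hashes, so a leaked database does not hand out working codes.
    """
    plain = [secrets.token_hex(CODE_BYTES) for _ in range(count)]
    stored = {_digest(c) for c in plain}
    return plain, stored


def redeem_backup_code(stored: Set[str], submitted: str) -> bool:
    """Accept a code once and remove it. A second use of the same code fails.
    Because each code is only 40 bits, a real site must also rate-limit
    attempts; this example does not."""
    try:
        candidate = _digest(submitted)
    except UnicodeEncodeError:
        return False
    # Walk the set rather than using `in`, so every comparison is constant-time.
    for stored_hash in list(stored):
        if hmac.compare_digest(stored_hash, candidate):
            stored.remove(stored_hash)
            return True
    return False


def remaining_codes(stored: Set[str]) -> int:
    """How many unused codes are left; warn the user when this gets low."""
    return len(stored)


if __name__ == "__main__":
    codes, store = issue_backup_codes()
    print("print these and keep them safe:", *codes, sep="\n  ")
    print("first use:  ", redeem_backup_code(store, codes[0]))   # True
    print("second use: ", redeem_backup_code(store, codes[0]))   # False, already spent
    print("codes left: ", remaining_codes(store))
```

Note that the plain codes never need to exist on the server after enrolment, which is exactly why the article tells you not to skip the "I have printed or saved these codes" step: the site cannot show them to you again.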

SMS Codes

To set up SMS codes instead:

  1. Do steps 2-6 above.
  2. Choose “Verify via SMS”.
  3. Within a few seconds, you should receive a text message with a random 7-digit number.
  4. Enter this number into the blank field provided.
  5. Click “Enable”.
  6. Don’t forget to print, save and double-check your backup codes. Keep in mind that SMS is the weaker of the two options: a code sent by text can be read or redirected by someone who takes over your phone number (a so-called SIM swap), so prefer the app where you can.

Chrome Browser

If you prefer to run an authenticator on your desktop computer in the Chrome browser, you can do so by installing one of these Chrome extensions:

Click the blue “Add to Chrome” button in the upper right-hand corner, then follow the steps for that specific extension when implementing 2FA for your website. Bear in mind that an extension keeps the secret on the same computer you log in from, so malware on that machine would have both your password and your second factor; a separate phone or hardware fob keeps the two apart.

Second Line of Defense

With the growing number of websites affected by security breaches each year, we think it is extremely important for all website owners to be proactive about the security of their sites.

Adding two-factor authentication does not guarantee that you won’t be hacked; it protects the login, not the rest of the site, so keep WordPress core, themes and plugins updated as well. What it does do is make it considerably harder for an attacker who has your password to get into your WordPress website. Now that we’ve shared the different ways you can implement 2FA for your website, which one would you use? We’d definitely love to hear your thoughts in the comments below.
