In this lunchtime #WPQuickies, I show you how to implement Two Factor Authentication (2FA) for secure WordPress logins.
What Is 2FA?
Aka multi-factor authentication, two-factor authentication adds a secondary layer of security to your regular username and password combination login.
2FA is usually implemented using a secondary device such as a mobile phone, key fob or a USB stick that is only accessible to you.
Something easy for you to carry around and access at all times.
The format of 2FA is usually numeric or alphanumeric code, varying in length, which times out after some time, usually 60 seconds.
Authentication codes that expire after a set time are also known as One Time Passwords (OTPs).
The codes can be generated from an app, directly from your key-fob or USB stick, SMS or email.
In addition to logging in with your regular username and password, any system configured to use 2FA will also ask for the authentication code.
You must enter the correct code before it times out and generates a new 2FA code.
Expiring codes on a device that only you can access makes it difficult for a hacker to log in using guessing or brute force attacks.
How Secure Is 2FA?
Two-factor authentication is not infallible.
If a hacker manages to get physical access to your authentication method, they can use it to log in.
So, don’t lose your authentication device!
SIM Hijacking
As many 2FA codes are sent via SMS to a registered phone number, SIM hijacking has become prevalent.
Sim hijacking is where a bad actor convinces a mobile phone carrier to change the SIM card associated with a phone number.
The bad actor then gets access to the phone number and can receive the 2FA codes sent to that number via SMS messages.
This type of hack usually requires social engineering to convince the current phone owner to read out a SIM transfer code disguised as a parcel tracking number or fake order ID.
Authenticator Apps
There have been hacks targeting the authenticator apps themselves, trying to find a way to intercept the codes generated by the mobile phone app.
A few articles in 2020 detailing how Android malware could read the 2FA codes generated by the Google Authenticator app.
Ref: https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/
2FA Security Levels
YubiKey
Direct 2FA security USB sticks like the YubiKey generally offer the best type of security as they are a self-contained system, difficult to hack and require biometrics (your fingerprint) to work.
There is a GitHub plugin repository for connecting your YubiKey to WordPress for logins.
https://github.com/shield-9/u2f-login/
Smartphone Apps
Smartphone authenticator apps are the second-best type of 2FA security. There is a chance somebody could steal the codes if a bad actor places malware onto the phone’s operating system.
2FA codes sent via SMS messages are not very secure because SMS messages are transferred in unencrypted plain text and move through several networks before ending up on your phone.
A bad actor could theoretically intercept the codes anywhere along the transmission network.
Email OTP codes, in general, are the least secure method of implementing 2FA, again because they are transferred through multiple networks in plain text.
How To Use 2FA Logins For WordPress
The easiest way to enable 2FA logins for WordPress is to use the Wordfence security plugin along with the Google Authenticator app for your smartphone.
Google Authenticator App
You can download the Google Authenticator app from Google Play https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 for Android phones or from the Apple App Store https://apps.apple.com/au/app/google-authenticator/id388497605.
Wordfence
Once you have installed and activated Wordfence, navigate to Wordfence > Login Security
You will see a screen similar to this one.
he steps are very simple to complete.
Simply scan the QR code into your smartphone’s Google Authenticator app and enter the generated code in the field in the 2nd column and press activate.
Before leaving this page, download the backup codes to somewhere private and safe.
You can use these codes if you are unable to use the Google Authenticator app on your smartphone.
Once 2FA is activate, the next time you login to WordPress, after you enter your username and password, you will be asked to enter the 2FA code for the account.
For more detailed setup instructions, see the Wordfence blog https://www.wordfence.com/help/tools/two-factor-authentication/.
Other Google Authenticator Plugin
If you don’t want to use Wordfence or you use some other security firewall plugin, you can also use the minOrange Google Authenticator plugin at https://wordpress.org/plugins/miniorange-2-factor-authentication/.
The setup is similar to Wordfence where you scan a QR code and enter the corresponding code to activate 2FA security for your logins.
Summary
Using 2FA for your WordPress logins significantly increases your level of security.
You should be using 2FA on all of your WordPress sites.
#WPQuickies
Join me every Thursday at 1 pm Sydney time for some more WPQuickies – WordPress tips and tricks in thirty minutes or less.
Broadcasting live on YouTube and Facebook.
Suggest a #WPQuickies Topic
If you have a WordPress topic you’d like to see explained in 30 mins or under, fill out the form below.
https://forms.gle/mMWCNd3L2cyDFBA57
Watch Previous WPQuickies
Setting Up Cloudflare For WordPress
