Two-factor authentication on WordPress strengthens your site’s security significantly. We’ll look at the types of attacks it protects you from and how to install and activate it on your site.
1. A single password is a weak point on your site
The WordPress security team has stated that “The weakest link in the security of everything you do online is your password”. If you’re lucky enough to have never had any of your passwords compromised, it’s probably only a matter of time. As you may have noticed, Halloween has just passed, and I’ve decided to give you a (very) good scare.
Brute force attacks remain the most widely used technique for hacking WordPress sites. They are fully automated and aim to find working combinations of logins and passwords to break into your site.
The choice of combinations is not random. On the contrary, for years there have been many studies of stolen databases to determine how people choose their passwords. As a result, attackers try the most commonly used logins combined with the most frequent passwords. According to one of these studies, the most common password is 123456, which seems a bit crazy!
These data breaches have provided valuable information to hackers, of course, but also to IT security experts, who can now urge users to create strong passwords. Moreover, without a password manager it is very difficult to remember all your passwords, and re-using the same ones is more often the rule than the exception.
Here is a scenario that occurs regularly. A random website is the victim of a discreet but effective data breach. You have created an account on it with the password, or one of its variants, that you use everywhere. Nobody notices the theft for a few months. Meanwhile, the collected data is sold to the highest bidder in the dark corners of the internet.
Then the passwords in the breach are cracked. Either the site hashed or stored them badly, or the hackers manage to crack the simplest ones, those famous passwords that everyone uses. Then begin the brute force attacks on the most interesting sites to hack, including your PayPal account, bank account, e-commerce sites, etc.
These same techniques are also used on your WordPress site. If you or your users don’t create strong passwords, the chances of being hacked increase considerably. Now that the stage is set, let’s take a look at what you can do to strengthen your site’s security.
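The automated guessing described above leaves a recognisable trace in a site’s authentication log: many failures from one source in a short time, or one source cycling through several usernames. The following is an added example, not part of the original article and not the code of any plugin, that runs a simple sliding-window detector over constructed log lines. The log format (`login_failed`/`login_ok` with `user=` and `ip=` fields), the sample lines, the IP addresses (from the documentation ranges) and the thresholds are all assumptions made for the illustration.

```python
"""Added example (not from the article): spotting automated login guessing
in authentication log lines. Log format, sample lines and thresholds are
constructed for illustration only."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed line format: "<iso-timestamp> <event> user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_failed|login_ok) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

WINDOW = timedelta(minutes=5)   # how far back failures are counted
FAILS_PER_IP = 5                # burst: this many failures from one source in WINDOW
USERS_PER_IP = 3                # spray: one source trying this many different logins

# Constructed sample log (addresses are from RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2024-11-01T10:00:01Z login_failed user=admin ip=203.0.113.5
2024-11-01T10:00:02Z login_failed user=admin ip=203.0.113.5
2024-11-01T10:00:03Z login_failed user=admin ip=203.0.113.5
2024-11-01T10:00:04Z login_failed user=admin ip=203.0.113.5
2024-11-01T10:00:05Z login_failed user=admin ip=203.0.113.5
2024-11-01T10:01:10Z login_failed user=admin ip=203.0.113.9
2024-11-01T10:01:11Z login_failed user=editor ip=203.0.113.9
2024-11-01T10:01:12Z login_failed user=wpadmin ip=203.0.113.9
2024-11-01T10:02:00Z login_failed user=alice ip=198.51.100.7
2024-11-01T10:02:30Z login_ok user=alice ip=198.51.100.7
2024-11-01T10:30:00Z login_failed user=alice ip=198.51.100.7
"""


def parse(lines):
    """Yield (timestamp, event, user, ip) for every line that matches the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["event"], m["user"], m["ip"]


def detect(lines):
    """Return {ip: set(reasons)} for sources exceeding a threshold inside WINDOW.

    Failures are kept per source in a deque; entries older than WINDOW relative
    to the newest failure are dropped before the thresholds are checked.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) failures
    alerts = defaultdict(set)
    for ts, event, user, ip in parse(lines):
        if event != "login_failed":
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        if len(q) >= FAILS_PER_IP:
            alerts[ip].add("burst")
        if len({u for _, u in q}) >= USERS_PER_IP:
            alerts[ip].add("spray")
    return dict(alerts)


if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, sorted(reasons))
```

A legitimate user who mistypes a password twice and then logs in (the `198.51.100.7` lines) never trips either rule, while the two guessing sources do; in practice the alert would feed a lockout or a rate limit rather than just a print.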
2. What is two-factor authentication
Two-factor authentication is, as the name suggests, a way of identifying yourself that relies on two separate steps. To be effective, both factors must be secure and must not be breakable in the same way or at the same time. Thus, two different passwords entered one after the other to identify yourself would offer no advantage, because they share the same weaknesses. There are three categories of factor you can authenticate with: what you own, what you are and what you know.
2.1 What you own
This method, probably one of the most widely adopted at present, involves using a device that you own. For example, you receive an SMS text message or a notification on your phone or you have an application that generates a six-digit code. Since we often have our phones within reach, this seems to be the easiest solution for most of us.
This process has the advantage of being simple and easy. However, the method can be more or less secure. SMS messages, which are not encrypted, can be intercepted relatively easily, so their security depends on many factors, including the telephone service provider through which they travel.
Six-digit codes generated by an application are more difficult (but not impossible) to hack. For this reason, on WordPress, this system is probably the most widely used. You can also receive a code by email, the security of which will depend on how you log in to your inbox and whether or not emails are encrypted.
Finally, a technique that is increasingly used, particularly by Google, is to send a message to another device on which you are already logged in. You will then receive a notification on your Android phone asking you to confirm that it is you who is trying to log in to your Google account from a computer.
2.2 What you are
You may be using this method on a daily basis to unlock your phone. It involves identifying you through biometric data or physical characteristics that are, by definition, unique to you. Think, for example, of a fingerprint, your DNA and even your behaviour.
These techniques have many advantages which, in my opinion, are all invalidated by their main disadvantage: the file in which your fingerprint is stored can be stolen, and once that happens it is compromised for life. Unlike a password, you cannot change it, and if you continue to use it the process can no longer be considered secure.
The security of the computer file depends on many factors, but in many cases it depends on the infrastructure and the seriousness of the company or institution that uses the data. As you may have guessed, biometric data has been stolen in the past, without anyone noticing for months.
Imagine a theft of data from the servers that store biometric passport or ID card information. All this data would become unusable for secure authentication. Logically, this scenario will eventually occur often enough that biometric data will simply become obsolete.
2.3 What you know
We have already discussed passwords, but security questions are also something that you know. I won’t go back to the weakness of passwords, but be aware that security questions can also be compromised.
For example, if a site asks you to confirm your identity by answering a personal question, such as your mother’s or grandmother’s maiden name, the name of your first pet or your favourite food, a hacker could easily find the answer to these questions by scanning your social networking profiles or the comments you leave here and there. It’s called social engineering and with the amount of data we voluntarily share on the internet, it has a bright future ahead of it.
3. Which WordPress two-factor authentication method to choose
Currently, two-factor authentication using an application that generates a six-digit code is the most secure and probably the least troublesome to use. This is the one I recommend you use on your WordPress site. There are many applications that generate codes, the best known being Google Authenticator, Authy, Duo and LastPass.
Some of them offer a backup, others don’t, notably Google Authenticator. Therefore, if you lose access to your device or if your phone is stolen, you will also lose access to accounts that have two-step authentication enabled.
That said, there are other ways to regain access to your accounts, even if your app has a backup feature. Most sites and apps where you set up two-factor authentication will offer to download one-time recovery codes. If your device is lost or stolen, you can use these codes. It is recommended that you print them out and keep them in a safe place.
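Recovery codes only work as a safety net if the site handles them the way a password should be handled: generated with a proper random source, shown to the user once, stored only as salted hashes, and deleted the moment one is used. The following is an added example, not part of the original article and not the code of WP 2FA, Wordfence or any other plugin, showing that lifecycle. The code format (two groups of five hex characters), the count of eight, the PBKDF2 iteration count and the in-memory record are assumptions for the illustration.

```python
"""Added example (not from the article or any plugin): one-time recovery codes.
Codes are random, shown once, stored as salted hashes, consumed on use."""
import hashlib
import hmac
import secrets

CODE_COUNT = 8        # assumed number of codes handed out per user
CODE_LEN_BYTES = 5    # 40 random bits per code -> 10 hex characters
PBKDF2_ROUNDS = 50_000  # assumed; slows offline guessing if the hash store leaks


def _normalize(code: str) -> str:
    """Be lenient with what the user types: ignore dashes, spaces and case."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def _digest(salt: bytes, code: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, PBKDF2_ROUNDS)


def generate_recovery_codes(count: int = CODE_COUNT):
    """Return (plaintext codes to show the user exactly once, storage record).

    Only the record is persisted; it holds a per-user salt and the hashes,
    never the codes themselves.
    """
    salt = secrets.token_bytes(16)
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_LEN_BYTES)
        codes.append(f"{raw[:5]}-{raw[5:]}")
    record = {"salt": salt, "hashes": [_digest(salt, c) for c in codes]}
    return codes, record


def redeem_recovery_code(record: dict, submitted: str) -> bool:
    """Consume a code: True the first time it is used, False afterwards or
    for unknown codes. Every stored hash is compared (no early exit) so the
    response time does not reveal which slot, if any, matched."""
    candidate = _digest(record["salt"], submitted)
    matched = None
    for i, stored in enumerate(record["hashes"]):
        if hmac.compare_digest(stored, candidate) and matched is None:
            matched = i
    if matched is None:
        return False
    del record["hashes"][matched]   # single use: the hash is gone for good
    return True


if __name__ == "__main__":
    codes, record = generate_recovery_codes()
    print("Print these and keep them somewhere safe:")
    for c in codes:
        print(" ", c)
    print("first use:", redeem_recovery_code(record, codes[0]))
    print("second use:", redeem_recovery_code(record, codes[0]))
```

Because a recovery code bypasses the second factor entirely, the redemption endpoint deserves the same rate limiting as the login form; with eight ten-character codes the guessing odds are tiny per attempt, but only if attempts are counted.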
Note that two-step authentication, although it strengthens the security of your site, has the disadvantage, inherent in the concept, that you have to complete an additional step before you can access your site. So you will have to choose whether or not to force users to set it up. In the future, we will probably have different systems that make two-factor or multi-factor authentication easier to use.
4. How to set up two-factor authentication in WordPress
To configure two-factor authentication, you will need to install a plugin or configure your existing security plugin. This is because WordPress does not have two-step authentication by default.
All two-factor authentication plugins allow you to configure the user roles required to use this system. I strongly recommend that you force all administrator accounts to use it, as these are the most sensitive.
4.1 WP 2FA: simple and effective
This plugin allows you to set up different systems and in particular has compatibility with several code generation apps. You can also use the technique of sending a code via email, but make sure your WordPress installation sends emails correctly. It is recommended that you install an additional plugin, such as WP Mail SMTP, to ensure that emails are actually sent.
4.2 Wordfence: full version or Login Security version
If you are already using Wordfence, which I recommend as a security plugin, it has full WordPress login protection. So you can set up two-step authentication using a code generation app and download recovery codes.
But if you don’t want to install the full version, Wordfence also offers a lighter plugin that only offers login protection features. So you can activate it in addition to your security plugin.
As you can see, WordPress two-factor authentication can save you a lot of trouble, even when choosing the least secure systems. I hope I’ve scared you into action and you will enable this method to make your WordPress site a little more secure.
Let me know in the comments if you are already using a two-step authentication method and, if so, which one.