In this blog, we’ll cover securing WordPress with 2-factor authentication. That is, adding an additional security step when you log in to your website’s WordPress admin page. I’m going to use a plugin called Wordfence. It has 3+ million active installations (according to WordPress), and is one of the most widely used WordPress firewalls and security scanners. For the token generation, I’ve chosen the Authy application on a mobile phone.
The reason I chose Authy is that it’s possible to have it on more than one device and they’ll give the same one
If you’re wondering if your site is getting login hacking attempts, try logging in to your WP admin account and browsing to “Settings>Limit Login Attempts” and look at the number of times the account has been locked out.
I know from the login attempts below none were mine because the “admin” account doesn’t exist, so I’d never use it. The below statistics were from a WordPress site that was little more than two weeks old.
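The lockout count in “Limit Login Attempts” is one view of the same activity; the web server’s access log is another. Here is an added example (my own code, not part of the original post or of the Wordfence plugin) that counts failed login attempts per source address from constructed Apache-style log lines. It assumes the usual WordPress behaviour: a `POST /wp-login.php` that comes back `200` re-rendered the login form (a failure), while a successful login answers with a `302` redirect to the dashboard. The IP addresses and timestamps are made up for the example.

```python
import re
from collections import Counter

# Combined-log-format prefix: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: one address hammering wp-login.php (all 200s, i.e.
# the form came back each time) and one address that logged in normally (302).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2020:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:02:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:02:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2020:02:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2020:02:15:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2020:02:15:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 25010 "-" "Mozilla/5.0"
"""


def failed_logins_per_ip(log_text: str) -> Counter:
    """Count POSTs to wp-login.php that returned 200 (login form shown again)."""
    failures = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if (m["method"] == "POST"
                and m["path"].startswith("/wp-login.php")
                and m["status"] == "200"):
            failures[m["ip"]] += 1
    return failures


def suspicious_ips(log_text: str, threshold: int = 3) -> list:
    """Return addresses with more than `threshold` failed logins, worst first."""
    failures = failed_logins_per_ip(log_text)
    return [ip for ip, n in failures.most_common() if n > threshold]


if __name__ == "__main__":
    for ip, n in failed_logins_per_ip(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed login attempts")
    print("suspicious:", suspicious_ips(SAMPLE_LOG))
```

On a real server you would feed it the access log for the site instead of `SAMPLE_LOG`; anything this flags is exactly the traffic that a second login factor is there to blunt.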
1; From the WordPress dashboard go to “Plugins>Add New”, search for keyword “2FA” and select “Install Now”.
2; Activate the plugin from “Installed Plugins>Activate”.
3; Enter the email address to which you’d like Wordfence to send notifications. Select the other options you’d like and click “Continue”.
4; Select “No Thanks” when prompted for a premium key. You can upgrade at a later time if you’d like.
5; Click “Wordfence>Login Security” and click “Next” through the prompts until you get to the “Two Factor Authentication” tab.
Activating the two factor authentication
6; The next step is to activate 2fa on the site and to do that you need the Authy application, either on a laptop, tablet or phone. I won’t cover the installation of the application because that can be covered in another post.
In this case, we’re using the Authy application on a phone and that means we have access to a camera that we can use to scan the QR (Quick Response) square barcode on the activation page.
In the Authy app, from the main screen, click on the three dots to the top right of the screen, then click on “Add Account”.
7; Click on “Scan QR Code”.
8; Use the camera to scan the square barcode from the Wordfence Two Factor Authentication page. If your device had no camera, you could have copied the text from below the barcode into the app. At this point also copy the do
9; Click done to add the account to Authy. You can click “Select Another One” to change the icon and use a WordPress icon instead.
10; Enter the token code from Authy into box number 2, replacing the greyed out 123456 and then click on Activate, (see the image in step 8 above). This will confirm that the Authy app and the Wordfence plugin agree on the codes and are in sync with one another.
11; Select the Settings Tab and adjust the various settings to your liking. Below are the settings I chose to go with.
12; Logout and then log back in to test it all works. You should be presented with your usual password prompt followed by a request for the 2FA token.
To cut a long story short, the summary
WordPress websites represent a tempting target for hackers, with over 170,000 being hacked last year, and we could see evidence of login hacking attempts on this site even though it had only been online for a very short period of time.
It’s fairly easy to add a second step to the login process providing more security with Two Factor Authentication.
We chose Wordfence as the WordPress security plugin and Authy as the token generation application. Wordfence because it has a widely installed base and good reviews, and Authy because it’s easy to back up and allows the user to have more than one device.
If you’re a network engineer and you could use an IPv4 subnet calculator check out the free techiedoodah IPv4 excel subnet calculator spreadsheet and if you get a lot of time hands on rackside and need a tray to put your laptop on, let us know what you think of the Portable Rack Mount Laptop Tray and sign up if you want one. Type with two hands instead of one, be more comfortable, improve your productivity and get out of the server room sooner, (or wherever the rack happens to be).
Techiedoodah blogs are created in the hope that they can help others by giving real-life examples. If this has been useful to you please feel free to leave a comment. If you’re reading this post on the home page, you won’t be able to post comments here, so follow this link to the blog, and then scroll to the comments section at the bottom of the page.