Welcome to our 9-part series of the Ultimate Guide to Protecting Your WordPress Website.

This is Part 2: Enable Two Factor Authentication

You won’t have to be too technical to do these yourself, and I’ll be here showing you on the screen, step by step, how to do it.

Here are a few things you’ll need to prepare before starting:

  • Your WordPress administrative area login URL, which in most cases is /wp-admin after your domain name
  • Your WordPress administrative username
  • Your Password

Today I’m going to show you how to secure your WordPress website by adding two-factor authentication.

Passwords are the de facto standard for logging in on the web, but they’re relatively easy to break.

Even if you make good passwords and change them regularly, they need to be stored wherever you’re logging in, and a server breach can leak them.

There are three ways to identify a person: things they are, things they have, and things they know.

Logging in with a password is single-step authentication. It relies only on something you know.

Two-step authentication, by definition, is a system where you use two of the three possible factors to prove your identity, instead of just one.

In practice, however, current two-step implementations still rely on a password you know, plus your phone or another device to authenticate with something you have.

Here are some of the most popular Plugins if you want to do some research on your own.

For demonstration purposes, we’re going to be using Clef, which has over 600,000 installs and is one of the most popular free two-factor authentication plugins.

Configuring Clef

  1. Log into your WordPress Admin Area
  2. Head over to Plugins and click Add new
  3. Search for Clef and install “Clef Two-Factor Authentication”
  4. Once the install is finished, click Activate Plugin
  5. After Activation, you will be presented with the setup screen. Click on “Get Started”
  6. Select your country, enter your cellphone number and click Get Started again
  7. You will receive a text message with a link to download the app. Click on the link and install the Clef app on your smartphone. Meanwhile, you will see the waving bars waiting on the Clef setup screen.
  8. Answer the security question on your smartphone and follow the instructions.
  9. When all is complete, click “Complete Setup”
  10. In order to take advantage of Clef, I recommend checking the following boxes (at the very least):
    • “Disable passwords for Clef users”
    • If you have multiple users with different roles, select “Disable passwords for all users with privileges greater than or equal to – Contributor”
    • Leave “Show Clef wave as primary login option” checked (you’ll still have a way to switch to password login, but that will only work for subscribers if you chose the options above)
  11. For best security, check the box “Disable passwords for all users and hide the password login form.” (Beware: if you enable this, no one will be able to log in to your WordPress dashboard without the authenticated Clef app.)
  12. Under “Override URL”, choose a secret phrase or a combination of letters and numbers; this URL works as a safeguard if all else fails, because it allows a password login. Drag the blue button to your bookmarks or simply write the URL down in a safe place. An email with the override URL will also be sent to the admin email address that is set.
  13. Finally, click Save Changes on the bottom

If you want to test it, click on the admin bar and select Log Out. Next, open the app on your smartphone and tap Logout now. At this point you will be completely logged out, and the next time you go to your wp-login link you will have to open the app on your phone and scan the waves. Below are some details about each of the two-factor authentication plugins.

About Clef

Passwords are transmitted and stored by every website that you log in to. Every time you type a password, there’s an opportunity for it to be intercepted. Attackers steal whole databases of passwords and other customer information. With passwords, or password managers, there is nothing you can do to protect yourself from this type of attack.

Clef is built on cryptography. There is no database of password information. Clef neutralizes most types of common attacks by design and provides a far better user experience across the board.

About Duo

Duo Security provides two-factor authentication as a service to protect against account takeover and data theft. Using the Duo plugin you can easily add Duo two-factor authentication to your WordPress website in just a few minutes!

Rather than relying on a password alone, which can be phished or guessed, Duo’s authentication service adds a second layer of security to your WordPress accounts. Duo enables your admins or users to verify their identities using something they have—like their mobile phone or a hardware token—which provides strong authentication and dramatically enhances account security.

About Authy

Authy helps you increase security for your user accounts in your WordPress site by using strong Two-Factor authentication. The plugin can be installed and configured in a matter of minutes.

Two-Factor Authentication protects you from password re-use, phishing and keylogger attacks. The Authy WordPress plugin was designed so that anyone can install it, configure it and use it. Security shouldn’t be painful!

About Google Authenticator

The Google Authenticator for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.

If you are security aware, you may already have the Google Authenticator app installed on your smartphone, using it for two-factor authentication on Gmail/Dropbox/Lastpass/Amazon etc.

About Rublon

Confirm your identity by clicking on a link that Rublon sends via email. Your next login from the same device requires only a password. For more security, install the Rublon mobile app. Scanning the Rublon Code with your phone confirms your identity. Rublon works out-of-the-box. Activate the plugin and you’re done — no configuration needed. Users need no training, don’t have to install anything and don’t have to enter any codes. Once they confirm their identity on a device, they can log in to all web services with a password.

About Wordfence

Powered by the constantly updated Threat Defense Feed, the Wordfence Web Application Firewall stops you from getting hacked. Wordfence Scan leverages the same proprietary feed, alerting you quickly in the event your site is compromised. Our Live Traffic view gives you real-time visibility into traffic and hack attempts on your website. A deep set of additional tools round out the most complete WordPress security solution available.

Wordfence Security is 100% free and open source.

Bookmark this page, subscribe or save it somewhere so you can check back when we publish Part 3/9 next week!

Looking for previous episodes of the Ultimate Guide to Securing Your WordPress site?

If you got any questions or comments, please comment below.