How to secure your WordPress login with 2FA – TechRepublic

Image: Jack Wallen

Nothing is perfect. No matter what you do to lock down every account you have, you’re still at risk. However, doing nothing is akin to opening the metaphorical door and inviting trouble in. You don’t want that. Even though it might seem futile, you still want to enable every possible hurdle to make the hacker’s job as difficult as possible.

This is true for every account you have—even your company’s WordPress website. If you’re not doing everything you can to protect that site, there’s no telling what could be at stake. Company information, client and customer details, bank accounts, third-party logins…you name it, and it could be laid out for nefarious takers.

To that end, you should secure WordPress logins with two-factor authentication (2FA). Fortunately, this is just an add-on away. I’m going to show you how it’s done.

SEE: Security incident response policy (TechRepublic Premium)

What you’ll need

How to install the add-on

Log in to your WordPress instance as an admin user and go to the Plugins section. Click Add New and then, in the resulting window, type WP 2FA in the search field (Figure A).

Figure A

Locating the 2FA add-on for WordPress in the Plugins section of your wp-admin page.

The WP 2FA plugin should appear below the search, where you can click Install Now to add the feature. Once the plugin is installed, click Activate to activate WP 2FA (Figure B).

Figure B

Activating WP 2FA for your WordPress site.

How to configure WP 2FA

After you activate the plugin, you’ll be presented with a very easy-to-use wizard that will walk you through the setup (Figure C).

Figure C

The WP 2FA setup wizard can walk anyone through the setup of the feature.

You have two choices on how to use the 2FA code:

One time code via an app (such as Authy or Google Generator)

I’ve tried both options and they work fine, so choose whichever method best suits your needs. After you’ve successfully set up the 2FA authentication, you can then configure which method regular site users are required to work with. To be safe, I’d go with the email option—otherwise, you’re going to have to also instruct your users how to install and use a third-party application. Make this as simple as possible and go with email (Figure D).

Figure D

Configuring how users interact with WP 2FA on your site.

You next need to select if you want to use 2FA all the time for all users (Figure E). 

Figure E

How you want to enforce 2FA on your WordPress site is up to you.

Finally, you can exclude certain users and roles from having to use 2FA on your site. If you want to go for the most secure option, I wouldn’t recommend excluding anyone from this list. The only reason you might is to ensure you have one admin user who can always gain access to the wp-admin section of the site. I’ve had one instance where an update to the MiniOrange authentication plugin broke my ability to log in to a site. I had to SSH into the site and manually disable the plugin, to log in. Do what’s best for you, and go with the configuration that best fits your security needs.

And that’s all there is to securing your WordPress sites with 2FA.

Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

This content was originally published here.