The two-factor authentication is need of hours. One of the prime targets of the hackers' bot is the administrator account on WordPress websites. Therefore, it is essential that administrator account must be inside a multi-layer security grill. A mere password is not enough to shield it from hackers' bot.
Very soon, two-factor authentication is going to be part of the WordPress core. Along with password, you would be able to set two-factor authentication for login accounts. No deadline has been set yet, though. The work is on to develop robust inbuilt two-factor authentication for WordPress websites. WordPress core developers have been testing a plugin for that. Once the plugin becomes stable, it would merge into the WordPress core. Read also Get a Secure Reliable Email with Feature Advantage of Gmail.
Best Plugin to add two-factor authentication on WordPress website
Currently, not many plugins are there in the WordPress repository to add two-factor authentication on WordPress websites. Moreover, the top-rated plugin claim to provide secure two-factor authentication takes enormous server resource to make the plugin work. In fact, most of them have a big size with some unwanted features hence puts unnecessary load on the website server. Read also Solved-Cookies Are Blocked or Not Supported By Your Browser.
I have tested the top-rated plugin for two-factor authentication; most of them were increasing server response time. Having a secured login but a slow website would be foolish. Google would demote your site in search rankings. Plugins are for adding qualities, making the website more secure and enhancing visitors’ experience. You do not install a plugin, which throttles performance of your site.
Now the question is which plugin is the best to implement two-factor authentication? How to enable two-factor authentication on your WordPress website?
The official two-factor plugin is the best solution. The plugin is light (only 55.5 Kb), user-friendly, and the rationale behind the authentication methods are well thought out. On top of that, it would not take server resource to provide two layers of additional security to the login accounts. It is a great plugin, and its functioning going to bring you peace. In fact, enabling this plugin on your site meaning login accounts on your WordPress website is adequately secured. No longer have you needed to fear hackers' bot.
Not to worry about the plugin being in the BETA version. As I already suggested above it is an upcoming feature on WordPress. And, the feature is currently being tested in the form of a plugin. Soon it is going to merge with WordPress core. Until then it would remain in a BETA version plugin. The developer has confirmed although the plugin is stable and can be installed on a live website.
Here I am going to guide on how to install and set up the two-factor plugin on your WordPress website. If you follow me here, you will complete the task successfully. However, if you do it your own, very likely you might end up screwing up login method of your website.
In my last article on this website, I explicitly argued that whenever you intend to alter login/access method, first think all pros and cons, then take a full backup of your site, and then move forward. Follow the next eight proper steps to install the two-factor plugin on your website successfully. Read also How to Secure Administrator Account in WordPress Website.
Setup two-factor plugin on your website in eight easy steps
Assuming that you have made a full back up of your WordPress website, follow the steps to implement two-factor security.
Step One: – Install and active the two-factor plugin on your website.
Step Two: – In “All users,” can you see a new column erected at the end to show the enable/disable status of two-factor for each account.
Step Three: – Click on the edit link associated with the account you need to enable two-factor authentication. That should be the primary administrator account.
Steps Four: – Scroll towards the end you will see two-factor options.
Step Five: – Enable all the options other than the “FIDO universal 2nd factor” and “Google Authenticator OTP.” To setup “FIDO Universal 2nd factor” requires a particular device that would cost not less than 2000 Rupees. So ignore it. The rest four options are more than enough to authenticate login securely to your website. The primary authentication at this point should be set to email code.
Currently, we are doing just test setting. It is not the final settings. Only two authentication options should remain active, one as primary, and another as a backup method in the final settings of the plugin although.
Step Six: – Generate and Download single-use verification code. These codes are vital would be needed if other authentication methods fail. Next, scroll to the end and hit update the profile. I just hope alteration in the account has been accepted and saved — without any error.
Step Seven: – Setup Google Authenticator. You must have a smartphone with a rear camera and Google Authenticator app installed on it. Click on the view option to open up the QR Code in the two-factor setting on the website. Next, open the Authenticator app on your smartphone, click on the plus sign, and now scan the QR code shown there.
Step Eight: – Enter the code showing (valid for 30 seconds only) on the Authenticator app into the authentication code box there on your website. Now quickly move and update the account profile before the code expires.
Thus, the initial setup of the two-factor plugin on your website has been completed. Time is to test the settings.
Test Two-Factor Authentication on your WordPress Website
Log out, log in again, and test the validity of the each of the four methods of authentication. Also, check what happens if a wrong code provided, then how the server responds. Can you login to the site after completing authentication? It means the plugin for the settings is working fine. You have successfully implemented two-factor authentication on your WordPress website. Now after giving username and password, you have three ways (not including the dummy method) to re-verify yourself as a genuine user.
After the final settings, only two ways should remain enabled on a well-secured website. Uncheck dummy and backup verification code method, keep the primary way Google Authenticator OTP, and Email code as the backup method in case you lose your phone. Alternatively, you can keep it vice-versa. Now the installation process of the two-factor plugin on your WordPress website has been completed.
Recently, I was trying to set up the two-factor plugin on my friend's website. Since she was not comfortable with the Google Authenticator OTP option, I selected only the Email and Single Use code method. I asked my friend to log out and log in again and test the two-factor authentication to check whether it works or not. The website was throwing 403 Error instead of sending an email code to complete the login process. Then we had to use the backup method a single-use code to get access to the site.
That is why I asked to enable all the four methods to authenticate in the initial setup. You cannot be sure which way would work and which would go error. All three approach should work — depends on website setting, server setting. Therefore, in the initial configuration, all the four login authentication ways must be enabled.
How to Access the Website when all the methods fail
There could be numerous reasons to forbid you to complete authentication and access to the dashboard of your WordPress website. You might lose your phone, wrongly uninstalled Google Authenticator app, Mail Engine failure on the server…anything is possible. It is unlikely but cannot be ruled out that the plugin fails to match the code. In such a situation how you are going to log in to your WordPress website.
Do not worry the process is straightforward. Login to your website server and reach to the file system. Next, go to WP-content and now open the plugin folder.
Can you see the file folder for the two-factor plugin? Rename it to anything. Renaming the folder will disable the plugin, and you would be able to get access to your website by using the account username and password. Once you have successfully logged in, rename the plugin folder to its original name, or delete it — the choice is yours.