Did you know that WordPress accounts for over 30% of the CMS market share? It is one of the most loved CMS platforms for developing sites, but with this kind of popularity comes a certain amount of risk. WordPress has become a major target of cyber-attackers who are always looking to exploit vulnerabilities in WordPress installations so that they can gain access to a percentage of the entire internet. This is why you ought to keep an eye on your WordPress security and one of the simplest ways to do this is by adding an extra layer of protection/authentication to your WordPress login pages. This is otherwise known as two-factor authentication (2FA) and the beauty is that there some cool plugins you can use to do this today. Below we will be reviewing 5 two-factor authentication plugins that you can use to secure your WordPress login pages from attacks. Let’s dive in, shall we?
IThemes Security is a very popular security plugin for WordPress featuring a plethora of WordPress security features that include Two-Factor Authentication. This plugin covers more than just 2FA as you can also get features such as Malware Scan Scheduling, WordPress Salts & Security Keys, the ability to customize login URL, and the ability to import and export security settings among others.
The 2FA feature allows you to increase the security of your admin panel by adding a second screen after the usual login page. This screen will prompt the user to enter a code sent to a paired phone or email address. An additional benefit of this plugin is that it works with iOS and Android two-factor authentication apps that support TOTP (time-based one-time password provider). This includes the likes of Google Authenticator, Authy, Toopher and FreeOTP Authenticator on Android and iOS devices.
The only downside is that most of the cool security features on iThemes Security come with the pro version including the 2FA feature.
- The plugin is bundled with a good selection of security modules for WordPress e.g tools for Brute Force prevention, malware detection, 404 error detection, tools for managing and configuring passwords, reCaptcha, Two-Factor Authentication among others
- It is relatively easy to install and navigate through the plugin features plus it has a good documentation
- Most of the security features are only available to premium subscribers including the Two-Factor Authentication feature.
WordFence Security plugin is another freemium plugin that adds 2FA to WordPress sites. Just like iThemes Security, this plugin features a wide variety of security features like a WordPress firewall, security scanner, and other security tools that come in the shape of Live Traffic monitoring and two-factor authentication to stop brute force attacks. The plugin’s 2FA tool has two methods of authentication: you can opt for an SMS code or use the Google Authenticator App installed on your mobile device to add security to your WordPress. There are two security options afforded by Wordfence 2FA as well. You can require 2FA for all administrators or you can enable separate prompt for the code.
If you chose to go with the former, then all the admins on your site will have to login via the 2FA but one admin user must have 2FA enabled before enabling this option. Enabling a separate prompt, on the other hand, will give a user the option of entering the code after entering the usual WP user-password combination.
- It offers other security features apart from the two-factor authentication e.g Spam filter, Country blocking, malware scanning and real-time blocking etc.
- It comes with a number of 2FA options
- The plugin is easy to setup and use
- The 2FA feature is only available for Premium subscribers
Mini Orange is one of the fastest growing security companies with a very good track record when it comes to matters of Cloud Security, Identity & Access Management, Mobile and Security Vulnerability Management. The two-factor for WordPress plugin is one of their cool tools designed to help add a layer of security to protect your WordPress account. Like most of the other 2FA plugins, you can pair up with a phone to add another step before you can login into your WordPress. The only difference though is that miniOrange have their own custom app you will use to pair up with your phone. In other words, you will not need to use another app like Google Authenticator to pair up your WordPress account with your phone.
- The plugin is easy to setup, a feat that has been made even better by the documentation provided by miniOrange
- The plugin comes with its own phone app, i.e the miniOrange Authenticator app which adds extra security in terms of data encryption and build-in pin protection
- This is a premium plugin but there is a free trial
- It doesn’t support hardware-based authentication
This is a plugin developed by Duo Security with an aim of providing two-factor authentication as a service. Again, the plugin helps you add another layer of security by letting users or admins verify their identities through something like a phone or hardware tokens. Using the plugin is also simple. You just need to sign up to the Duo Security service, install the two-factor plugin and enable 2FA for your WP users. The plugin allows a variety of authentication options including using the Duo Mobile app, one-time passcodes via SMS, phone call and passcodes through OATH-compliant hardware token
- It offers multiple ways to authenticate to the WP site including via a phone call
- The plugin is well documented making it easy to install and navigate through
- It is a free plugin
- The free version only allows up to 10 users
Google Authenticator for WordPress is one of the best free plugins for adding an extra layer of security to your site’s backend. It is a plugin that lets you use your Android, iPhone or Blackberry phone to implement 2FA on your WordPress site. The setup is quite simple, you just need to install the plugin within WordPress then enable Google Authenticator settings on your user’s panel and finish up by scanning the QR code with the Google Authenticator app installed on your phone.
Once you have set it up, you will see the second form of authentication the next time you want to login to your site. It is that easy, no wonder Google Authenticator For WordPress is one of the most used 2FA plugins on WordPress
- It’s free
- It is pretty simple and straightforward to setup and use
- You will need to disable the plugin manually via your Cpanel in case you lose the phone paired with your site.
- There is no option of implementing 2FA to all users thus you have to do this manually for all users
That’s it! It’s now time to take your pick. You can go for a free plugin if you are looking to only secure your login pages from things like brute force and phishing attacks. Alternatively you can buy a premium 2FA plugin if you want to implement advanced WordPress security.
And don’t forget, if you need help implementing security on your WordPress website, WPbees is just an email away!