How To Secure WordPress Website With Two Step Authentication
How many online accounts do you have, and how many of them share the same password? If an attacker takes over one account, a reused password lets them take over the others. Weak, guessable passwords and logins over untrusted public networks make that even easier, and the first casualties are your private data and, most importantly, your websites.
Every day, automated bots attack thousands of WordPress sites and use the ones they compromise to serve malware and spam to visitors. A site that is found to be infected is quickly flagged or removed by search engines, and some hosting providers suspend it outright. The site then loses traffic and revenue, and all the work that went into it is wasted.
What is Two Step Authentication ?
A password alone is a single point of failure: it can be phished, reused from a site that was breached, or guessed by brute force if it is weak. That is why a second layer of security is needed, called two step verification or two factor authentication. The idea is that users prove their identity not only with something they know (the password) but also with something they have (a phone, an authenticator app or a hardware token). Note that a captcha is not a second factor: it only slows down automated guessing and proves nothing about who is logging in. Some sites instead ask for an additional PIN or a pattern, but those are still "something you know" and give far less protection than a possession factor.
In the two step process you log in as usual with username and password and are then asked for a code delivered to your phone, your email address or another device you control. Without that code the login does not complete, so even if your password has been stolen the attacker still cannot reach your site. The code is commonly called an OTP (one time password): it is valid for a single login and only for a short time, and only after entering it can the user access the site.
Methods to receive the verification code
Before you enable two step authentication on your site, look at the different ways the code can be delivered so that you can choose the one that suits you. The code you enter during verification can arrive in any of the following ways:
- SMS: the code is sent as a text message to a verified mobile number. It is convenient, but text messages can be intercepted or redirected (for example through SIM swapping), so it is the weakest of the options listed here.
- Email: when the user tries to log in, a code is generated and sent to the user's email address, so the protection is only as strong as that mailbox.
- App generated codes: apps such as Google Authenticator and Authy compute a fresh code on the phone from a secret shared during setup, typically a new six digit code every 30 seconds. Setup takes a moment (usually scanning a QR code), and after that the app needs no network connection.
- USB tokens: the user inserts a hardware token into a USB port and touches it or enters its PIN, nothing more. The secret never leaves the token and no code travels over a network, so there is nothing to intercept, which makes this a very safe method. It does not work on phones that have no USB port.
SMS and email need a cellular or internet connection to deliver the code, while app generated codes and USB tokens work without any connectivity.
Different services offer different delivery options: some let you choose between SMS and email, others support only one, so check what is available and pick what is best for you.
Two step authentication has been around for quite some time, and more and more websites now offer and enable it. By demanding a second, independent proof of identity it prevents account takeover, site compromise and data theft.
Here are some of the top free and paid plugins and apps that add two step authentication to WordPress.
Clef
No password and no codes, but a very secure sign-in: that is what Clef does. Clef is a free two step authentication WordPress plugin paired with a mobile app. Install and activate the plugin, then install the Clef app on your phone and choose login with your phone. To log in you point the phone's camera at the animated "Clef Wave" on the login screen so that the app can sync with it. You can sign out manually or let a timer end the session. (Clef shut down its service in 2017, so the plugin no longer works; the technique is still worth understanding.)
Clef uses RSA public key cryptography: the website holds the public key and the private key lives only on the user's phone. When the user logs in, the phone signs a fresh challenge with the private key and the website verifies that signature with the public key. Because a public key cannot produce a signature, a copy of what the server stores is useless to an attacker, and there is no password to phish or crack. It is not foolproof, though: the security now rests on the phone, so a lost or stolen phone must be revoked promptly.
Clef also disables password authentication on the WordPress login page, in the dashboard and at the API level, so that a phished or leaked password cannot be used to bypass it.
Rublon
Rublon is one of the easiest plugins to use: just install and activate it, with no configuration and no extra code. It does not send one time passwords; instead it sends a verification link, and only once per new device. On the first login after installing the plugin you enter your username and password as usual and then click the link the plugin emails you; until you confirm, you cannot reach the dashboard or admin panel. Later logins from the same device need no confirmation, but a login from a different device, such as a phone or tablet, must be verified again.
For additional security and more control, Rublon also offers an optional mobile app. If you use it, you scan the code shown by the plugin with the app to confirm your identity, and only then is the dashboard unlocked. All communication between the website, Rublon and the mobile app is encrypted.
Rublon is free for personal use on one website. To protect a business site or several sites you need the paid Rublon Business API. The paid plans let you create user groups and assign a different security level to each, and they also stop anyone else from changing your password, since every password change must be confirmed through your email account.
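The Rublon flow above, a one-time email link followed by a remembered trusted device, is a pattern worth seeing in code. The following is an added illustration, not Rublon's code: an in-memory dict stands in for the site database, the verification URL, server key and time limits are assumed values, and the device identifier is whatever the site uses to recognise a browser (for instance a random cookie set on first visit).

```python
"""Email-link device verification with a signed trusted-device marker.
Added example, not Rublon's code: the dict below stands in for the site database,
and VERIFY_URL, the server key and the TTLs are constructed values."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

LINK_TTL = 15 * 60            # a verification link is usable for 15 minutes (assumed)
TRUST_TTL = 30 * 24 * 3600    # a confirmed device stays trusted for 30 days (assumed)
VERIFY_URL = "https://example.com/wp-login.php?action=verify-device&token="  # constructed


class DeviceTrust:
    def __init__(self, server_key: bytes):
        self._key = server_key
        # sha256(token) -> (username, device_id, expiry). Only the hash is stored,
        # so a leaked database does not contain usable links.
        self._pending: Dict[str, Tuple[str, str, int]] = {}

    def issue_verification_link(self, username: str, device_id: str, now: int) -> str:
        """Password was correct but the device is unknown: email a one-time link."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (username, device_id, now + LINK_TTL)
        return VERIFY_URL + token

    def confirm(self, token: str, device_id: str, now: int) -> Optional[str]:
        """The user opened the link. Any attempt consumes it (single use).
        Returns the trusted-device marker to store as a cookie on that device, or None."""
        entry = self._pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None:
            return None
        username, bound_device, expires_at = entry
        if now > expires_at:
            return None
        # The link must be opened from the device that requested it, so a forwarded
        # or phished link cannot bless the attacker's browser.
        if not hmac.compare_digest(bound_device.encode(), device_id.encode()):
            return None
        return self._sign(username, device_id, now + TRUST_TTL)

    def _sign(self, username: str, device_id: str, expires_at: int) -> str:
        # Identifiers must not contain "|"; a marker with the wrong field count is rejected.
        payload = f"{username}|{device_id}|{expires_at}"
        tag = hmac.new(self._key, payload.encode(), "sha256").hexdigest()
        return f"{payload}|{tag}"

    def is_trusted(self, marker: Optional[str], username: str, device_id: str, now: int) -> bool:
        """The second step may be skipped only if the marker is intact, unexpired
        and was issued for exactly this user on exactly this device."""
        if not marker:
            return False
        try:
            m_user, m_device, m_exp, _tag = marker.split("|")
            expires_at = int(m_exp)
        except ValueError:          # wrong field count or non-numeric expiry
            return False
        expected = self._sign(m_user, m_device, expires_at)
        if not hmac.compare_digest(expected.encode(), marker.encode()):
            return False
        return m_user == username and m_device == device_id and now <= expires_at


def login(trust: DeviceTrust, marker: Optional[str], username: str, device_id: str, now: int) -> str:
    """Runs after the password check: let the session through, or send the link."""
    if trust.is_trusted(marker, username, device_id, now):
        return "ok"
    return "verify:" + trust.issue_verification_link(username, device_id, now)


if __name__ == "__main__":
    trust = DeviceTrust(secrets.token_bytes(32))      # real key comes from config, not code
    now = int(time.time())
    print(login(trust, None, "alice", "browser-cookie-1", now))   # first login: link is sent
```

The two details that matter most are that a link is consumed on its first use, successful or not, and that the marker is bound to both the user and the device, so a stolen cookie does not unlock the account from another browser.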
5sec Google Authenticator
5sec Google Authenticator is a premium plugin sold on CodeCanyon for $18. Once it is activated, nobody can log in with your password alone. At every login a one time code is required, which the user reads from the authenticator app on their phone, and only after the correct code is entered is access granted. Each code is accepted for a short window of 5 to 10 minutes only.
The plugin also protects the site against brute force attacks with IP based lockout. If you leave the site without logging out, it logs you out automatically after a period of inactivity and shows the login box in a lightbox, so after entering a fresh code you can continue where you left off.
What if you lose your phone? In that case a unique, site specific URL lets you log in with just username and password. Treat that URL as a secret equal to your password: anyone who learns it can bypass the second factor, so store it offline and never share it.
Duo Two Factor Authentication
Duo Two Factor Authentication is a simple plugin with several verification options. All users and admins must verify with a device in their possession. The plugin offers the following ways to prove identity or receive the code:
- One tap approval ("push") in Duo's mobile app
- One time passcodes generated by Duo's mobile app
- One time passcodes delivered by SMS
- A phone callback to any phone, including a landline
- One time passcodes generated by an OATH compliant hardware token
To use the plugin you must sign up for a Duo account and connect the plugin to it. You also choose the user roles for which two factor authentication is enforced; roles you leave out keep password-only login, so include administrators at minimum.
Authy
Authy is a very simple plugin for two step authentication. To use it you sign up for an Authy account and obtain API keys.
Then install and activate the plugin and enter the API keys. You choose the user groups to which the second step applies, such as administrators and editors. When those users log in, a code is sent to their phone, and only after they enter it do they get access to the site.
WP Google Authenticator for WordPress
First install the Google Authenticator app on your phone, then install and activate the plugin on your WordPress site. Add the site to the app by scanning the QR code the plugin shows. That QR code carries the shared secret, so display it only on a trusted screen and do not leave it visible or save a screenshot of it. You can also select which users or roles must use this two step login.
The plugin also gives you a small set of backup codes to keep for the case where you lose the phone or cannot open the app; each code lets you log in once. Print them or store them in a password manager, not on the phone itself. The codes can be regenerated later if you use them up.
WP Google Authenticator is fully compatible with Authy, because both implement the same standard time based code algorithm (TOTP): you can enrol the site in Authy instead of Google Authenticator and use it to generate the codes.
Two Factor Auth
Two Factor Auth has no code generator of its own; it works with third party apps such as Google Authenticator to produce the six digit code. It offers two delivery channels, email and mobile app, but each user can pick only one of them.
Codes are generated with the industry standard algorithms TOTP or HOTP (RFC 6238 and RFC 4226): TOTP is time based, producing a new code every 30 seconds, while HOTP is event based, producing a new code each time a counter is advanced.
Two Factor Authentication by miniOrange
Two Factor Authentication by miniOrange works like the other verification plugins but has some additional features and options that make it more flexible and attractive.
The plugin comes with the miniOrange mobile app and also works with Google Authenticator and Authy without any problems. If you lose your phone, you can receive the OTP by email instead.
The miniOrange app supports 15 authentication methods including SMS, QR code scanning, email verification, hardware tokens, push notifications and more. When logging in from a phone you can choose security question based login instead of an OTP, but keep in mind that security questions are a knowledge factor, not a possession factor, and weaken the protection. The plugin also works with WooCommerce stores.
These are a few popular plugins for two step authentication. If you use another one, please share your thoughts in the comments.