Online security is the primary concern for everyone, and your WordPress site is like your information repository. You must have already selected a unique password for your WordPress admin account. Do you think that is enough for your data security?
Just like Google, Facebook and WhatsApp, WordPress now allows you to set up a two-factor authentication to secure the WordPress site doubly.
What is a two-factor verification process?
Two-factor authentication or two-step verification is a way of securing your online accounts from hackers. This method requires not only knowing a password for login but also verifying the login process through a code delivered to a linked mobile device, in real-time.
While securing your WordPress site with two-factor authentication, you would need to verify your mobile with a code sent to you by WordPress team. Once your mobile device is verified, every time you try to login to your WordPress account, you will be sent a new code that you need to enter on the wp-login page.
Other than the method mentioned above, you can also secure your account with the Google Authenticator app. However, before discussing the verification process, it is essential to know why two step-verification is necessary for online security.
Why should you add a two-factor authentication for your WordPress admin?
Have you ever thought how easily online accounts get hacked? The easiest trick that hackers apply to trespass your online accounts is known as brute force attack. Hackers use automated scripts to guess or steal your username and password. This way they can get access to all your confidential data and inject malware into your website.
The two-factor authentication method saves your online account from any malware attack and stolen data. Even if somebody gets access to your password, they would require your verified mobile device for crossing the final step of getting account access.
Adding a two-factor authentication to your WordPress account is not difficult. Let us quickly have a look how easily you can set up two-factor verification for your WordPress login.
01. Two-Step SMS verification
After entering your WordPress username and password, the two-step SMS verification method asks the user to enter a code sent to the verified mobile device to login to your WordPress account.
Here is your step-by-step guide to set up two-step SMS verification on WordPress admin screen:
Firstly, Install the “Two Factor” and “Two Factor SMS” plugin to your WordPress account.
Two Factor –
This plugin offers you multiple methods to set up a two-step verification for WordPress login.
Two Factor SMS – This is an add-on plugin for “Two Factor”, which provides additional support.
Install and activate both the plugins.
After activating both the plugins, navigate to the “User” section and click on “Your Profile”. Scroll down to select the SMS (Twilio) option. If you want to make SMS (Twilio) your primary verification method, click on the radio button next to SMS (Twilio).
As you can see in the above-displayed screenshot, you would require a Twilio account to go further.
Twilio is a service provider for voice messaging, phone and SMS for your applications. Creating an account on Twilio is free of cost.
Go to the Twilio website, click on “Sign up” and create your free account. On the signup page, you need to enter your details like first name, last name, company name (optional) and email. Set up your desired password and then select the product you want.
You have to select “SMS” as your chosen product, two-factor authentication for building option and PHP as your language.
Once the signup is completed, the site will take you to the Twilio dashboard. Click on “Get Started”.
Navigate to the Settings page where you need to click on “Get your first Twilio number”. A pop-up window will display the designated Twilio number; click on “Choose this Number” and save it to a .txt file.
Exit the wizard and go to Settings > Geo Permissions > Messaging Geographic Permissions section. Select the countries from where you need to receive the SMS. Now, navigate to the Twilio Console Dashboard. Here you will get your first Twilio Account SID and AUTH Token. Copy and save the information on Console Dashboard for further use.
Go back to the WordPress Dashboard > User section > Your Profile and navigate to the Twilio section to fill Twilio account information.
Fill in Twilio Account SID, AUTH token and sender phone number. In the “Receiver Phone number” column enter your phone number and click on “Update Profile”.
Your two-step verification setup is complete. Test the setup by logging out, refreshing the page and try to login again. The login page will first ask for your username and password, and then a verification code that you will receive on your mobile device.
02. Two-factor Verification with Google Authenticator
Two-factor verification with Google Authenticator app is useful when it is not possible for you to receive an SMS verification code.
To setup Google Authenticator, go to “User” section of your WordPress dashboard and click “Your Profile.
Scroll down and select “Time Based One-Time Password (Google Authenticator)” from the list. Enable the app and click on “View Options” to setup Google Authenticator.
WordPress will show you a QR code to scan with Google Authenticator app.
To scan and verify the app with WordPress, you need to install Google Authenticator on your Android device.
Once the installation is done, click on the button visible at the right bottom corner of the app and scan the QR code from the plugin settings page with your mobile camera.
After scanning the QR code, click on “Update Profile” and logout from WordPress.
In case you lose your phone or by mistake delete the Authenticator app, use a backup code to access your account. Fill in your login details like username and password and enter the backup code instead of the verification code. The backup code is only valid for one-time usage, so enter the code carefully.
A website is a significant investment. You need to protect it against hackers through various security methods. Two-factor authentication is by far the best way to keep WordPress secure.