Best Two-Factor Authentication WordPress Plugins
Did you know that you can add two-factor authentication to WordPress? If you’re not sure you would want to add two-factor authentication to your WordPress website, consider this: how many accounts across the internet do you possess? Are all of them password protected? How many share the same password? If an unwanted visitor gains entry into one account, he will most likely gain entry into others. You make it easier for him if you use easy-to-guess passwords or log in over public networks. Is your password the name of your pet dog? Your birthday? Have you written it down in a diary?
Every day, bots attack thousands of WordPress websites and expose their visitors to malware. A bot-infested website gets de-listed by search engines, and hosting providers may block access to it. The website then begins to lose traffic, and all your hard work is reduced to nought.
What is Two-Factor Authentication?
Passwords can be broken, especially by brute-force attacks. This is where it helps to add another layer of security beyond a simple password. Two-factor authentication is one way of doing this. In fact, many popular websites (e.g. Facebook, Gmail, PayPal) use two-factor authentication to minimize security breaches in case an attacker steals user credentials.
So what exactly is two-step or two-factor authentication (2FA for short)? In its simplest form, you could call having to enter a CAPTCHA a kind of two-factor authentication. Or you may be required to enter an additional PIN. Some websites need you to identify a pattern before you can log in. What two-factor authentication essentially means is that users have to confirm their identity beyond a password, using some device that they have in their possession.
The technology does not replace the password; it adds an extra step that only you, the rightful admin, can complete. You log in just as usual, but after that you need to enter a code that is sent to your mobile or another device. 2FA offers an additional layer of security, so that even if your password is compromised, the attacker cannot access your website without that additional code. The code is sent to your registered phone number, email address, or app; it is commonly referred to as a One Time Password (OTP), and only upon entering it is access to the website granted.
How do you receive the verification code?
Before you begin to use two-factor authentication on your site, it makes sense to understand how the second step works, so that you can pick the method best suited to you. The code that you input during verification can be received in any one of the following ways:
- Email Services: When you try to login, the code is sent to your email.
- SMS: Sent to your mobile phone.
- App-generated codes: Apps like Google Authenticator automatically generate a new code at short, fixed intervals. You enter the code currently shown in the app when you log in. The app may take a bit of setting up.
- USB tokens: You simply insert a token into your USB port (and maybe enter a token password); nothing further is needed. This is a very safe method, as there is no way for the authentication to be intercepted. Its disadvantage is that it does not work with mobiles, since the token needs to be inserted into a USB port.
The first two methods need internet or cellular connectivity to receive the code, while the last two do not depend on connectivity.
Not all services offer all of these options, so choose what is best for you. Some services offer more than one option, which gives you a fallback. Often, when you set up the authentication, you are provided with recovery codes, which you should note down and keep safely.
In today’s post, we share our picks of the best two-factor authentication WordPress plugins to bolster security on your login page. The 2FA WordPress plugins in the following section are all easy to configure. They ship with adequate installation instructions and documentation, so we don’t expect any problems. And please feel free to share your favorite 2FA WordPress plugins or your security concerns at the end. Without further ado, let’s get down to business.
1. CM Secure Login Pro
With CM Secure Login Pro there are a variety of easy two-factor authentication options. Enable settings to allow users to choose a Google Authenticator one-time password, an SMS text message code (note: this requires Amazon SNS), an email code, or an email one-time login link. With the plugin installed you can also enforce 2FA for your site users, and even disable traditional passwords entirely.
What makes this plugin unique, though, are the additional settings. These include options to enable or disable specific authentication methods per user, limit the total number of IP addresses per user, and limit the number of approved access devices for each user. Messages are also easy to customize thanks to the use of templates, and as the admin you can view statistics for login attempts. Plus, CM Secure Login Pro is compatible with WooCommerce forms, so it’s a great option for your e-commerce store too!
2. Wordfence Login Security
If you’re looking for reliable 2FA, then the Wordfence Login Security plugin is a great option. This free plugin adds two-factor authentication, XML-RPC protection against brute-force attacks, and a login page CAPTCHA to prevent spam.
With Wordfence Login Security you can use any TOTP-based authenticator service or app and enable the feature for any user role. So if you are only concerned with admins and editors, enable it for them. Or if you have a forum, expand it to your subscribers; it’s up to you. The added CAPTCHA and XML-RPC protection are a bonus that keeps your site login extra safe. And the plugin is 100% free!
3. Two-Factor
The Two-Factor WordPress plugin is a free and open-source project. It is one of the simplest two-factor authentication WordPress plugins you will ever use.
Once you install the plugin, navigate to Users > Your Profile and scroll down to the Two-Factor Options section. There you can enable and configure your two-factor authentication options.
The Two-Factor WordPress plugin supports four authentication methods: codes sent to an email address, Time-Based One-Time Passwords (TOTP), FIDO Universal 2nd Factor (U2F), and backup verification codes.
Besides, you get a dummy method that’s handy for testing. On top of that, you can actively contribute to the project and follow its progress on GitHub. The Two-Factor WordPress plugin also supports 15 languages, making it a great option for a wide user base.
4. WP 2FA
Add two-factor login authentication for free with WP 2FA from WP White Security. Stop brute-force attacks in their tracks and ensure that even weak passwords aren’t compromised, thanks to an added layer of authentication. The setup wizard makes it easy to have 2FA added to your site in no time. You can choose the authenticator app (Google, Authy or any other), choose which users to enforce 2FA for, and even enable a grace period.
5. Two Factor Authentication by UpdraftPlus
UpdraftPlus may be known for their backup plugin, but their Two Factor Authentication plugin is another great security-focused plugin you should take note of. You can use TOTP or HOTP to set up authentication through apps, enable QR codes for quick setup, enable 2FA for select user roles, or allow users to disable 2FA (if you want to give them the choice).
Another great thing about this Two Factor Authentication plugin is its compatibility with popular plugins including WooCommerce and bbPress, with multisite, and with every third-party login form for WordPress. So you can secure your entire site, no matter how large a community you’ve built.
6. miniOrange Google Authenticator
Next on our list is Google Authenticator by miniOrange, a reputable WordPress plugin developer. The plugin offers you a complete solution to secure your WordPress login pages without paying a dime.
Google Authenticator is a remarkable two-factor WordPress plugin that is easy to set up and use. It ships with a set of features more than enough to keep the impersonating hacker at bay.
The plugin boasts features such as a slick user interface, a variety of authentication methods, multi-language support, TOTP and HOTP support, brute-force attack prevention, IP blocking, custom security questions, support for multiple WordPress form plugins, GDPR compatibility, and a massive list of extra premium features.
The core plugin is free for one user, and you can always get support on the plugin’s support forum.
7. Duo Two Factor Authentication
The Duo plugin helps you add two-factor security to your WordPress site quite easily. All users and admins need to verify themselves with a device that they have, such as a hardware token or a mobile phone. This also helps you keep track of user activity on your website.
To make use of this plugin, you have to install it, activate it, and then sign up for Duo’s service. On signing up, you are given the security keys the plugin needs. You can then go about specifying the user roles for which you want to enable two-factor authentication.
Users can verify themselves in multiple ways. They can use OTPs delivered by SMS to their cell phones, generated by a hardware token, or generated by Duo’s mobile app. They can also receive a call back on any phone, or use Duo’s mobile app for one-tap authentication.
8. WordPress 2-Step Verification
You don’t have to worry about hackers stealing your login credentials anymore with the WordPress 2-Step Verification plugin. It incorporates the best login page 2FA protection measures and ensures the attackers stay where they belong: outside your admin area.
The plugin is easy to set up and use, and we expect you to configure everything in less than 10 minutes. If you experience problems, the developer, as247, is ready to help you via the WordPress.org support forums.
WordPress 2-Step Verification ships with a slew of amazing features, including multisite support, email codes, app-generated codes, SMS verification, and backup codes.
In case you lose your phone or your verification codes, you can use easy recovery via FTP, which is a lifesaver. Furthermore, you can deactivate 2-step verification on the devices you trust, such as your personal computer.
Are you wondering how the plugin supports app-generated codes? The developer offers an Authenticator app on the Play Store. The app also helps you generate app-specific passwords for apps that don’t support 2-step verification.
At the time of writing, the plugin doesn’t support the Gutenberg Editor, meaning you need to activate the Classic Editor. Plans are underway to add support for Gutenberg, but if you don’t mind using the Classic Editor, the WordPress 2-Step Verification plugin is a great option.
9. Rublon Two-Factor Authentication
Next up is Rublon Two-Factor Authentication. The sole purpose of this brilliant WordPress plugin is to keep the bad guys out, which it does effectively. It’s a simple solution to enable two-factor authentication on your WordPress site.
The Rublon Two-Factor Authentication plugin is super-duper easy to install and use; you need no training or technical knowledge to hit the ground running. You only need to install the plugin and connect it to the Rublon API using a system token and security key.
After that, you’ll receive a verification link via email. Once you confirm your identity, you need to configure a few options, and you’re good to rock the party.
Rublon supports several two-factor authentication methods, including email, SMS, QR code, push notifications, and TOTP, among others. Additionally, you can whitelist trusted devices, eliminating the need for two-factor authentication on subsequent logins from them.
The plugin comes with a friendly backend interface that makes adding two-factor authentication to your WordPress site a breeze. It supports five languages, and security experts and beginners alike are saying great things about the plugin.
10. GatewayAPI
Perhaps the other two-factor authentication plugins on our list don’t cut it for you in terms of ease of use. If you’re looking for a useful but super-duper easy plugin, say a big hello to GatewayAPI.
GatewayAPI is not your typical two-factor WordPress plugin. It’s a complete engine that helps you send SMS messages right from your WordPress admin area. On top of that, the plugin comes with a free and easy-to-use two-factor authentication feature.
Notable GatewayAPI features include the capability to add custom data to SMS messages, import recipient lists from CSV files, bulk sending, recipient segmentation, remembering devices for 30 days, and more.
To get started, install the plugin and sign up for a free GatewayAPI.com account. Don’t worry; if you’re stuck, the plugin ships with helpful text and a step-by-step guide full of screenshots. Between you and me, I doubt you will need to read the documentation to enable two-factor authentication.
11. General Security Plugin
Another option is to just use an all-around security plugin. Two-factor authentication is a subset of the features included in many popular security or site management plugins. So if you’re interested in a suite of security options, I’d suggest checking out one of the main WordPress security plugins and skipping a login-specific one. Here are a few good options:
- Wordfence – A popular, all-around security plugin that also features 2FA via any TOTP-based app or service.
- iThemes Security – iThemes is another security plugin which offers 2FA via apps (Google Authenticator, Authy, FreeOTP and Toopher), email, or backup codes to further secure your site.
- SiteGround Security – Brought to you by SiteGround (and we assume originally built for their customers), this free security plugin has loads of features for 2FA, login protection, general site security, activity logs, and more.
- Shield Security – A powerful WordPress security plugin that comes with two-factor authentication.
- ManageWP – Two-factor authentication is a built-in feature, alongside all of their other helpful tools to better manage your websites.
There you have it; some of the best two-factor authentication plugins for WordPress. We hope you found your favorite 2FA plugin from our list, but if you’re having a hard time choosing, I recommend Google Authenticator by miniOrange.
That aside, remember that WordPress security is an integral part of running a successful website, so don’t take anything for granted. Two-factor authentication is an excellent way of keeping the bad guys out of your WordPress admin area.
Which is your favorite two-factor authentication plugin? Have questions, concerns, or suggestions? Please share with us in the comment section below.
Great article about different ways to secure a WordPress installation with 2FA. Usually these are either local solutions which work for one WordPress installation, like 5sec or Two Factor Auth, or clients for hosted services like Duo or Clef.
If you have several WordPress instances and you do not want to rely on a 3rd-party auth server, you could run your own authentication system with the open source solution privacyIDEA (privacyidea.org) and the WordPress plugin (https://wordpress.org/plugins/strong-authentication/).
You can manage hardware tokens, smartphone Apps, SMS, Email, Yubikeys, U2F… centrally and use these devices for authentication at all your blogs.
Thank you Cornelius for chipping in; you put across a great point.
This is something very interesting. With the increasing attacks on WordPress websites, this is a useful feature for most of the WordPress users. Thanks for this awesome post.
Impressive article. This is really an important article. We should think again about the security of our sites, because we are living under the threat of hackers. Only a strong password and a unique username are not enough to protect us. So we need another stable security shield that is really strong enough to protect against any hackers. Two-step authentication is one of the best security layers. So you need to enable two-step authentication on your WordPress site. Your tips must be helpful for us. Thanks for sharing.
You know, I had such high hopes for miniOrange given the many positive reviews, but in practice it’s clear they cater to blog owners and write many of the reviews themselves. For the other guys, their free plugins have a LOT of bugs and when you report them they tell you to upgrade your license from the free tier. Other apps do work – for admin only. I sent them screenshots of their licensing saying that the free tier should work and they say no, I must have misread it, I have to upgrade.
In the end their practices are predatory – the licensing agreements and descriptions aren’t accurate and their support is rude unless you’re paying them. If it’s payware, fine, at least be honest about it – no way am I going to implement their business tier software if this is how they treat people.
Thank you for sharing your experience with miniOrange. I can totally understand your concern with the lack of support; the problem is that free plugins generally get thousands, hundreds of thousands, or even millions of users, which can be extremely costly to support for free. Even if it’s not support but just answering questions/emails, it can cost thousands of dollars a month. I don’t believe that anyone should be rude or deceitful, that’s for sure, but do place yourself in their position. Based on your comment, it sounds like there is a market for a good free two-factor authentication plugin with more options and better support; I would encourage you to spend your time and money developing one and helping out the community. We would be happy to review it once it’s done 😉