Securing a WordPress-based site, or any other CMS, involves many things, but one aspect that is often overlooked is the authentication mechanism that guards administrative access.
Gaining access to the WP administrative area is one of the main forms of intrusion, and it happens even on sites that use strong passwords, simply because the person in charge has not adopted a more robust authentication mechanism.
That is why this article explains why you should strengthen the authentication of your site and presents a variety of plugins that solve the problem.
What is two-factor authentication?
Two-factor authentication (TFA or 2FA) is the addition of a second verification step by the system being accessed, to confirm that the person logging in is the legitimate user and is permitted to do so.
The more independent the second verification method is from the first, the stronger the protocol becomes.
When the additional step relies on a possession factor, such as a code generated by a hardware token, a smart card holding a digital certificate, or an SMS sent to a cell phone, passing the second step requires physical possession of that device (token, card or phone). An attacker who knows only the username and password is therefore blocked. Of these, SMS is the weakest option, because a text message can be redirected to an attacker's phone (for example through SIM swapping); an authenticator app or a hardware key is preferable.
In short, a two-factor scheme is stronger the less likely it is that a third party can satisfy both requirements at once.
Some 2FA solutions are better described as MFA, or multi-factor authentication, because they offer three or more authentication means, even if only two of them are required to grant access.
A well-known example of MFA is the Microsoft account, which, besides the traditional username and password, can use a PIN (Personal Identification Number) for Windows login, a mobile phone number, the Microsoft Authenticator app (Android and iOS), a verification e-mail and, for certain situations, an alphanumeric recovery code.
Why use a two-factor authentication plugin in WP?
Two-factor authentication is increasingly common in everyday situations: logging in to the main free e-mail services, the main social networks, banking apps and a range of other online services.
At a time when digital security, data leaks, site break-ins and the threats associated with them are constantly discussed, there are plenty of reasons to adopt mechanisms that make everything we do online more robust.
When we look at the most traditional authentication method, username and password, which on most sites is still the only barrier between a legitimate user and a criminal, the reasons it is such a fragile barrier are evident:
- Brute force – botnets (“robot” + “network”) carry out brute-force attacks every day against any WordPress-based site they can find, using techniques such as dictionary attacks to guess passwords and gain access;
- Weak password – weak passwords are one of the main causes of unauthorized access, and guessing one sometimes does not even require a massive botnet attack;
- Malware – if the device used to access the admin area is infected with certain classes of malware (a keylogger, for example), the password is commonly captured;
- Public Wi-Fi – accessing the WP administrative area over a public Wi-Fi network without a minimally adequate security policy can expose your password, especially if the site is not served over HTTPS;
- Vulnerable network – as with public Wi-Fi, neglecting the security of the home Wi-Fi router or modem, or of the company network, gives intruders an easy route to your data;
- Outdated CMS – any CMS, not just WordPress, that is not kept up to date may contain security flaws that expose not only passwords but any other data it stores;
- Third-party device – using someone else's device, whose security cannot be verified and which may carry malware or run an outdated operating system, can also expose your password;
- Phishing (social engineering) – being targeted by phishing, in which social engineering techniques persuade the user to hand over data they should not, is also far from uncommon.
Two-factor authentication (2FA) plugins for WordPress
Before presenting each option, it is important to note that the list is not ordered from best to worst, since such a ranking would be subjective. The order in which they appear is arbitrary.
Treat it simply as a reasonably broad list of choices.
1. Wordfence
The first option is not just a 2FA plugin but a complete security solution: among everything Wordfence offers for WordPress, it includes a two-factor authentication tool.
Wordfence comes in a free and a paid (premium) version; the differences between them are the frequency of updates, technical support and some additional features.
2. Google Authenticator
This alternative deserves a place on any list of this type, due to its ease of use and reliability.
Many people who already use 2FA with services such as Gmail, Dropbox or Amazon have had to use it and therefore already have the app installed on their Android phone or iPhone.
So installing and using the Google Authenticator for WordPress plugin will be a simple and familiar process.
3. Two Factor Authentication
Another option that relies on a mobile app generating short-lived, single-use codes (valid for 30 seconds), which expire after that window.
Two Factor Authentication can be used with any authenticator app that implements this standard time-based code scheme, but we recommend Microsoft Authenticator, since it can back up the registered accounts, which helps in case of loss or theft of the device or before any procedure that involves reinstalling the app.
4. Two-Factor
Similar to the previous one only in name (and shorter), Two-Factor is really an MFA alternative, in that it lets you choose among different methods for the second step.
Four alternatives can be selected: codes sent to a registered e-mail address, time-based one-time codes (TOTP) generated by an app such as Google Authenticator, physical security keys (FIDO/U2F), which are a hardware element bound to the site's origin and therefore resist phishing, and, finally, single-use backup codes.
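The TOTP codes mentioned here and in the previous plugin (30-second, single-use codes from an authenticator app) are produced by a standard algorithm (RFC 6238 on top of RFC 4226), and it is worth seeing what the plugin actually checks on the server side. The following is an added example written for this article, not code from any of the plugins listed; it uses only the Python standard library. The base32 secret `EXAMPLE_BASE32_SECRET` is a constructed value of the kind a provisioning QR code carries, and the function names (`hotp`, `totp`, `verify_totp`, `secret_from_base32`) are the example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed shared secret in the base32 form a provisioning QR code shows
# (Google Authenticator style). Chosen for this example only.
EXAMPLE_BASE32_SECRET = "JBSW Y3DP EHPK 3PXP"


def secret_from_base32(text: str) -> bytes:
    """Decode the shared secret as it appears in a provisioning URI or QR code.
    Apps tolerate spaces and lowercase and usually omit the '=' padding."""
    cleaned = "".join(text.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is Unix time divided by the time step.
    Every code is therefore tied to one 30-second window."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, code: str, for_time: float, step: int = 30,
                window: int = 1, last_used_counter=None):
    """Server-side check. Accepts the current step plus/minus `window` steps to
    tolerate clock drift, compares in constant time, and refuses any counter at
    or below `last_used_counter` so a captured code cannot be replayed.
    Returns the accepted counter (persist it as the new last_used_counter)
    or None when the code is rejected."""
    counter = int(for_time) // step
    for candidate in range(counter - window, counter + window + 1):
        if last_used_counter is not None and candidate <= last_used_counter:
            continue  # already consumed: single use
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


if __name__ == "__main__":
    key = secret_from_base32(EXAMPLE_BASE32_SECRET)
    now = time.time()
    current = totp(key, now)
    print("current code:", current, "valid for about", 30 - int(now) % 30, "more seconds")
    accepted = verify_totp(key, current, now)
    print("first use accepted at counter", accepted)
    # Presenting the same code again is rejected (single use).
    print("replay accepted?", verify_totp(key, current, now, last_used_counter=accepted))
```

Two details matter for a plugin author or reviewer: the comparison must be constant-time (`hmac.compare_digest`), and the last accepted counter must be stored per user, otherwise a code phished or shoulder-surfed within its 30-second window can be reused. The drift window should be small (one step) because every extra step multiplies the number of codes an attacker can guess.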
5. Duo
Duo WordPress is also an MFA solution, as it offers several ways to complete the second step.
You can choose from five options:
- A simple one-touch push confirmation in Duo's own app;
- Time-based one-time codes (TOTP), generated by the Duo app;
- Codes delivered by SMS;
- Phone call;
- Codes generated by OATH hardware tokens, including USB-connected ones.
6. Rublon
For those who like to have several alternatives for the second layer of security, Rublon Two-Factor Authentication (2FA) is another good option.
Like Duo, it offers one-touch push confirmation on mobile, time-based one-time passwords (TOTP), codes sent via SMS and physical security keys (FIDO/U2F). It also offers confirmation links sent to a previously registered e-mail address and QR codes to be scanned by the smartphone with Rublon's own app.
Conclusion
Adding two-factor authentication to a WordPress site is one of the most important measures you can take to protect it against digital threats. Whichever plugin you choose, prefer an authenticator app or a hardware key over SMS, and store the backup codes somewhere safe so that losing the phone does not lock you out of your own site.