The Importance of WordPress Two-Factor Authentication
By Brian Jackson, Updated: June 5, 2017
We take security very serious here at Kinsta and that is why we are excited to announce that we now have two-factor authentication for all WordPress customers. It is available for everyone within your My Kinsta dashboard. Today we will dive into why WordPress two-factor authentication is important, our new feature update, and a great free way to setup two-factor for your website.
Why Two-Factor Authentication Is Important
If you take a look at the top CMS platforms such as Joomla!, Drupal, and Magento; WordPress is leading with over 59% of the market share. Due to its popularity this also means it is attacked more than the others. You can’t really say that one platform is more secure than the other. Mainly more attacks occur because of the mere volume of sites out there. Another reason is due to unskilled website owners. One reason WordPress is awesome is that almost anyone can pick it up and start using it, but that also means there are a lot of beginners most likely leaving back doors wide open by not patching, not locking things down with correct permissions, etc.
WordFence surveyed a large number of WordPress site owners in 2016 and asked them to answer the following question: “If you know how your site was compromised please describe how the attackers gained access.” 61.5% responded saying they didn’t know how the attacker compromised their website. They also ran another survey to see what attackers do with compromised WordPress sites. As you can see, 25% are typically took offline or defaced. This is probably one of the worst things that could happen if you run a WordPress business. That is why you should implement security measures first, not after.
There are many ways you can lock down a WordPress site, one simple tweak is to change your WordPress login URL. This will instantly knock down the number of failed login attempts you have to your WordPress site from bots and scripts constantly scanning the web looking for a way in. But one of the most important things is to simply choose a complex password. Sounds pretty easy right? Well, check out SplashData’s 2015 annual list of the most popular passwords stolen throughout the year (sorted in order of popularity).
That is right! The most popular password is “123456”, followed by an astonishing “password”. That is one reason why here at Kinsta on new WordPress installs we actually force a complex password to be used for your wp-admin login (as seen below on our one-click install process).
Security starts from the basics. Google has some good recommendations on how to choose a strong password. And one of their recommendations is to enable two-factor authentication.
Two-factor authentication involves a 2 step process in which you need not only your password to login but a second method. It is generally a text (SMS), phone call, or time-based one-time password (TOTP). In most cases this is 100% effective in preventing brute force attacks to your WordPress site. Why? Because it is almost impossible that the attacker will have both your password and your cellphone. Check out more below on how to enable WordPress two-factor authentication.
Kinsta Two-Factor Authentication
There are really two parts when it comes to two-factor authentication. There is first is your account and or dashboard that you have with your web hosting provider. If someone gets access to this they could change your passwords, delete your websites, change DNS records, and all sorts of horrible things. We now have two-factor authentication available for all customers under your My Kinsta dashboard. We have partnered up with Authy which has a strong history of providing secure login authentication solutions for large companies such CloudFlare, Twitch, coinbase, and SendGrid. They have desktop and mobile apps for every platform, including browser extensions.
CloudFlare says Authy has “created a beautiful, simple, elegant app that implements TOTP.” – Techcrunch
To enable, simply click into “Settings” in your My Kinsta dashboard and at the bottom click on the “Enable Two-Factor Authentication” button.
You will then be prompted to input your cellphone number.
Next you will need to install the Authy app on your mobile device or via your browser. Then launch it and you will need to confirm your phone number. You can have it call you or text you you with the registration pin.
The next time you login to your My Kinsta dashboard you will now be promoted with the following window to enter an SMS code.
Simply launch your Authy app and it will generate a temporary code for you to enter.
And that’s it. You can rest easy now knowing that your Kinsta account is much more secure!
Enable WordPress Two-Factor Authentication
Now that you have your Kinsta dashboard secured, you can also enable WordPress two-factor authentication on your website. Authy does have an official WordPress plugin which you can download and use.
However, their free plan is limited to 100 authorizations per month. Their starter plan though is very reasonable at only $0.09/auth with unlimited users and authorizations. If you are looking for a completely free solution, the Google Authenticator WordPress plugin works great. Note: That does mean however that you will be bouncing around two different apps. You can determine which is most time effective for your environment. If you want to stick with one app, upgrading to their starter plan might be the way to go. We will be using the free Google Authenticator in this example.
The Google Authenticator plugin has 20,000+ active installs with a 4.5 out of 5 star rating, and is actively kept to date by the developer, Henrik Schack. It is completely free and you can set it up for an unlimited amount of users. Most of the other auth plugins out there you will notice they have limitations in place, unless you upgrade to a paid plan. You can download Google Authenticator plugin from the WordPress repository or by searching for it within your WordPress dashboard under “Add New” plugins.
Once installed you can click into your user profile, mark it active and create a new secret key or scan the QR code.
You can then use one of the free Authenticator Apps on your phone:
After enabling this it will now require your normal password to login plus the code from the Google Authenticator app on your phone. You will notice an additional field that now appears on your WordPress login page. Also, this plugin is fully compatible with the plugin that we recommended earlier to change your WordPress login URL.
And that’s it! You now have two-factor authentication on your Kinsta account and on your WordPress website.
We are excited to bring two-factor authentication to Kinsta, as this has been one of our most requested features. Securing your WordPress websites just got a little easier! Make sure to check out our more advanced guide on WordPress security to see how to really lock down your site.
Have any questions about how WordPress two-factor authentication works? Feel free to leave us a comment below or open a support ticket from within your My Kinsta dashboard.