We take security very seriously here at Kinsta and that’s why we offer two-factor authentication for all of our WordPress hosting clients. Nothing could be worse than someone hijacking access to all of your sites! This feature is available in our MyKinsta dashboard and we highly recommend everyone take advantage of it. Today we will dive into why WordPress two-factor authentication is important, how our 2FA feature works, and a great free way to setup two-factor for your WordPress site itself.
If you take a look at the top CMS platforms such as Joomla!, Drupal, and Magento; WordPress is leading with over 60% of the market share. Due to its popularity, this also means it is attacked more than the others. You can’t really say that one platform is more secure than the other. Mainly more attacks occur because of the mere volume of sites out there.
Another reason is due to unskilled website owners. WordPress has always been awesome due to the fact that almost anyone can pick it up and start using it, but that also means there are a lot of beginners most likely leaving back doors wide open by not patching, not locking things down with correct permissions, etc.
WordFence surveyed a large number of WordPress site owners in 2016 and asked them to answer the following question: “If you know how your site was compromised please describe how the attackers gained access.” 61.5% responded saying they didn’t know how the attacker compromised their website.
They also ran another survey to see what attackers do with compromised WordPress sites. As you can see, 25% are typically taken offline or defaced. This is probably one of the worst things that could happen if you run a WordPress business. That is why you should implement security measures first, not after.
There are many ways you can lock down a WordPress site, one simple tweak is to change your WordPress login URL. This will instantly knock down the number of failed login attempts you have to your WordPress site from bots and scripts constantly scanning the web looking for a way in. But one of the most important things is to simply choose a complex password.
Sounds pretty easy right? Well, check out SplashData’s 2017 annual list of the most popular passwords stolen throughout the year (sorted in order of popularity).
That is right! The most popular password is “123456”, followed by an astonishing “password”. That is one reason why here at Kinsta on new WordPress installs we actually force a complex password to be used for your wp-admin login (as seen below on our one-click install process).
Security starts from the basics. Google has some good recommendations on how to choose a strong password. And one of their recommendations is to enable two-factor authentication.
Two-factor authentication involves a 2 step process in which you need not only your password to login but a second method. It is generally a text (SMS), phone call, or time-based one-time password (TOTP). In most cases this is 100% effective in preventing brute force attacks to your WordPress site. Why? Because it is almost impossible that the attacker will have both your password and your cell phone.
Check out more below on how to enable WordPress two-factor authentication.
There are really two parts when it comes to two-factor authentication. There is first is your account and or dashboard that you have with your web hosting provider. If someone gets access to this they could change your passwords, delete your websites, change DNS records, and all sorts of horrible things. We now have two-factor authentication available for all customers under your MyKinsta dashboard.
We have also partnered up with Authy which has a strong history of providing secure login authentication solutions for large companies such CloudFlare, Twitch, Coinbase, and SendGrid. They have desktop and mobile apps for every platform, including browser extensions.
CloudFlare says Authy has “created a beautiful, simple, elegant app that implements TOTP.” – Techcrunch
To enable, simply click on “Settings” in your MyKinsta dashboard and at the bottom click on the “Enable Two-Factor Authentication” button.
You will then be prompted to input your cell phone number. Click on “Send.”
When it comes to logging back in you have two different options.
The first option is to receive an SMS (text) message via your mobile device. The next time you log in to your MyKinsta dashboard, click on the “Request New Code” and a unique code will be sent to your mobile device.
The second option is to utilize a free application called Authy. The advantages of using Authy is that they have applications for all devices, including your desktop, mobile, and even a browser extension. To configure this you will need to install the Authy app on your mobile device or via your browser. Then launch it and you will need to confirm your phone number. You can have it call you or text you with the registration pin.
The next time you log in to your MyKinsta dashboard you will be prompted with the following window to enter your authentication code.
Simply launch your Authy app and it will generate a temporary code for you to enter. If you’re utilizing the browser extension it should pop up automatically.
And that’s it. You can rest easy now knowing that your Kinsta account is much more secure!
Now that you have your Kinsta dashboard secured, you can also enable WordPress two-factor authentication on your website. We recommend one of the following two plugins.
The Two Factor Authentication WordPress plugin is developed by the same authors of UpdraftPlus, the popular backup plugin. It supports standard TOTP + HOTP protocols (Google Authenticator, Authy, and many others). There is both a free and premium version.
It currently has over 7,000 active installs with a 4.5 out of 5-star rating and features the following:
If you’re looking for a completely free solution, the Google Authenticator WordPress plugin works great. Note: That does mean however that you will be bouncing around two different apps. You can determine which is most time effective for your environment. If you want to stick with one app, upgrading to their starter plan might be the way to go. We will be using the free Google Authenticator in this example.
The Google Authenticator plugin has 30,000+ active installs with a 4.5 out of 5-star rating. It’s completely free and you can set it up for an unlimited amount of users. Most of the other auth plugins out there you will notice they have limitations in place unless you upgrade to a paid plan. You can download Google Authenticator plugin from the WordPress repository or by searching for it within your WordPress dashboard under “Add New” plugins.
Once installed you can click on your user profile, mark it active and create a new secret key or scan the QR code.
You can then use one of the free Authenticator Apps on your phone:
After enabling this it will now require your normal password to login plus the code from the Google Authenticator app on your phone. You will notice an additional field that now appears on your WordPress login page. Also, this plugin is fully compatible with the plugin that we recommended earlier to change your WordPress login URL.
And that’s it! You now have two-factor authentication on your Kinsta account and on your WordPress website.
We are excited to offer two-factor authentication to Kinsta clients, as this has been one of our most requested features. Securing your WordPress websites just got a little easier! Make sure to check out our more advanced guide on WordPress security to see how to really lock down your site.
Have any questions about how WordPress two-factor authentication works? Feel free to leave us a comment below or open a support ticket from within your MyKinsta dashboard.
Send this to a friend