We take security very seriously here at Kinsta and that’s why we offer two-factor authentication for all of our WordPress hosting clients. Nothing could be worse than someone hijacking access to all of your sites! This feature is available in our MyKinsta dashboard and we highly recommend everyone take advantage of it. Today we will dive into why WordPress two-factor authentication is important, how our 2FA feature works, and a great free way to set up two-factor for your WordPress site itself.
- Why Two-Factor Authentication Is Important
- Kinsta Two-Factor Authentication
- Enable WordPress Two-Factor Authentication
Why Two-Factor Authentication Is Important
If you take a look at the top CMS platforms such as Joomla!, Drupal, and Magento; WordPress is leading with over 60.8% of the market share. Due to its popularity, this also means it is attacked more than the others. You can’t really say that one platform is more secure than the other. Mainly more attacks occur because of the mere volume of sites out there.
Another reason is due to unskilled website owners. WordPress has always been awesome due to the fact that almost anyone can pick it up and start using it, but that also means there are a lot of beginners most likely leaving back doors wide open by not patching, not locking things down with correct permissions, etc.
WordFence surveyed a large number of WordPress site owners in 2016 and asked them to answer the following question: “If you know how your site was compromised please describe how the attackers gained access.” 61.5% responded saying they didn’t know how the attacker compromised their website.
They also ran another survey to see what attackers do with compromised WordPress sites. As you can see, 25% are typically taken offline or defaced. This is probably one of the worst things that could happen if you run a WordPress business. That is why you should implement security measures first, not after.
There are many ways you can lock down a WordPress site, one simple tweak is to change your WordPress login URL. This will instantly knock down the number of failed login attempts you have to your WordPress site from bots and scripts constantly scanning the web looking for a way in. But one of the most important things is to simply choose a complex password.
Sounds pretty easy right? Well, check out SplashData’s 2018 annual list of the most popular passwords stolen throughout the year (sorted in order of popularity).
That is right! The most popular password is “123456”, followed by an astonishing “password”. That is one reason why here at Kinsta on new WordPress installs we actually force a complex password to be used for your wp-admin login (as seen below on our one-click install process).
Security starts with the basics. Google has some good recommendations on how to choose a strong password. And one of their recommendations is to enable two-factor authentication.
Two-factor authentication involves a 2 step process in which you need not only your password to login but a second method. It is generally a text (SMS), phone call, or time-based one-time password (TOTP). In most cases, this is 100% effective in preventing brute force attacks to your WordPress site. Why? Because it is almost impossible that the attacker will have both your password and your cell phone.
Check out more below on how to enable WordPress two-factor authentication.
Kinsta Two-Factor Authentication
There are really two parts when it comes to two-factor authentication. There is first is your account and or dashboard that you have with your web hosting provider. If someone gets access to this they could change your passwords, delete your websites, change DNS records, and all sorts of horrible things. We now have two-factor authentication available for all customers under your MyKinsta dashboard.
We have also partnered up with Authy which has a strong history of providing secure login authentication solutions for large companies such as CloudFlare, Twitch, Coinbase, and SendGrid. They have desktop and mobile apps for every platform, including browser extensions.
CloudFlare says Authy has “created a beautiful, simple, elegant app that implements TOTP.” – Techcrunch
To enable, click on your avatar in the bottom left-hand side of the MyKinsta dashboard and then into “User Settings.” Scroll down and click on the “Enable Two-Factor Authentication” button.
You will then be prompted to choose your country and input your cell phone number. Then click on “Enable.”
When 2FA is enabled, you will see it under the 2FA column in the “User Management” screen. If 2FA is disabled on your account, you will receive an instant email notification. If you get one of these notifications and you didn’t disable 2FA yourself, please reach out to our support team right away.
Two Options For Logging Back In
When it comes to logging back in you have two different options.
Option 1: SMS via Mobile Device
The first option is to receive an SMS (text) message via your mobile device. The next time you log in to your MyKinsta dashboard, click on the “Request New Code” and a unique code will be sent to your mobile device.
Option 2: Authy
The second option is to utilize a free application called Authy. The advantage of using Authy is that they have applications for all devices, including your desktop, mobile, and even a browser extension. To configure this you will need to install the Authy app on your mobile device or via your browser. Then launch it and you will need to confirm your phone number. You can have it call you or text you with the registration pin.
The next time you log in to your MyKinsta dashboard you will be prompted with the following window to enter your authentication code.
Simply launch your Authy app and it will generate a temporary code for you to enter. If you’re utilizing the browser extension it should pop up automatically.
And that’s it. You can rest easy now knowing that your Kinsta account is much more secure!
Enable WordPress Two-Factor Authentication
Now that you have your Kinsta dashboard secured, you can also enable WordPress two-factor authentication on your website. We recommend one of the following two plugins.
Two Factor Authentication
The Two Factor Authentication WordPress plugin is developed by the same authors of UpdraftPlus, the popular backup plugin. It supports standard TOTP + HOTP protocols (Google Authenticator, Authy, and many others). There is both a free and premium version.
It currently has over 10,000 active installs with a 4.5 out of 5-star rating and features the following:
- Graphical QR codes for easy mobile scanning
- Includes support for the WooCommerce and Affiliates-WP login forms
- WordPress Multisite compatible (plugin should be network activated)
- Emergency codes and premium design layouts (premium version)
If you’re looking for a completely free solution, the Google Authenticator WordPress plugin works great. Note: That does mean however that you will be bouncing around two different apps. You can determine which is the most time effective for your environment. If you want to stick with one app, upgrading to their starter plan might be the way to go. We will be using the free Google Authenticator in this example.
The Google Authenticator plugin has 30,000+ active installs with a 4.5 out of 5-star rating. It’s completely free and you can set it up for an unlimited amount of users. Most of the other auth plugins out there you will notice they have limitations in place unless you upgrade to a paid plan. You can download Google Authenticator plugin from the WordPress repository or by searching for it within your WordPress dashboard under “Add New” plugins.
Once installed you can click on your user profile, mark it active and create a new secret key or scan the QR code.
You can then use one of the free Authenticator Apps on your phone:
After enabling this it will now require your normal password to login plus the code from the Google Authenticator app on your phone. You will notice an additional field that now appears on your WordPress login page. Also, this plugin is fully compatible with the plugin that we recommended earlier to change your WordPress login URL.
And that’s it! You now have two-factor authentication on your Kinsta account and on your WordPress website.
We are excited to offer two-factor authentication to Kinsta clients, as this has been one of our most requested features. Securing your WordPress websites just got a little easier! Make sure to check out our more advanced guide on WordPress security to see how to really lock down your site.
Have any questions about how WordPress two-factor authentication works? Feel free to leave us a comment below or open a support ticket from within your MyKinsta dashboard.