2.2 Enable Two-Factor Authentication
Two-factor authentication is a great way to add a layer of security to user logins for your site. In this lesson, I’ll teach you about a few of the two-factor plugins that are available and show you how to configure them.
1.Introduction1 lesson, 01:31
2.WordPress Security Top Tips8 lessons, 34:28
3.Conclusion1 lesson, 00:49
2.2 Enable Two-Factor Authentication
Hello everyone, I'm Reggie Dawson. Welcome to the WordPress Security Tips Course for Tuts+. As I mentioned in the last video, another way to protect your site is by the use of two-factor authentication. How this works is by using some sort of secondary authentication with your login. Have you ever been forced to enter a secondary code that was sent to your phone when using some online service? This is two-factor authentication. Now even though an intruder may steal your password, they will not have access to the device that the secondary authentication is sent to. Now by default, WordPress does not include two-factor authentication. Fortunately, there are a lot of plugins that can provide this functionality for us. In this video, we will look at a few of them. Now be aware that some general security plugins may provide this, as well, but for now, we will just focus strictly on two-factor plugins. Now bear in mind, this is not a definitive list. There is, strictly speaking, no right answers, it is all a matter of preference. A lot of the plugins I talk about I've actually used in a production environment. Understand that every WordPress installation is different and your experience may vary. As a result, I will talk about a few different plugins and you can choose the best one for your needs. Now the first plug-in we will look at is the Google Authenticator plugin. This plugin is designed to work in conjunction with the Google Authenticator app available in the Google Play store. This app lets you scan a QR code or enter the code manually. We can easily install this plugin by searching for it in our plugin menu. It goes without saying that we will install and activate the plugin. Once it's installed, we just need to go to our user profile. Here, you scroll down until you see the Google Authenticator settings. You will need to click on Active to activate it for this account. Then in the description, you can add something so that you can recognize this code in the authenticator app. Then you have the secret, which is the code that you can use if you don't want to scan the QR code. Now if you click on the show/hide QR code button, we can display the code. This is the code that we can scan with the authenticator app. The app will then generate the code that you'll need to log in to your site. Now it goes without saying that you can lock yourself out of your site with these plugins, so be careful. Another plugin that we can use is the Two-Factor Authentication Plugin. This is very similar to the Google Authenticator Plugin, but it gives you a bit more in the way of configuration. After I install and activate the plugin, we will find a new menu under the setting. Here we can control which roles have two factor authentication available. We can also make two factor required, but that is only in the premium version of the plugin. We can also use this plugin to require XMLRPC requests to use two factor authentication. This is because any apps that use WordPress, such as a mobile app, could be communicating with your WordPress site through XMLRPC. This doesn't use two-factor authentication and could be considered a security risk. Many programmers have not accounted for two-factor authentication in their apps, so by requiring two-factor authentication here, you could cause your mobile app not to work. Then we have the default algorithm that controls how our code is generated. The one used by Google Authenticator is type P, which is time based. This requires your devices to have accurate time, but that shouldn't be an issue with a computer or mobile device. Then in the Two-Factor Auth menu we can enable it. Again, be careful because you can lock yourself out, although this plugin does have a way to disable it if that should happen. The one-time password is used once you enable the plugin and log out. You will be asked to verify with this password, then you have the QR code like the other plugin. We can use this with any app that can generate our code using the QR, including Google Authenticator. Then we also have our private key that we can use if we don't wanna scan the code. This plugin can also generate emergency codes, in case a user has lost their device. Unfortunately, this is a paid premium feature of the plugin. Overall, this is a good plugin, but many of the better features are only available in the premium version. The final plugin we will look at is the WordPress 2 step verification plugin. Now when we install this plugin and go to Users, we have a new menu. At the top, it tells us the plugin is turned off for our account and give us the link to enable it. If we want to use the QR code with Google Authenticator, we can click on the Android, iPhone, or Blackberry link. If so, we can follow the same process of scanning the QR code. This plugin also gives us the added option of sending our code through email. This will generate our code for us and have it sent to email. All we have to do is add the email that we want to use right here. Now if you cannot send email from your WordPress, you may need to use some sort of email plugin. This plugin also allows us to generate backup codes. These are for one-time use, if your device is unavailable. We can also use this plugin to set this as a trusted computer. This will only prompt the computer for a verification code once a month. That way, you won't have to use two-factor authentication all the time, but be careful what devices you grant this to. Then finally, we have app passwords, which we can use to generate passwords for external apps. Now these are just a few of the plugins that we can use to add another layer of security into our logins. Again, there is no right answer. It's all just preference. You may not like any of these plugins, and choose a different one. In the next video, we will learn what steps an administrator of a WordPress site can take to protect it.