If you take little away from this course, take this: 2FA is the single biggest improvement you can make to your site's security after keeping it updated.
Key Concepts Covered
- Two-Factor Authentication (2FA) is a type of Multi-Factor Authentication (MFA) that requires two different kinds of proof of identity: typically a password (something you know) plus a second factor such as a code from an app or a hardware token (something you have).
- 2FA is one of the most effective and lowest-effort ways to improve WordPress security.
- WordPress core does not include 2FA, so a plugin is required.
Recommended 2FA Plugins:
- Two-Factor (by the WordPress security team)
- Lightweight, free, no-nonsense
- Good for offering 2FA as an option
- Supports TOTP, email codes, FIDO U2F security keys, and backup codes
- Works largely without JavaScript, so it is accessible and works in older browsers
- WP 2FA by Melapress
- More feature-rich
- Ideal if you need to enforce 2FA for specific roles or users
- Includes a user onboarding flow and role-based rules
- Supports multiple authentication methods
2FA Methods:
- TOTP apps (Google Authenticator, Authy, 1Password, Bitwarden): strong, widely supported, and the best default for most users. Note that a TOTP code can still be phished; a user can be tricked into typing a valid code into a fake login page.
- Email codes: only as strong as the mailbox they are sent to. The weakest option, but still better than a password alone.
- Hardware tokens (USB or NFC security keys): the strongest option, and FIDO/U2F keys resist phishing because the response is bound to the site's origin. Easy to lose, though, so always register a spare.
- Push notifications (Duo, Microsoft Authenticator): excellent, but not yet supported by the mainstream WordPress 2FA plugins.
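To make the TOTP bullet concrete, here is a minimal RFC 4226 / RFC 6238 verifier. It is an added example written for this page; it is not code from the course, from Two-Factor or from WP 2FA. It shows what the authenticator app and the site both compute from the shared secret, why a small drift window is needed, and why an accepted counter must be remembered so a captured code cannot be replayed. The base32 secret `JBSWY3DPEHPK3PXP` is a constructed sample; the ASCII secret `12345678901234567890` and the expected codes are the published RFC test vectors.

```php
<?php
// Added example (not the course's or either plugin's code): HOTP/TOTP as the
// authenticator app and the server both compute it, plus a drift-tolerant,
// replay-safe verifier.

/** Decode an RFC 4648 base32 string (the format authenticator apps import from the QR code). */
function base32_decode_str(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    $bits = '';
    foreach (str_split($b32) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop the trailing partial group
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

/** HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated. */
function hotp(string $secret, int $counter, int $digits = 6): string {
    $hash   = hash_hmac('sha1', pack('J', $counter), $secret, true); // 20 raw bytes
    $offset = ord($hash[19]) & 0x0f;
    $code   = ((ord($hash[$offset])     & 0x7f) << 24)
            | ((ord($hash[$offset + 1]) & 0xff) << 16)
            | ((ord($hash[$offset + 2]) & 0xff) << 8)
            |  (ord($hash[$offset + 3]) & 0xff);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** TOTP (RFC 6238): HOTP with counter = floor(unix_time / step). */
function totp(string $secret, int $time, int $digits = 6, int $step = 30): string {
    return hotp($secret, intdiv($time, $step), $digits);
}

/**
 * Verify a submitted code, allowing +/- $window steps of clock drift between the
 * phone and the server. Any counter at or below $last_counter (the last one this
 * user was accepted with) is refused, so a code seen once cannot be replayed.
 * Returns the accepted counter (to be stored as the new $last_counter) or null.
 */
function verify_totp(string $secret, string $submitted, int $time, int $last_counter,
                     int $window = 1, int $digits = 6, int $step = 30): ?int {
    $now = intdiv($time, $step);
    for ($i = -$window; $i <= $window; $i++) {
        $counter = $now + $i;
        if ($counter <= $last_counter) {
            continue;                                   // already used or older: replay
        }
        if (hash_equals(hotp($secret, $counter, $digits), $submitted)) {
            return $counter;                            // constant-time compare
        }
    }
    return null;
}

/** Self-check against the RFC 4226 / RFC 6238 test vectors and the constructed base32 sample. */
function totp_self_test(): bool {
    $secret = '12345678901234567890';                   // RFC test secret (ASCII)
    return base32_decode_str('JBSWY3DPEHPK3PXP') === "Hello!\xDE\xAD\xBE\xEF"
        && hotp($secret, 0) === '755224'
        && hotp($secret, 1) === '287082'
        && totp($secret, 59, 8) === '94287082'
        && totp($secret, 1111111109, 8) === '07081804'
        && verify_totp($secret, '287082', 59, 0) === 1   // counter 1, first use: accepted
        && verify_totp($secret, '287082', 59, 1) === null // same code again: replayed
        && verify_totp($secret, '287082', 89, 0) === 1   // one step of drift: still accepted
        && verify_totp($secret, '287082', 150, 0) === null; // too old, outside the window
}

echo totp_self_test() ? "self-test passed\n" : "self-test FAILED\n";
```

The two things worth taking from this: the code is nothing more than a truncated HMAC of the current 30-second counter, so anyone who learns the secret (a screenshot of the QR code, a database dump of unencrypted secrets) can mint codes forever; and the server must persist the last accepted counter per user, or a code phished or shoulder-surfed in the last minute or so is reusable within the drift window.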
Be prepared for recovery scenarios:
- Users will lose devices or lock themselves out.
- Plan the support and recovery process before rolling 2FA out: who can reset a user's second factor, how that user's identity is verified first, and where backup codes are kept.
Key Actions to Take Away
- Enable 2FA for all administrator and editor accounts as a minimum.
- Choose the Two-Factor plugin for simplicity, or WP 2FA when you need to enforce 2FA.
- Encourage all users to use TOTP apps or hardware tokens, but allow a fallback to email codes if needed.
- Ensure all users:
- Save their backup codes
- Understand the reset process
- Don't wait for users to opt in; require 2FA where necessary.
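One way to stop waiting for opt-in with the Two-Factor plugin, as an added example (this is not the course's "Two-Factor Enforced" plugin and not part of either plugin): a must-use plugin that keeps users in the listed roles out of wp-admin until they have enrolled a second factor. It assumes the Two-Factor plugin is active and relies only on its public `Two_Factor_Core::is_user_using_two_factor( $user_id )` method; the role list, the text-domain `require-2fa` and the function name are this example's own choices.

```php
<?php
/**
 * Plugin Name: Require 2FA for privileged roles
 * Description: Added example, not the course's own plugin. Blocks wp-admin for
 *              users in REQUIRE_2FA_ROLES until they enrol in Two-Factor.
 *
 * Place in wp-content/mu-plugins/ so it cannot be deactivated from the dashboard.
 * Assumes the Two-Factor plugin is active (Two_Factor_Core::is_user_using_two_factor).
 */

// Roles that must have a second factor enrolled; 'administrator' at minimum.
const REQUIRE_2FA_ROLES = [ 'administrator', 'editor' ];

/** True when this user holds an enforced role but has no second factor enrolled yet. */
function require_2fa_user_needs_enrolment( WP_User $user ): bool {
    if ( ! class_exists( 'Two_Factor_Core' ) ) {
        return false; // Two-Factor not active: nothing to enforce against (alert on this in production).
    }
    if ( ! array_intersect( REQUIRE_2FA_ROLES, (array) $user->roles ) ) {
        return false; // not a privileged role, leave the user alone
    }
    return ! Two_Factor_Core::is_user_using_two_factor( $user->ID );
}

add_action( 'admin_init', function () {
    global $pagenow;

    // Leave AJAX and REST requests alone so the enrolment UI on profile.php keeps working.
    if ( wp_doing_ajax() || defined( 'REST_REQUEST' ) ) {
        return;
    }

    $user = wp_get_current_user();
    if ( ! $user->exists() || ! require_2fa_user_needs_enrolment( $user ) ) {
        return;
    }

    // Only the profile page, where Two-Factor renders its settings, stays reachable.
    if ( 'profile.php' === $pagenow ) {
        add_action( 'admin_notices', function () {
            echo '<div class="notice notice-error"><p>'
               . esc_html__( 'Your role requires two-factor authentication. Enable it below before using the dashboard.', 'require-2fa' )
               . '</p></div>';
        } );
        return;
    }

    wp_safe_redirect( admin_url( 'profile.php' ) );
    exit;
} );
```

Two caveats a practitioner should keep in mind: this only gates the dashboard, so XML-RPC, the REST API with application passwords, and the front end are untouched and need their own controls; and because it relies on Two-Factor being active, a site where the plugin is removed silently stops enforcing, which is worth an alert.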
If you only make one security improvement to your WordPress site, this should be it. Let's talk about multi-factor authentication, or more specifically two-factor authentication (2FA), because yes, a strong password is great, but a strong password plus something else is where the security really starts to hold up.
Let's get our terms right, though. Multi-factor authentication (MFA) just means you need more than one type of proof to log in. Two-factor authentication is a type of MFA where you need two types of proof. So if you log in with your password (something you know) and a code from an app (something you have), that's 2FA. If you add fingerprint scanners, smart cards, biometrics and all that, then you're very much in MFA territory. It's a bit of a blurry line, and it's fine to refer to both 2FA and MFA when talking about WordPress.
Now, I'm going to make this really simple. There isn't any two-factor authentication inside WordPress core, so there are two plugins that I recommend for 2FA on WordPress. Which one you pick depends on your needs. The first one is Two-Factor, by the WordPress security team. It's lightweight, free, maintained by trusted contributors, doesn't nag you and won't lock you out. It's ideal if you just want to offer 2FA as an option.
It supports all the main 2FA methods: TOTP (Google Authenticator and the like), email codes, which are less secure but still better than nothing, and hardware tokens. It provides backup codes and, best of all, works without JavaScript for the most part, so it's great for accessibility and older browsers. If you want something sensible that doesn't get in your way, this is the one I recommend.
This is the one that I use on most of my personal sites, and for most people this is the route to go down. However, there is also WP 2FA by Melapress. I'm going to be honest, it's a bit more complex and a bit clunky to set up. The admin interface is not great, but it's fine for the end user once they're using it. It is designed for really enforcing 2FA: you can set different policies for different roles, so it's great if you need 2FA for a specific role or person.
You can say, "Bob, you need to have 2FA set up," and make it mandatory: the next time Bob logs in, he has to enrol. Say you want admins and editors to use 2FA; that's when I would use the Melapress plugin. Everyone else can opt out, and this plugin makes that easy. It also has onboarding flows for users, so they're guided step by step through setup. Unlike Two-Factor, where the settings are just dumped in the user profile and you have to find them yourself, WP 2FA will guide you through.
It supports email, apps, backup codes, all of that. If you need to enforce use and can't just gently nudge people, this is the one I would use. Now, let's talk about the different types of factors, because not all 2FA is equal. Here are the main ones. TOTP, time-based one-time passwords: that's your Google Authenticator and Authy apps, and password managers such as 1Password and Bitwarden all have TOTP built in. It's arguably the best option for most users: it requires a device you already have, your mobile phone or your password manager, and it's easy to get started.
Email codes: this is where the site emails you a code. Technically it is 2FA, but I'd argue only just: if your email account gets compromised, then obviously this is absolutely worthless.
The counterargument to that is that if your phone gets stolen, your TOTP codes are possibly also worthless. But it is generally a lot easier to intercept or gain access to email, depending on how things are set up. And it's important to remember that it's better to have something than no 2FA at all. The third one is hardware tokens: a small device that either plugs into your computer or uses NFC, so you tap it on the back of your phone, and it produces a one-time token much like a TOTP code. These work really well and have the advantage of being completely independent devices. They're tiny little things, but also really easy to lose, which reminds me, I wonder where I've put mine. Oh yes, mine, plural. Make sure you have two tokens.
Otherwise, you will be locked out when you do lose them. The final option is push-based. I don't think I have seen any major plugin that supports this inside WordPress, but it's still worth talking about and probably will be supported in the future. Push-based notifications are things like Duo and Microsoft Authenticator. They send a notification to a separate device and you tap to confirm that yes, that was you, similar to how many banking apps work. So what should you aim for? Best case: a TOTP app or a hardware token.
Decent case: email codes and a strong password. Worst case: a password only. We really do want to get people using 2FA, so make it as simple as possible. Don't fall into the trap of waiting for users to adopt it; they just won't. If you're serious about site security, and especially for admins, you should force-enable 2FA where possible and require it for higher-privileged users, i.e. administrators. Ideally everybody should be using it.
One final note: be ready for support questions. Someone will lose their 2FA token. Someone will lock themselves out. Make sure you have backup accounts for yourselves and ways to get in with backup codes, document the reset process, and remind users to keep those backup codes.
So, to recap: 2FA is the lowest-effort, highest-impact security upgrade you can make. Use the Two-Factor plugin for simple sites and for sites where you trust the admin users to actually enable it. Use WP 2FA by Melapress when you need to enforce it because they haven't enabled it. And remember, even a weak second factor is better than nothing at
The module has the following resources:
Web Resources
Two-Factor – WordPress "Canonical Plugin" written by the security team. Does not enforce 2FA by default.
Two-Factor Enforced – If you want to enforce 2FA with Two-Factor, I have a very crude plugin to do so.
wp-2fa – Melapress's 2FA solution; the better choice where you have to enforce 2FA, or enforce it by role.