Protect your website login with two factor authentication

We are going to look into the method of two-factor authentication to further protect your website login from being compromised.


One of the most fragile parts of WordPress and most other web applications in the login. It is often easy to work out the username for many systems because most will use your email address, so that can be easily found out.

In WordPress, you may use a username, but that could be then be shown as your author name on all your posts – and your email address probably works too.

Too many systems are relying on the password to keep your login. So these passwords need to be the best. Now there are some great tools to help you create hard to remember passwords and to then remember them for you. Please don’t use one hard to remember password on all your logins! To help me create and then remember all my passwords, I have been using Roboform for many years.

The Roboform app runs on Windows, Mac, Ipad, Ipone, Google Phone and shares all my passwords across the devices for me. I just have one master password to remember and unlock it. (It also backs me up with two-factor authentication when I have not logged in to a device for a while – more on that shortly)

We hear so often about sites being hacked and then you are told you must change your username and password immediately. Having a tool like RoboForm makes it very easy to create new passwords and do not have the worry about remembering each of them. But, if you can not trust others to keep those passwords safe for you, then what else can be done to increase our login security? – one solution if Two-factor authentication.

Two Factor Authentication

One of the most simple ways to increase your login security is to upgrade to two-factor authentication. The concept is simple. You need to authenticate from two different sources to confirm your login.

Roboform has a version of two factor authentication, by emailing a code to me when I have not used a device for some time. So a hacker needs access to my device and access to my email to gain access.

For securing my WordPress site, and to serve as an example for you to follow, I am going to use the two-factor authentication method from Google.

This means installing an App on my mobile phone, and a plugin on my WordPress site.

When I now log into my site, I need to check the phone for a 6 digit passcode and add that to my login. The code is only valid for 30 seconds, so if anyone managed to copy down my username, password and security key, they have less than 30 seconds to use it. (I like to wait until 5 seconds before the timer is up to log in)

How does it work?

You first install the plugin on your WordPress site and app into your phone. To ‘connect’ the two, the WordPress plugin creates a secret key and then gives you a QR code which you then scan into the phone app.

When you wish to login, both systems work from the universal time counter and create the passcode 6 digit number from a calculation based on your secret key, which is reset every 30 seconds. When both agree you can log in.

So, to now compromise your site, a hacker needs your login details, with your password AND access to your mobile phone or that code which is only valid for 30 seconds – and then changed!

Where can I use two-factor authentication?

Google Authenticator can secure multiple websites with individual keys. It also secures my Google Account login, IFTT account, PayPal account and updraftplus backup plugin among others.

I note that some online bank accounts now use text message codes for second level authentication or independent notification.

Summary

To stop other people maliciously logging in to your websites you want 2 independent levels of protection.

  1. A unique a secure password – For which many software applications can be used to create and remember these logins. We use Roboform.
  2. A second confirmation of login. – On another device, independent from the login. We use Google Authenticator.
  3. Remember: If you use the remember me function, then people will be able to log in without authentication. So log out when you are leaving your device lone.