Before the major brute-force attack on WordPress sites occurred, WordPress announced its “Two Step Authentication” process to improve WordPress security.
What is Two Step Authentication?
It is a feature introduced by WordPress to tighten account security: it adds a second layer of protection to your WordPress accounts. Anyone who has enabled two step authentication on a Google account will already be familiar with the idea, and two step authentication on WordPress.com works the same way. WordPress uses your mobile device to deliver a one-time verification code for your account that cannot be guessed.
How to Improve WordPress Security with Two Step Authentication?
Logging in with Two Step Authentication
There are two different ways you can enable two step authentication:
- Two Step Authentication via Smartphone
- Two Step Authentication via Email
Two Step Authentication via Smartphone
To enable two step authentication via smartphone, you need to install the “Google Authenticator app” on your phone; it is available for iOS, Android, and Blackberry smartphones.
Every time you log into a wordpress.com account that has Two Step Authentication enabled, it will ask you to:
- Enter your username and password at WordPress.com, which is the first step.
- Enter the secret verification code that you receive on your smartphone, which is the second step.
The secret code delivered to your phone changes with every login. If you don’t have one of the phones mentioned above, you can also receive the code via SMS (text message).
Two Step Authentication significantly reduces the probability that someone could gain unauthorized access to your WordPress.com account. To get in, an attacker would need your username, your password, and your phone.
Another option is to create “Application-Specific Passwords”. Several apps are used to access WordPress blogs; the most common are the WordPress mobile apps and Jabber apps.
For such apps, you can create a unique password for each phone and tablet. Providing the application name and generating a password produces a unique 16-character password that is used every time you log in from that particular device. This helps you secure your WordPress account across several devices. If a device is lost, you can remove the application from your WordPress account to revoke its password, so that nobody can access your account via that application on the lost device.
You can find detailed steps for the authentication methods above on the wordpress.com site.
Two Step Authentication via Email
WordPress users who host their sites with another web hosting company and don’t have a smartphone for the methods above can still use a Two Step Authentication log-in process via the “WordPress 2-step Verification” plugin, available in the WordPress Plugin Directory.
The WordPress 2-step Verification plugin can generate a unique verification code via an iPhone/Android/Blackberry smartphone or via email. If you don’t have a phone, it offers code verification via email. Follow the steps below to enable “Two Step Authentication via Email”.
Step 1: Log in to your WordPress Dashboard.
Step 2: Go to Plugins >> Add New and search for the plugin “WordPress 2-step Verification”.
Step 3: Install the plugin and activate it.
Step 4: Now go to the Users tab and you will see “2-Step Verification” in the list, as shown in the image below. Click on that option.
The 2-Step Verification configuration page will look like this:
If you are using a smartphone for authentication, choose the “Mobile application” option. Here, we are going to enable 2-step authentication via Email.
Step 5: Click on the “Add an Email” link. Clicking the link will load a form to enter the details. There will be three steps to enable the email authentication: Add an Email, Verify Computer, and Activate.
Now, enter the email address the plugin should send codes to in the field shown in the image below, and click the “Send Code” button to send the verification code to your email.
Check your email, enter the verification code in the box shown in the image above, and click the “Verify” button to complete this step. It will show the message: “Your email is configured. Click Next to continue.”
Step 6: If you select the “Trust this computer” option, the plugin won’t ask you for a verification code every time you log in from that computer. If you leave the option unselected, it will require a new code on every login to your WordPress account. If you log in from different computers and devices, it is recommended to keep the box unselected.
Click on the “Next” button.
Step 7: This is the last step to enable the “WordPress 2-step Verification” plugin. Simply click the red “TURN ON 2-STEP VERIFICATION” button to enable the verification process, as shown in the image below.
From now on, every time you log in to your WordPress Admin Dashboard, it will prompt you for the verification code sent to your email address. (See image below.)
To log in successfully, copy the verification code from your email inbox and enter it in the box shown in the image above.
Hopefully the steps shown here will help you secure your WordPress sites from such attacks.