Three linked padlocks, by FLY:D

Maybe you are tired of memorizing so many different passwords and you assume your hosting company is taking care of the security of your website. But I assure you: if you protect and take care of the security of your website, you will save yourself from major unpleasantness and unwanted consequences. Keep in mind that a security breach on your website does not only affect you and your business, but it can also affect your customers and you can even end up with legal problems for not having taken the appropriate security measures.

To help you sleep a little easier (if that’s possible in this day and age), I’ll explain how you can make your WordPress website more secure with multi-factor authentication.

What is Multi-Factor Authentication (MFA)

Not only have you seen Multi-Factor Authentication (MFA) in a lot of movies, but you already use it to confirm online payments with your credit card or to log in to your email, among others. It is a method of computer access control in which a person is only granted access after presenting more than one distinct proof of identity. These proofs, or authentication factors, can be diverse:

  • Some physical object that the person possesses, such as a USB stick with a unique identifier, a credit card, a key, etc.
  • Some secret that the person knows, such as a password, a pin, etc.
  • Some biometric characteristic of the person, such as a fingerprint, iris, voice, typing speed, keystroke interval pattern, etc.

Combining exactly two factors is also known as “two-step verification,” “two-factor authentication,” or “2FA.” The idea is that multi-factor authentication will always be more secure than just a username and password.

Why Should I Add MFA to My WordPress Website

One of the methods for cracking passwords is still the brute-force attack. As the name suggests, this attack consists of systematically trying possible combinations of usernames and passwords. These types of attacks are carried out by botnets using increasingly sophisticated algorithms and tools.

Many hosting companies already include firewalls and other tools to prevent such attacks. Even so, there are other recommendations that can help mitigate a security breach, such as requiring users to set strong passwords or to change them every 3 months.

Gif in which actor Ken Jeong comments that he doesn't remember his new password.

But adding multi-factor authentication to your website makes it 100% secure against brute-force attacks. That extra factor and step of identifying the person is checkmate for this type of bot.

How to Implement Two-Step Verification

Adding two-step verification means adding an extra verification step to the usual username and password authentication. The easiest way is for each user to install an authentication app on their phone. The app displays a temporary code that is only valid for a few seconds, and the user enters that code as a second form of verification (in addition to the password).

The best-known mobile apps are Google Authenticator, Authy, HENNGE OTP, FreeOTP, or SoundLogin (in case of sound authentication), among others. All of them are available as Android and iOS apps.

Let’s see below how we can implement two-step verification with Google Authenticator. Note that the process would be very similar with any of the aforementioned apps.

Google Authenticator

Google Authenticator is a simple app that is available on Android and iOS and simply displays a 6-digit numerical code that changes every 30 seconds. This is the one you should use after you’ve logged in to your WordPress or any other service where you are using it, such as your mail service, hosting, cloud, social networks, etc. For each account, you’ll see a code and the time left until it’s refreshed.

All people who are going to access your WordPress using 2FA must download the Google Authenticator app on their mobile in order to verify their identity with this system.

Install and Activate a Plugin for 2FA

There are several plugins available that allow you to perform two-step user authentication, such as Google Authenticator, Wordfence Login Security, miniOrange’s Google Authenticator, or Two Factor Authentication. Let’s see the steps to follow with the Google Authenticator plugin.

First of all, from your WordPress dashboard, click on “Add new” plugin:

Add new plugin in WordPress

Find the plugin you want to install, which in our case is “Google Authenticator”, and click on “Install” and “Activate:”

Search for the Google Authenticator plugin.

Set Up the Plugin

After activating the plugin, you will have the new Google Authenticator settings option.

Google Authenticator plugin installed in WordPress.

In the Google Authenticator configuration window you have the option to indicate whether you want the users themselves to decide whether or not to use double authentication and which roles you want to have double authentication enabled.

Setting up the Google authenticator plugin.

Next, in the profile of each user who has one of the roles marked with double authentication, you will find the Google Authenticator configuration options.

Adding 2FA with Google Authenticator.

You can indicate whether the user must have 2FA enabled, whether the user needs extra time to log in, the name of the account displayed in the app installed on your phone, a secret code, show the QR code, and whether to allow adding a password in the app.

Add the Configured Account to the Mobile App

Now, the first time that someone who has been instructed to log in with 2FA logs in, the following window will appear asking them to scan their QR code on their mobile and confirm the generated code that they see in the app.

Initial WordPress screen after logging in and having activated Google Authenticator.

In the Google Authenticator app on their mobile, the user must tap the “+” button at the bottom right of the app screen to add a new account, choose to scan a code, and scan the code shown by your WordPress site. After that, the setup will be ready.

Now all the user has to do is enter the code that appears in the app on the initial screen and the configuration is complete.

The next time the user wants to access the site, they’ll have to do it in two steps: first entering their username and password and, next, their Google Authenticator code.

And that’s it! With this you will have doubly ensured the security of your website.
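How the 6-digit, 30-second code and the "secret code" from the user profile fit together, as an added example (not code from the plugin or from this post): the Google Authenticator app implements standard TOTP (RFC 6238), and the sketch below shows what a site has to check on its side. The `window` and `last_counter` parameters are illustrative names, and the secret is the public RFC 6238 test secret, not a real account.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid, as shown in the app
DIGITS = 6   # length of the code the app displays
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test secret (sample)


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, now: float) -> str:
    """RFC 6238: HOTP where the counter is the number of 30 s steps so far."""
    return hotp(secret_b32, int(now) // STEP)


def verify(secret_b32, code, now, last_counter=-1, window=1):
    """Return the matched time-step counter, or None if the code is rejected.

    window: 30 s steps of clock drift tolerated on each side of "now".
    last_counter: time step of the last accepted code; codes at or before
    it are refused, so a code seen once cannot be replayed.
    The caller stores the returned counter as the new last_counter.
    """
    current = int(now) // STEP
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        expected = hotp(secret_b32, counter)
        if hmac.compare_digest(expected.encode(), str(code).encode()):
            return counter
    return None
```

A wider `window` tolerates more clock drift on the phone but also lengthens the time a captured code stays usable, which is why the replay check matters.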


Maintaining the security on your website involves following a set of best practices to minimize the risk of being a victim of attacks. Although protecting yourself 100% is impossible, you have already seen that installing a double security barrier on your website is simple and free, so don’t wait until you have a problem when you know that prevention is better than cure!

Featured image of FLY:D on Unsplash.
