This year identity theft and hacking are up 70%. That’s a crazy increase. This is why I have 2FA (Two-factor Authentication) on everything I can when the option is available, including all my WordPress websites.
Someone accessed my business PayPal account and added a Visa gift card. They then filled the gift card with funds from my PayPal balance. PayPal has since upgraded its security, even admitting that it should never have happened without my confirmation as the account owner.
The last thing you want is for your website to be compromised so that your server and resources are used for nefarious activities. Attackers tend to go after the little guys because they know small site owners don't take security as seriously as they should.
WordPress Security is a Thing
When it comes to my WordPress websites, they are locked down because that is within my control. Not infallible, nothing is, but I have the peace of mind of knowing I've covered all the bases I can.
My article Tips to Secure Your WordPress Website covers 2FA as well. When I log in to a site that doesn't have 2FA in place, I immediately make that recommendation. But recommending doesn't mean they follow through.
Is it because there is an extra step to look at your phone and type in a code? That’s the exact thing that prevents strangers from accessing your stuff.
If your site gets compromised, you’ll look at those extra steps a bit differently. After going through a site recovery, 2FA is something you’ll actually enjoy.
Compromising WordPress Websites
There are two ways your WordPress website can get compromised: on the server side and through your dashboard.
This is where a quality host comes into play. A website host is responsible for securing those servers and its network. You can assist by using a long, complex password for your hosting and FTP accounts, and by using SFTP rather than plain FTP wherever the host offers it, since plain FTP sends your password across the network unencrypted.
The same goes for your WordPress dashboard login. The more complex the password, the better.
If you don't want to remember wacky passwords, check out a password manager such as LastPass. I have it on my desktop, tablet, and phone. Once a password is saved, I don't have to worry about typing it in again.
Setting Up 2FA The Easy Way
By setting up 2FA to access your WordPress website's dashboard, you and any other users you designate will need to enter a one-time code, generated by an authenticator app on their phone, in addition to their password. The code is never sent anywhere; the app computes it from a secret shared with your site when the QR code is scanned. Without that code, no entry.
The 2FA settings are located in Wordfence > Login Security. Wordfence is an all-around security plugin and will also allow you to keep tabs on shady activity on your WordPress website.
You’ll see two tabs: Two-factor Authentication and Settings. Let’s start with the Two-factor Authentication tab:
- First, install an authenticator app on your phone. Google Authenticator is free and available for iOS (Apple App Store) and Android (Google Play Store); any app that supports the standard TOTP codes will work.
- Once installed, go to the left sidebar: Wordfence > Login Security.
- Scan the QR code on that page with your authenticator app (open the app and tap the + sign).
- Download the recovery codes and store them somewhere safe that is not the phone itself, so you can still log in if you lose the phone or it stops working. Each recovery code can be used only once.
- Enter the six-digit code from the app into the box (the one showing the 123456 placeholder) and click Activate.
Once you are set up, when you log in to your site, another step will appear asking for the code from the app. The app generates a new code every 30 seconds, so a code that someone saw over your shoulder is useless a moment later.
You'll notice an option to not ask for a login code for 30 days. Check that only on a device that you alone control; on a shared or public computer, leave it unchecked, otherwise anyone who sits down at that browser within 30 days skips the second factor.
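To show what is actually happening behind the QR code, the rotating six-digit code, and the recovery codes from the steps above, here is an added worked example. It is not code from this article, from Wordfence, or from Google Authenticator; it is a minimal implementation of the TOTP standard (RFC 6238) that such apps use, plus a hypothetical recovery-code store. The secret below is the published RFC 6238 reference test key, not a real account secret, and the class names (TotpVerifier, RecoveryCodes) and the replay-rejection logic are my own illustration of how a site should check the codes.

```python
"""Added example: how authenticator codes and recovery codes work.
Not Wordfence's or Google Authenticator's code; a minimal RFC 6238
TOTP implementation plus a hypothetical recovery-code store."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # authenticator apps rotate the code every 30 s
DIGITS = 6          # the six-digit code typed into the login box

# Constructed sample secret: the RFC 6238 reference test key, base32
# encoded the way an otpauth:// QR code carries it. Not a real secret.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode the shared secret; tolerate spaces and missing padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: float) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30).
    This is the number the phone app displays; it changes every 30 s."""
    return hotp(decode_secret(secret_b32), int(at_time) // STEP_SECONDS)


class TotpVerifier:
    """Hypothetical server-side check. Accepts the current 30 s step and one
    step either side (phone clock drift), and never accepts a step that has
    already been consumed, so a code that was observed cannot be replayed."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = decode_secret(secret_b32)
        self.window = window
        self.last_used_step = -1

    def verify(self, code: str, at_time: float) -> bool:
        step = int(at_time) // STEP_SECONDS
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_used_step:
                continue  # already used, or older than one we accepted: replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_step = candidate
                return True
        return False


class RecoveryCodes:
    """Hypothetical backup-code store: issue a batch once, keep only hashes
    server-side (a database leak then reveals nothing usable), and burn
    each code on its first use."""

    def __init__(self, count: int = 5):
        # Shown to the user exactly once, at download time.
        self.plain = [secrets.token_hex(5) for _ in range(count)]
        self._hashes = {hashlib.sha256(c.encode()).hexdigest() for c in self.plain}

    def redeem(self, code: str) -> bool:
        h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if h in self._hashes:
            self._hashes.remove(h)   # single use
            return True
        return False


if __name__ == "__main__":
    now = time.time()
    print("code right now:", totp(SAMPLE_SECRET_B32, now))
    v = TotpVerifier(SAMPLE_SECRET_B32)
    print("first use ok:", v.verify(totp(SAMPLE_SECRET_B32, now), now))
    print("replay ok:", v.verify(totp(SAMPLE_SECRET_B32, now), now))
```

Running it prints a different code every 30 seconds and shows the second, replayed submission being refused. The window of one step on each side is why a phone whose clock is a few seconds off still logs in; widening it much beyond that only makes a guessed or captured code live longer.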
2FA Settings Tab
Go to the Settings tab, where you’ll see the user summary noting if 2FA is active.
- Enable 2FA for these roles: This sets the user levels you want to use 2FA on your site.
- Require 2FA for all administrators: Admins have the most permissions within your dashboard. Minimally you want to require that all Admins have 2FA activated.
- Grace period to require 2FA: You can set how many days users in the required roles have before 2FA becomes mandatory, and click SEND NOTIFICATION to inform all Admins who have not yet set it up.
- Allow remembering device for 30 days: If enabled, users with 2FA enabled may choose to be prompted for a code only once every 30 days per device.
- Enable reCAPTCHA on the login and user registration pages: reCAPTCHA v3 does not make users solve puzzles or click a checkbox like previous versions. The only visible part is the reCAPTCHA logo. If a login attempt scores below the threshold (that is, looks automated), Wordfence will send an email to the user's address with a link they can click to verify that they are a user of your site.
Safe and Secure
Now you can relax a bit with the knowledge that you added an additional security layer to ensure that your WordPress dashboard can only be accessed by those you designate. Remember, nothing is 100% guaranteed, and 2FA protects only the dashboard login; it does nothing for the server side, which is still down to your host and the strength of your hosting credentials. However, by adding 2FA combined with crazy, wacky, long, and non-sensical passwords, you minimize your risk dramatically.
At your service,