August 31, 2017

How Two-Factor Authentication Can Help Keep Your WordPress Site Safe

Image by RLJ Photography NYC

There are lots of hacked WordPress sites on the web. Hacked sites are often the victims of botnets that brute force the login process, trying lots of different combinations of usernames and passwords until they hit one that lets them in. After they have access they can plant malware or other undesirable content on a site.

The success of this sort of attack has almost nothing to do with the security of WordPress itself and everything to do with the behavior of WordPress users. In principle, username and password combinations are a very safe way of securing a site. In practice, people don’t understand how to use passwords properly and value convenience over security. If they can get away with having “pa55word” or an equally guessable combination as their password, many will.

We can rail against this sort of complacency all we like, but as responsible site owners we just have to accept lax password security as a part of the landscape. Education helps, but not much; we need to implement other mechanisms for ensuring that our sites don’t fall when the botnets come knocking.

Usernames and passwords work because the number of possible combinations is enormous. For a sufficiently long, complex, and random password, it would take even the most powerful computer many years to hit on the right combination. For a sufficiently simple password, it can take fractions of a second. If users aren’t willing to use random and complex passwords, the solution is to implement another verification mechanism, a second factor, that will ensure the chances of guessing a valid combination remain remote.

There are various ways of implementing two-factor authentication — biometrics such as fingerprinting are one, but that’s more complex to implement than the method I’m about to suggest, one-time passcodes.

Unlike a password, a one-time passcode works for a short amount of time, usually about 30 seconds. The TFA service and the user share a secret — frequently a long string of numbers — which is used in combination with the time to create a unique passcode known to the TFA service and the user without it ever having to be communicated between them. It’s much safer than using passwords alone and because the choice of passcode isn’t up to the user, they can’t circumvent security by using an easily guessable combination.

The typical scenario would go as follows: the user wants to log in to your WordPress site. They enter their username and password, after which they are asked for a further passcode. They will have an application from the TFA service provider installed on their smartphone or a dedicated device, which will generate a passcode that can only be used for a short time. When they enter the passcode correctly, they are logged in.
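The passcode derivation and the server-side check from the login flow above, as an added example that is not code from this post, Duo, or Authy. It assumes the standard TOTP scheme (RFC 6238 with HMAC-SHA1 and six digits); the `SecondFactor` class, its parameters, and the sample secret are illustrative names and constructed values.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds each passcode is valid, as described in the article
DIGITS = 6     # assumed passcode length (the common default)

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, now: float) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(now) // STEP)

class SecondFactor:
    """Hypothetical server-side check, run after the password was accepted."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps   # tolerate small clock skew on the phone
        self.last_used = -1              # highest time step already accepted

    def verify(self, submitted: str, now: float) -> bool:
        current = int(now) // STEP
        for step in range(current - self.drift_steps,
                          current + self.drift_steps + 1):
            if step <= self.last_used:
                continue                 # each passcode is accepted at most once
            expected = hotp(self.secret, step).encode()
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected, submitted.encode()):
                self.last_used = step
                return True
        return False

# Constructed sample data: the RFC 6238 test secret and a fixed clock value.
SECRET = b"12345678901234567890"
NOW = 59

if __name__ == "__main__":
    server = SecondFactor(SECRET)
    code = totp(SECRET, NOW)             # what the phone app would display
    print(code, server.verify(code, NOW), server.verify(code, NOW))
```

The second `verify` call with the same passcode fails: a code captured in transit cannot be replayed, even within its 30-second window.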

There are several good TFA services that integrate well with WordPress, but I’m going to suggest you take a look at two: Duo Security and Authy 2FA.

If you run a multi-user WordPress site, particularly if you have several admin users, implementing two-factor authentication will make it almost impossible for casual brute-force attackers to successfully breach your site. It’s well worth the minimal effort to avoid the risk of becoming a vector for malware or a hacker’s playground.

