How do you secure your WordPress password? Or better... how do you secure the passwords of everyone who has access to your WordPress site? That's a scary question, isn't it? While we hope you are following all of the password best practices, it doesn't change the fact that the most common passwords around the world are still "123456" and "password".

To combat the tendency toward weak passwords, you can use something called two-factor authentication. It is a common method for anyone who cares about login security; among its users we can count Google, banks, universities, and… WordPress site owners!

In this tutorial, I'll briefly look at two-factor authentication and tell you why it's important. Then I'll show you step by step how to add two-factor authentication to WordPress so you can protect your blog and your users' accounts.

What is two-factor authentication?

Two-factor authentication, also known as two-step authentication, is a strategy for improving login security by requiring users to enter both a password and a one-time code, usually sent by SMS.

Essentially, accessing your account requires combining something you "know" (your password) with something you "have" (your phone). While attackers might be able to get your password, it's unlikely that they will also be able to steal your phone.

Why do you need two-factor authentication for WordPress?

According to a WordFence survey of owners of hacked WordPress sites, brute force attacks were the second most common method of hacking and password theft. These attacks should be a very real concern for WordPress users.

For example, in April 2013 alone, 90,000 WordPress sites were the victims of a brute force attack using common usernames and passwords.

Although there are a number of ways to protect yourself against brute force attacks and password theft (securing wp-login.php, limiting login attempts, using unique passwords, etc.), two-factor authentication is another great layer of protection.

How to set up two-factor authentication on WordPress

To set up two-factor authentication on WordPress, you can use a freemium plugin called "Google Authenticator". I know there are a number of other two-factor authentication plugins available (besides, it's not the first time we've done a two-factor authentication tutorial):

Step 1: Install the Google Authenticator plugin

To get started, you need to install and activate the plugin. It is listed in the WordPress.org plugin directory, so you can install it directly from your dashboard by going to "Plugins > Add New".

[Screenshot: Add a WordPress plugin]

You will notice that there are two plugins with the same name. We have already done a tutorial for the other "Google Authenticator" plugin, so be sure to install the right one. You can always refer to that tutorial if you opt for the other plugin instead.

Step 2: Activate the plugin and create a miniOrange account

Once you activate the plugin, you must create a miniOrange account in order to continue:

[Screenshot: Creating a miniOrange account]

Once you submit the account information, miniOrange sends an OTP (one-time password) to the email address you used. This OTP verifies your email address. Simply enter the OTP and click on "Validate OTP":

[Screenshot: Validating the OTP for Google two-factor login]

If you're having trouble finding the email, here's what it should look like:

[Screenshot: The miniOrange authentication email for WordPress]

Once you enter the OTP, the plugin will take you to a page that looks like a pricing table. Don't worry! As I said, Google Authenticator is 100% free for one user, unless you want the premium version, which naturally comes with more options. For this tutorial, we're going to skip that by just clicking "Ok got it".

[Screenshot: "Ok got it" on the Google Authenticator pricing page]

Step 3: Configure Security Questions for an Alternative Login

Before we look at the two-factor authentication methods themselves, it's a good idea to follow the plugin's prompt asking you to set up security questions. They ensure that if you lose your phone, you will still be able to access WordPress by answering these questions.

You don't have to complete this step - but it's an option that may save your life later.

You can access the security questions by clicking on the prompt "Click here to set your security questions":

[Screenshot: WordPress security question prompt]

Choose two questions, create a custom question, and enter the respective answers for these three questions. Then click Save.

[Screenshot: Google Authenticator two-factor security questions]

Step 4: Configuring Two-Factor Authentication

You are now ready to set up your two-factor authentication methods! Google Authenticator offers the following methods:

  • Smartphone OTP app - choose from the Google, miniOrange or Authy apps, so you have several to pick from.
  • SMS - get an OTP by text message. You get 10 free SMS; after that you need a premium subscription.
  • Push notification - you can get a push notification on your phone.
  • QR code - scan a QR code with the miniOrange app. It works like a key.
  • Phone call - receive a phone call with an OTP (premium only).
  • Email - enabled automatically once you verified your account email in the previous step.

I will show you how to set up two of the most popular methods: text message, and a smartphone app (Google Authenticator) to receive the OTP.

How to configure text message authentication:

First, go to the "Two-Factor Setup" tab. Then click on "OTP by SMS":

[Screenshot: WordPress authentication by SMS]

Enter your phone number, including the appropriate country code. Then click on "Verify":

[Screenshot: Verifying a phone number in Google Authenticator]

After clicking Verify, you should receive a 6-digit OTP by SMS. Simply enter the OTP in the field and click on "Validate OTP". That's all!

How to configure authentication with the smartphone app:

For app authentication, you can choose any of the three apps listed above. Because Google's is the most popular, I will show you how to configure it using "Google Authenticator".

Start by clicking on the "Google Authenticator" option in the "Two-Factor Setup" tab:

[Screenshot: Google Authenticator two-factor configuration]

Then select the brand of your smartphone. Once you select a smartphone type, the plugin will show you a QR code to scan:

[Screenshot: QR code shown by the Google Authenticator WordPress plugin]

To scan the code, you need to download and install the "Google Authenticator" app on your phone. In the app, tap "Begin setup", then "Scan a barcode":

[Screenshot: Scanning the barcode with Google Authenticator]

Once you have scanned the barcode on your screen, the app will show a 6-digit code. Just enter this code to authenticate your account. Note, however, that the 6-digit OTP changes constantly: you must always enter the most recent code.

Once you add the OTP code and click on "Verify and Save", you will be done!

Step 5: Testing Your Two-Factor Authentication

Whenever you make a change, it's always a good idea to check that everything is working normally.

To do this, open a new incognito window and try to log into your WordPress account. First, you should see your normal WordPress login screen. But after entering your username and password, you should have to complete one more step to log in:

[Screenshot: Testing the Google two-factor login]

If you enter the correct OTP code, you will be redirected to your dashboard.

Just for fun, you can deliberately enter an invalid OTP to verify that the plugin is working. If the login fails, you should see a page similar to the following:

[Screenshot: Failed two-factor WordPress login test]

That's it for this tutorial; I hope it helps you add two-factor login to your WordPress blog.