WordPress sites are frequently targeted by hackers, mainly because it’s the most popular CMS that powers about the 30% of all websites on the web. There are many methods that can add extra layers of security to a WordPress site; two factor authentication is one of them. It takes action on the login page by requiring the user to use a second authentication factor. The additional verification can happen by email, text messages, QR codes, push notifications, one-time tokens, or other methods.
There are many plugins in the official WordPress repo that promise two factor authentication (or 2FA in short). However in reality, many of them include the feature only in the premium plan. In this article, we have collected the seven best two factor authentication plugins you can get for free.
SecSign replaces the default WordPress login screen and allows you to log in to your site with your smartphone or Apple Watch. This also means that you don’t have to type in your WordPress password when you sign in to your site.
So, if there’s no password where does the two factor authentication come from? The first factor is the possession of the mobile device onto which you need to install the SecSign app. You can get the mobile app both for iPhone and Android. And, the second factor is either the knowledge of the PIN that you chose for yourselfg or your biometric identification.
Logging in with the SecSign plugin feels like a breeze. First, you simply enter your SecSign ID on the login screen. Then, you quickly perform the authentication on your smartphone or Apple Watch, and you’re inside the WordPress admin.
The Google Authenticator plugin by miniOrange adds an extra layer to the login page of your WordPress site. It allows you to choose between no less than six kinds of two factor authentication methods:
- Email verification
- SMS verification
- Phone call verification
- Soft token
- QR code authentication
- Push notification
If you want to use your desktop for authentication you need to choose email verification. The other methods all require a smartphone, however phone call verification also supports landline calls. Soft tokens (6-digit codes), QR codes, and push notifications are generated by the miniOrange Authenticator App. You can download the mobile app both for iPhone and Android.
Google Authenticator supports device notification as well and you can also use it on WooCommerce sites. Even better that the plugin author has another plugin for authenticating WordPress registration forms. If you use both miniOrange plugins your login and registration pages are both protected at the same time.
The RapID Secure Login is a simple but great plugin if you want two factor authentication for your WordPress site without too much hassle. It was designed with the purpose of providing WordPress users with a well-functioning and easy-to-use replacement of Clef. You can really set this plugin up in a few minutes and it has all the options you may want for your WordPress site.
To get started, you need to install the RapID Secure Login app on either your iPhone or your Android phone. To register your WordPress site with the mobile app, you only need to scan the QR code you find on the configuration page of the plugin.
This plugin is a great choice if you don’t trust one-time passwords received by email or SMS. The first factor of authentication is the QR code you need to scan using your smartphone & the second factor is either a PIN or your fingerprint. Straightforward, isn’t it? Moreover, you can also enable or disable the two factor authentication feature based on user role.
UNLOQ is not simply a two factor authentication plugin. It also allows you to decide if you want to use it for passwordless login or two factor authentication. If you choose the latter, the first factor of security is your WordPress password and the second factor is UNLOQ’s own authentication that can take three different forms:
- Push notification
- Time-based one-time password (TOTP)
- Email verification
The setup process is quite quick and straightforward. First, you need to verify your email address, then connect your WordPress site to UNLOQ’s mobile app via a QR code. That’s all. You can find the app in both the App Store and the Google Play Store.
The UNLOQ plugin has a beautiful admin interface. It even has an admin section where you can customize the appearance of your login screen with options such as a custom app icon, a logo, a background image, and colors. Plus, you can easily activate and deactivate users’ devices from the WordPress admin.
The Keyy Two Factor Authentication plugin allows you to log in to your WordPress site by scanning a code with your smartphone. The plugin changes the default WordPress login screen with a custom login widget where you can choose between a QR code and a Key Wave to log in. However, if you don’t have your smartphone with you there is still an option to log in using the traditional method (WordPress login + password).
The two factors of authentication are the QR code or Keyy Wave you need to scan and your fingerprint or a 4-digit passcode you need to enter when you log in to the mobile app. You can download the app both for Android and iOS.
Keyy uses RSA public key cryptography which is the same technology SSL websites use for secure data transfer. The digital key is created and stored on your smartphone and is secured either in the Android Keystore or in the Apple Keychain. This is a huge plus, as it means the authentication feature doesn’t rely on any third-party software.
The 2FAS Light plugin uses the Google Authenticator mobile app to provide two factor authentication for WordPress sites. The authentication process of this plugin is quite straightforward. First, it checks if the device you want to log in from has already been trusted. If not the plugin asks you for a security code generated by Google Authenticator.
Good news for Windows mobile device owners that Google Authenticator is not only available for iOS and Android, but you can also download it from the Windows Store. Even better news that the plugin also works with other token generator apps such as Authy, Free OTP, 2STP, OTP Auth, and others.
Once you installed the authenticator app on your smartphone, you need to scan the QR code the 2FAS Light plugin displays in the WordPress admin. Then, the mobile app generates a 6-digit token you need to enter on your site and you are all set. Whenever you log in from an untrusted device, the plugin will ask you to generate a token with the authenticator app. You can easily edit the list of trusted devices and remove unnecessary devices as well.
If you are a Telegram user this plugin can be the perfect solution for you if you want to quickly set up a second authentication factor on your site. To use this plugin, you need to create your own Telegram Bot. If you haven’t yet made a bot with Telegram this may be a little bit intimidating, however the plugin has an excellent FAQ page in the WordPress admin that informs you about every step of the process.
The setup process consists of only three steps. It doesn’t take too much time, even if you have never used Telegram before. First, you need to create a new bot by starting a conversation with @BotFather and using the
/newbot command. Then, you need to create a chat ID by starting a conversation with WordPressLoginBot and entering the
/get_id command. Finally, you need to activate the service by opening a conversation with your own bot you created in the first step and using the
/start command. Don’t worry, the setup is not that hard, and the FAQ page explains every step very well.
What is really great about this plugin is that every user can enable or disable the two factor authentication feature from their own profile. Moreover, the admin gets a message on Telegram every time a user fails to log in to the site. If you want a simple and straightforward plugin and not scared of bots (which you shouldn’t) this plugin is definitely worth a try.
In the world of malicious attacks, running a secure WordPress site is not for the faint of heart. Two factor authentication is an important step towards increased security but there are many other tasks to do.
To get more insight into WordPress security, read our previous articles on how to identify WordPress vulnerabilities, how to create security for your own plugin, and what are the main disadvantages of WordPress you need to consider.