Two-factor authentication (2FA) on your WordPress website

One of the largest risks to be hacked is found in the use of unsafe passwords. Hackers are continually active online trying out passwords. So, odds are that one day they’ll guess what they are. Including the password of your WordPress website. We continually get new customers for our WordPress hack-free plans to end this once and for all.

The technology of two-factor authentication (or 2FA) is being used increasingly to minimize the risk of malicious logins. In this article, we explain how 2FA works and what the possibilities are for using 2FA on your WordPress website.

What is two-factor authentication (2FA) for WordPress?

2FA requires you to identify yourself in two ways (by two factors), so it can be determined with greater certainty that the identification is legit. One simple example is paying with your debit card in the store: you not only need to physically hold the card, you also need to know the personal identification number. 2FA for WordPress can mean that you need to get a code from your phone and enter this on your screen, after you’ve already logged in successfully with a password. In case a hacker has guessed your password, he can still do nothing, because he physically needs your phone for the second step. The chances of a hacker both guessing your password and stealing your phone is of course very small.

Two-factor authentication (2FA) options for WordPress

You can secure your WordPress website in different ways using 2FA. We will discuss four different methods to do this.

1. Google Authenticator (free)

A widely used form of 2FA for WordPress is the free solution of the Google Authenticator plugin. Next to a username and password for your WordPress website, this plugin also demands you enter a code from your phone. For this, you need a smartphone with the free Google Authenticator App installed on it. The app generates a unique code for you. You copy the code to your screen, which allows you to login successfully. The code is valid for 5 minutes, so if someone were to accidentally read the code from your phone they wouldn’t be able to use it later to login to your website.

Google Authenticator is supported by more and more online services, so you only need one app on your phone to secure your accounts with all these services. Think of all the Google services, but also Dropbox, LastPass and Amazon. Very convenient!

2. Duo Security (free up to 10 users)

Next to offering the same type of product as the Google Authenticator, Duo Security offers a few different ways to login as a second step to identify yourself. For example, you can confirm your identity by getting a call-back and receiving a code. Or you can link a USB keychain that you have to plug into your computer. To activate Duo Security on your WordPress website, you need the Duo Two-Factor authentication plugin.

Some great advantages of Duo Security are that you can add multiple users to your account and that you can demand a specific security policy. This is perfect for organizations that want to implement 2FA for more than one employee. Up to 10 users it is even free (with somewhat limited options). Plus, you can link many other online services to Duo Security.

3. YubiKey 4 ($ 40 per key)

The YubiKey is a USB keychain with a button. When you plug it into your computer, you push the button and the keychain ‘types in’ a unique code on your computer. This code is different every time and for one-time use only. The validity of the code is verified by the Yubico servers, the company behind the YubiKey. Then, your identity is confirmed. The YubiKey has several security certificates, which makes it very suitable for companies that need to comply with high security standards. The YubiKey is used by employees of, for example, Google and Facebook. In the Netherlands, it is used by several government departments, where employees have access to sensitive information.

The YubiKey 4 can be purchased for $ 40 at Yubico or for € 46,15 at the YubiKey Shop. To integrate the YubiKey with WordPress you need the Shield WordPress Security plugin. You can activate your YubiKey under ‘Login Protection’ by following the steps in the settings.

4. NitroKey (€ 9 per key)

The NitroKey is a USB key chain, that is made according to the U2F standard. The U2F standard has been developed, among others, by Google. Unfortunately, is not yet very widely supported. The NitroKey does not ‘type’ a unique code for you, like the YubiKey does, but it identifies itself one-time to your web browser when you plug it into computer. That’s why a U2F key also has to be supported by your web browser. Unfortunately, this means the NitroKey can only be used in the newer browsers of Chrome and Firefox at this time. This makes the NitroKey mostly useful for single users and not for multiple users, working with different computers and different browsers. Plus, it requires your website to be secured with a SSL certificate and your WordPress website to run under a domain name that starts with https://.

When testing the NitroKey, we found that the key doesn’t connect very well with a Mac USB port. On PC’s, testing did not result in any problems. You can purchase the NitroKey on Also, you need the Two-Factor plugin for WordPress to link your U2F key.