6 Best WordPress Security Authentication Plugins


It doesn’t take much for your digital life to be totally destroyed, as Wired’s Mat Honan discovered (check it out, it’s an eye-opening read).

Remembering usernames and passwords can be a real pain in the backside, so it’s no surprise most people use the same information across several accounts, such as email, social media and even banking. But if one account’s password is hacked and cracked, that security leak can put your other accounts in danger.

If you manage a WordPress site, or even several sites for clients, beefing up the overall security of a site is a no-brainer. Most users know how to strengthen passwords, but a stronger defense against brute-force attacks is two-step authentication. Even if a hacker guesses your username and password, they will not be able to log in to your site without a code or token, which is usually connected to your smartphone.

In this round-up, we’ll look at some of the top authentication plugins available for WordPress.

  • Google Authenticator

    The Google Authenticator plugin is probably the most popular security authentication tool available for WordPress. This plugin gives you two-factor authentication using the Google Authenticator app for iPhone, Android and BlackBerry.

    Once installed and activated, the plugin’s settings will appear in Users > Your Profile. From there, you can set a secret key or use a QR code. You will then need to download the free Google Authenticator app on your smartphone and enter the secret key or scan the QR code so you can link the app to your WordPress site. Once that’s all set up, any time you log in to your site you will need to open the app on your phone and enter the provided authenticator key before the timer runs out.

    This is a great plugin if you want to easily increase login security on your site.

  • Clef


    I have to say, Clef is fantastic for a free plugin. This plugin and app combo allows you to replace usernames and passwords on your WordPress site with your smartphone.

    This is how it works: Download the app directly from the Apple iTunes or Google Play stores, then download, install and activate the Clef plugin from the WordPress Plugin Repository. When you set up the smartphone app for the first time you create a profile on your phone. Clef uses that profile to generate a new digital signature each time you want to log in to your site. Rather than logging in with a password, you will see your login screen replaced with the “Clef Wave,” which you will need to sync with another Clef Wave on your phone. The smartphone app will then grant you an hour-long session to use your site unless you increase the session time on your phone.

    This is a great plugin/app and definitely worth checking out.

  • Two-Factor Authentication - Clockwork SMS

    Clockwork SMS offers two-factor authentication using SMS, so you don’t necessarily need a smartphone to use this plugin. However, while the plugin is free, you do need to spend cash to send SMS messages to your phone each time you want to log in to your site.

    After installing and activating the plugin you will need to get an API key from the Clockwork site.

    While this plugin is helpful for non-smartphone users, it does cost money.

  • Duo Two-Factor Authentication

    Duo Two-Factor Authentication allows you to add an extra layer of login security to your WordPress site using your smartphone.

    You will need to download and install Duo’s plugin and app, and also create an account on the Duo Security website to obtain security keys.

    The next time you log in to your site, you will be directed to another login page where you can choose how you would like to authenticate. There are multiple ways you can authenticate, including using the mobile app, one-time passcodes generated on the app, one-time passcodes delivered via SMS, phone callback to any mobile or landline phone, and one-time passcodes generated by an OATH-compliant hardware token. I prefer to use Duo Push, which sends a message to your phone and opens the Duo app, allowing you to approve or deny a login request.

    This plugin/app is a great way to keep track of who logs into your site and when.

  • OpenID

    The OpenID plugin allows you to log in to your site using an OpenID. If you use online services such as Google+, Yahoo, Flickr or WordPress.com, you probably already have an OpenID.

    Once installed, this plugin adds new options to Users > Your OpenIDs and Settings > OpenID. You can add OpenID accounts in the Users section so you can log in using your social accounts.

    The only problem with this plugin is that you can still log in to your WordPress site with either your usual login details or your OpenID, so it doesn’t really offer an increased level of security like the other plugins in this list.

  • Authy

    Authy offers a quick and easy way to add two-factor authentication to your site.

    Just download the Authy plugin from the WordPress Plugin Repository, install the Authy smartphone app and sign up for an Authy account. After you’ve installed and activated the plugin, enter the API key from your account and choose which roles you would like the authentication to apply to. Then you will need to enable authentication for each of your users by adding their cellphone numbers.

    The plugin works by texting a token to your phone when you attempt to log in to your site. Once you’ve entered the token, you can successfully log in.

Which Authentication Plugin Works Best?

After testing each of the above plugins, I was most impressed with Clef. It’s easy to install and have up and running within minutes, plus the Clef Wave just looks so damn cool.

Google Authenticator is also a popular tried and tested plugin, with an average rating of 4.8 stars in the WordPress Plugin Repository. It’s reliable and regularly updated.

Authy and Duo are also solid plugins that are straightforward to set up and are easy to use.

Clockwork, while easy to set up, asks for cash, and when there are free alternatives like Clef and Google Authenticator available, the free options are going to win every time.

OpenID is a novel idea, but just doesn’t offer the same level of security as the other plugins.

Do you use two-step authentication on your site? Which plugin do you use? And if you don’t use authentication, why not? Tell us in the comments below.
