Beef Up WordPress Security with Multifactor Authentication from Google

As many of you know, the recent security breach at wordpress.org caused millions of users to have to reset their passwords. If wordpress.org can be hacked into, you’re dreaming if you think that your WordPress site is impenetrable.

WordPress’ single-factor authentication requires only a username and a password for entry into a site. If you want to get serious about WordPress security, you should strongly consider adding multifactor authentication to your login process.

What is multifactor authentication?

You’ve probably already experienced multifactor authentication with a bank or credit card, as websites that handle your money demand high levels of security. By definition:

Multi Factor Authentication, also called strong authentication, involves the use of two or more authentication factors. The generally accepted rule is that multi factor authentication requires the use of identity factors from at least two of the three factor categories:

  • personal – something you know
  • technical – something you have
  • human – something you are

Source: delfigo security

How to Get Multifactor Authentication for your WordPress site:

Google Authenticator is a new plugin that quietly slipped into the WordPress repository last month. So far it’s only had 142 downloads. This plugin gives you multifactor authentication using the Google Authenticator app for Android, iPhone, and BlackBerry.

Google Authenticator allows you to enable the multifactor authentication requirement on a per user basis. For example, you might enable it for your administrator account but login as usual with less privileged accounts. Here’s what the enhanced login box will look like with the plugin installed:

The Google Authenticator plugin adds settings to the Profile and Personal options page for setting the secret key and displaying the QR code:

You’ll get a screen similar to this on your mobile device with the Google Authenticator app:

The Google Authenticator verification codes are time based, so the clock on your server and the clock on your phone have to agree, or the codes the app shows you will be rejected. Also, your PHP installation will need the SHA-1 and SHA-256 hashing algorithms.
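To make the time-based mechanism concrete, here is an added example (not code from the plugin or from the original post) of how a Google Authenticator code is computed on the phone and checked on the server, following the RFC 6238 TOTP scheme with HMAC-SHA1 that the app uses. The function names, the one-step tolerance window and the use of the RFC's published test secret are assumptions.

```python
# Added example: TOTP as used by Google Authenticator (RFC 6238, HMAC-SHA1,
# 30-second steps, 6 digits). Not the WordPress plugin's own code.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30   # seconds per code, the Google Authenticator default
DIGITS = 6

def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    # The shared secret is handed to the user as base32 (that is what the QR code
    # carries); pad it so the standard decoder also accepts unpadded strings.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at: Optional[float] = None) -> str:
    """What the phone app displays: HOTP of the current 30-second time step."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at) // TIME_STEP)

def verify_totp(secret_b32: str, code: str, at: Optional[float] = None,
                window: int = 1, last_used: Optional[int] = None) -> Optional[int]:
    """Server-side check. Returns the matched time step (store it and refuse a
    replayed code) or None if the code is invalid. `window` is the number of
    steps of clock drift tolerated on each side: the phone's clock and the
    server's clock must agree that closely or the code is rejected."""
    at = time.time() if at is None else at
    step = int(at) // TIME_STEP
    for candidate in range(step - window, step + window + 1):
        # constant-time compare so timing does not leak which digits matched
        if hmac.compare_digest(hotp(secret_b32, candidate), code):
            if last_used is not None and candidate <= last_used:
                return None   # already consumed: a TOTP code is one-shot
            return candidate
    return None

if __name__ == "__main__":
    # RFC 6238 Appendix B test secret ("12345678901234567890" in base32);
    # a constructed sample, never a fixed secret in production.
    SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(SECRET, at=59))                    # 287082
    print(verify_totp(SECRET, "287082", at=89))   # 1 (one step of drift accepted)
    print(verify_totp(SECRET, "287082", at=150))  # None (too old)
```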

You can download the Google Authenticator plugin for free from the WordPress plugin repository.

Recent security scares have got me wondering – is it time to think about multifactor authentication as a standard for WordPress sites? What’s your opinion? Will you be adding more layers of security to your site?