Protect your login with two factor authentication


One of the most fragile parts of WordPress and most other web applications is the login. It is often easy to work out the user name for many systems because most will use your email address, which can be easily found out.

In WordPress you may use a user name, but that could then be shown as your author name on all your posts – and your email address probably works too.

Too many systems rely on the password alone to keep your login secure. Now there are some great tools to help you create hard-to-remember passwords and then remember them for you. I have been using Roboform for many years.

The Roboform app runs on Windows, Mac, iPad, iPhone and Google Phone, and shares all my passwords across the devices for me. I just have one master password to remember.

We hear so often about sites being hacked and then you are told you must change your user name and password immediately, so what can we do to increase our security?

Two Factor Authentication

One of the simplest ways to increase your login security is to upgrade to two factor authentication. The concept is simple. You need to authenticate from two different sources to confirm your login.

Roboform has a version of two factor authentication, by emailing a code to me when I have not used a device for some time. So a hacker needs access to my device and access to my email to gain access.

For securing my WordPress site, and to serve as an example for you to follow, I am going to use the two factor authentication method from Google.

This means installing an app on my mobile phone, and a plugin on my WordPress site.

When I now log into my site, I need to check the phone for a 6 digit passcode and add that to my login. The code is only valid for 30 seconds, so if anyone managed to copy down my username, password and security key, they have less than 30 seconds to use it. (I like to wait till 5 seconds before the timer is up to log in.)

How does it work?

You first install the plugin on your WordPress site and the app on your phone. To ‘connect’ the two, the WordPress plugin creates a secret key and then gives you a QR code which you scan into the phone app.

When you wish to log in, both systems work from the universal time counter and calculate the 6 digit passcode from your secret key and the current time. The passcode is reset every 30 seconds; the secret key itself does not change. When both agree, you can log in.

So, to now compromise your site, a hacker needs your login details AND access to your mobile phone.
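The calculation described above is the time-based one-time password (TOTP) scheme from RFC 6238, which Google Authenticator uses. The following is an added example, not code from the plugin or from the original post; the secret is the published RFC test key, and the `window` and `last_used_step` parameters are illustrative choices for handling clock drift and rejecting a passcode that has already been used.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each passcode stays valid
DIGITS = 6   # passcode length shown by the phone app
# Constructed sample: the RFC 4226/6238 test key "12345678901234567890" in base32,
# the encoding the QR code uses to carry the secret to the phone.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter):
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # restore stripped padding
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32, now=None):
    """The counter is the number of 30-second steps since the Unix epoch."""
    now = time.time() if now is None else now
    return hotp(secret_b32, int(now) // STEP)


def verify(secret_b32, submitted, now=None, window=1, last_used_step=-1):
    """Server side: return the matching time step, or None if the code is rejected.
    window=1 also accepts the neighbouring steps to tolerate clock drift;
    steps at or before last_used_step are refused so a code cannot be replayed."""
    now = time.time() if now is None else now
    current = int(now) // STEP
    for step in range(current - window, current + window + 1):
        expected = hotp(secret_b32, step).encode()
        # Constant-time comparison avoids leaking how many digits matched.
        if step > last_used_step and hmac.compare_digest(expected, submitted.encode()):
            return step
    return None


if __name__ == "__main__":
    code = totp(SECRET)
    print("current passcode:", code, "accepted at step", verify(SECRET, code))
```

A site that stores the step returned by `verify` and passes it back as `last_used_step` on the next login makes each passcode single-use, even inside its 30-second window.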

Google Authenticator can secure multiple websites with individual keys. It also secures my Google Account login, IFTTT account and UpdraftPlus backup plugin among others.