WordPress.org is one of the more common self-hosted content management systems used nowadays, managing everything from company websites and intranets, to ecommerce platforms, blogs, community forums and subscription-based sites. Despite its adaptability and success, one of the most common and weakest points of attack against WordPress remains its login function. By default, the login URLs remain the same and set no limits on the number of login attempts, leaving it open to brute force attacks.
Put together the growing strength of password crackers, botnet attacks and weak enterprise authentication measures (such as default usernames and weak passwords), and you end up with a disaster waiting to happen. Of course no matter how secure you think your installation might be, you should awlays have a regular data backup policy in place, and that includes having a backup of your backup in a separate location.
Over the last year or two, there have been an increasing number of websites, such as Twitter and Google that have provided the option to add two-factor authentication. While the 'something the user has' part of two-factor authentication can be anything - including a hardware token device (used by many banks) - the most commonly used tool is a person's mobile phone.
While it used to be a cumbersome process to add two-factor security to other applications, companies like Duo have made this a great deal simpler. Systems administrators can now increase information security by adding two-factor authentication for server access (SSH and remote Unix logins), VPNs and of course WordPress sites. Enabling this layer of security for the latter is what will be demonstrated below. Note that the free version of Duo is for 1-10 users only. There are paid plans for those requiring additional security on a larger scale:
Getting started - register a Duo account
Visit Duo's website and click on the 'Free Trial' button on the top right. Fill in the required details to create your account.
You will receive an email activation link. Once you click on this you will be taken to a new form requesting a name, password and the phone that you want to associate with your Duo account.
Once you have completed the above step, you will be taken to a screen where you can choose from a whole host of two-factor integrations. In our case we select WordPress.
The settings page for the WordPress integration is relatively self-explanatory. Give the integration a name and change any settings in line with your requirements. The default settings should work perfectly fine for most.
Download and install Duo plugin
Either separately download the Duo Two-Factor Authentication plugin or do so directly from the WordPress dashboard. Once installed, visit the plugin's settings menu.
Enter provided information
The relevant information required by the plugin's settings can be found on your WordPress integration page.
Copy the information provided and paste this into the corresponding fields shown on the plugin's settings page. Here systems administrators can also require two-factor authentication based on user levels, so for example, only administrators with elevated privileges will need to be authenticated.
For ease of use, and added security, download the relevant Duo app for your iOS or Android phone. Other phones can simply use the text login codes or phone call option. If you happen to use the app, you will also be able to view the IP address of the user seeking to access the account (which should hopefully be your own).
When logging in for the first time with the Duo plugin activated, users will be asked to link their phone to the WordPress username being used to log in. The Two-Factor authentication screen will now appear every time you successfully enter your username and password.
Of course this alone should not make you think that your WordPress installation is fully secure and that there is nothing more to worry about! There are a whole host of other security features that need examining and enabling in order to ensure that you make life as difficult as possible for an attacker. Having two-factor authentication enabled though will certainly help to improve the security profile of your site and data, allowing you and your users to sleep a little more soundly at night.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.