Securing your login screen is one of the simplest things you can do to help increase the security of your WordPress website. By implementing two-factor authentication, you make it much harder for people to gain unauthorized access to your WordPress dashboard. Fortunately, Duo Security is a free service (for up to ten users) offering two-factor authentication for WordPress websites.
Two-factor authentication is based on a simple concept: logging in requires you to know something and have something. So in addition to knowing the username and password for the login, you must have something in your possession to complete the login process. In the case of Duo Security, that something is simply a telephone.
Using any phone available, you can receive a telephone call during which you must press a certain key in order to be allowed to log in. If you have a mobile phone, you can get a passcode via text message. Smartphone users can generate one using the Duo Security mobile app. Finally, iPhone and Android users have the additional option of responding to a push notification. You simply choose the style of secondary authentication you wish to use.
You can have multiple devices set up for your account, all easily managed through the Duo Security website. And you can use the same login across multiple websites, all using the same configuration.
Duo Security is so easy to set up and provides such a strong layer of protection, you would be crazy not to set it up on your WordPress website. Visit Duo Security to set up your account.

You could also mention https://www.shieldpass.com 2nd factor authentication which isn't vulnerable to mobile trojans and you don't need to carry a smartphone for.
Matt–
I could, but as I understand it, the ShieldPass service is not two-factor authentication.
ShieldPass is based on the PassWindow system, which provides users with a one-time use, constantly changing password. The end user must have a “decoder card” with which they can read the current password. And I agree, this is a great idea for single-factor authentication. But, if I lose my passcard my site is open to attack from whoever has my card until such time as I can get to my ShieldPass account and deactivate that particular card.
Have I misunderstood the ShieldPass/PassWindow service, Matt?
With two-factor authentication, if my password is compromised, the attacker still cannot get into the site without my smartphone or hardware token. If someone steals my phone, they still need to know my password to access the site. So I am better protected using two-factor authentication.