“Two-factor authentication” (2FA) is an additional login security feature which is used by banks, government agencies, and militaries worldwide. It is one of the most secure forms of remote system authentication. It is a method of confirming users’ claimed identities by using a combination of two different factors from the following: 1. something they know, 2. something they possess, or 3. something they are.
Everyday Example
An everyday example is the withdrawing of money from an ATM; only the correct combination of a bank card (something the user possesses) and a PIN (something the user knows) allows the transaction to be carried out.
Online Experience
Online, you may have experienced 2FA with banking, HMRC or some social media platforms. My bank has used a small dedicated digital Pocket Token for many years; others use a card reader.
2FA Within WordPress
We can now use 2FA within the WordPress ecosystem. You need to install a free authenticator app, such as Microsoft Authenticator, Google Authenticator or another one that takes your fancy, and have a suitable plugin active in your WordPress backend. Visit the security page in your WordPress backend and add a new entry to the app by scanning the QR code.
Logging In
When you next log in to the website, the security will ask for the six-digit number displayed on your app. Beware: this only lasts for 30 seconds before it changes. Also make sure you select the correct website if you have more than one website registered in the app. On success you will gain entry to the website. When you set up the security you also have the option of saving recovery codes (16 letters and numbers instead of only 6 numbers). These can be used only once and come in useful if you have lost access to the app.
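The server-side check behind the login step above, as an added example rather than code from this site or any WordPress plugin. It assumes the plugin uses standard TOTP (RFC 6238), which is what these authenticator apps generate; `SecondFactor`, its methods and `DEMO_SECRET` are hypothetical names.

```python
import base64, hashlib, hmac, struct

STEP, DIGITS = 30, 6  # 30-second window and six digits, as described above
# Constructed sample secret: the published RFC 6238 test key, base32-encoded
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32: str, at: float) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for the 30-second step containing `at`."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def digest_of(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()

class SecondFactor:
    """Hypothetical per-user verifier state; not a WordPress or plugin API."""

    def __init__(self, secret_b32, recovery_codes):
        self.secret = secret_b32
        self.recovery = {digest_of(c) for c in recovery_codes}  # hashes only
        self.last_step = -1  # newest time step already accepted

    def verify_code(self, code: str, now: float, drift: int = 1) -> bool:
        """Accept the code for the current step, or `drift` steps either side."""
        current = int(now) // STEP
        for step in range(max(0, current - drift), current + drift + 1):
            expected = totp(self.secret, step * STEP).encode()
            if step > self.last_step and hmac.compare_digest(expected, code.encode()):
                self.last_step = step  # the same code cannot be replayed
                return True
        return False

    def use_recovery(self, code: str) -> bool:
        """Recovery codes work exactly once: remove on first successful use."""
        digest = digest_of(code)
        if digest in self.recovery:
            self.recovery.remove(digest)
            return True
        return False
```

The `drift` allowance tolerates a phone clock that is slightly off, and `last_step` stops a code that was observed during one login from being reused inside the same window.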
Improved Security
I also see this as a way of stopping the sharing of login details, which alone improves security.
All Role Levels
Two-factor authentication is now available for WordPress websites for logging in at all role levels from Admin to Subscriber and custom roles. As part of our dedication to client security, routeToWeb now offers this to all clients who use our Priority Maintenance plans from level 2 and above.
Help Your WordPress Security
Help improve your WordPress site’s security and stability and have peace of mind by subscribing to one of our monthly priority maintenance plans.
A website backup is not a backup if it’s on the same server as your website
I often see website backups made only to the same server where the site is hosted.
What happens if the server goes down? Yes, you’ve guessed it, no backup.
Make sure your backup is hosted securely elsewhere.