As coronavirus spreads, so does hacking. Beef up the security of your website with multi-factor authentication. With any major crisis comes the risk that hackers will take advantage of business owners and their employees. One critical asset that pretty much every business must safeguard is its website. Whether it is a weak password or a faulty plugin, there are a lot of ways in which a hacker can make their way into your website and wreak havoc on your business.
While it’s clear that we all need to stay on high alert for suspicious-looking coronavirus scam emails, today we’re going to focus on website security and how to add an important layer of authentication to keep it protected. This extra layer is called Multi-Factor Authentication (MFA).
What is MFA?
MFA is a form of user authentication that requires multiple credentials to verify identity. Rather than simply asking you for your username and password, which can easily be compromised or guessed by hackers, MFA requires a second form of authentication. The most common second factor is a time-sensitive security code that is sent to you via email, text message, or phone call, or that is generated by an app on your phone. All websites should be configured with MFA. While the technology sounds complex, implementation is not. If your website is built on WordPress, there are dozens of plugins available, free and paid, that can handle this for you.
How can I add MFA to my WordPress site?
Today I’m going to show you how to add MFA to your WordPress website. I’ll be using a free plugin called Google Authenticator – WordPress Two Factor Authentication (2FA) by miniOrange. This plugin is completely free and provides several different ways to configure MFA. In our example, we’ll be using the Google Authenticator app for iOS and Android, one of the most popular MFA apps on the market.
Step 1: Downloading, installing, and setting up the plugin
Log into your WordPress backend. For example, I’ll be installing MFA on our Onsharp website, so the URL will be https://www.onsharp.com/wp-admin. Sign in using your existing user credentials. Once we are done, this login process will also require your MFA code each time you sign in.
Step 2: Install the MFA plugin
Now that you are signed into the WordPress backend, go to Plugins > Add New on the left-hand menu. Type “2FA” in the search box and hit the Enter key. The free MFA plugin by miniOrange will come up in the search results. Click on the Install button to install the plugin. Once the installation is complete, that button will change to say Activate. Click Activate to activate the plugin.
You will notice that the left-hand menu now contains an item named miniOrange 2-Factor. Click on that menu item to enter the configuration section for the plugin.
A dialog window will display asking you if you want to use 2-Factor + Website Security or Just 2-Factor Authentication. For now we are only going to use their MFA functionality, so we will pick Just 2-Factor Authentication and then click Continue.
While there are several different authentication methods you can use, we are going to use Google Authenticator. It is super easy to use and has apps for both iOS and Android devices. Click Configure for Google Authenticator.
You will be required to create a free account with miniOrange. Simply enter your email address and a password and click the Create Account button. If you already have an account, click the Already have an account? link and log in with your credentials.
This is where we get to the meat of the process. Below is a screenshot of all the steps, but I will walk you through each one with screenshots along the way.
Step 1 is to install the Authenticator App on your phone. Pull out your phone, go to the applicable app store, and search for Google Authenticator and install the app.
Step 2 is to choose an account name. You can use the Google Authenticator app to provide MFA functionality on an unlimited number of systems, so choose a name that will properly identify this website for you in the Google Authenticator app. In this example, I called it website. Once you change the account name, you must click the Save App Name button and wait for the page to refresh.
Step 3 is to add this website to your Google Authenticator app. You do this by clicking the plus sign in the top right corner of the app on your phone.
When you do this, an option will display at the bottom of your phone asking you if you want to Scan barcode or Manual entry. Select Scan barcode.
This will bring up your camera and will allow you to scan the QR code on the screen. Hold your camera up to the QR code on the screen and scan it. Once the QR code scans it will automatically add the entry to your Google Authenticator app. It will look something like this:
Now that you have everything set up, you need to verify it’s working correctly and then save these settings. Enter the current code from the authenticator app and click Verify and Save.
See it in action
Now it’s time to test it out in the wild. Log out of WordPress, which will take you back to the login page. Log in with your username and password and you’ll notice there is now a second step which asks you to enter your MFA code. Similar to what we did above when we clicked Verify and Save, enter the current code from the authenticator app and click Validate. As long as you entered the code correctly and it did not time out, you will be logged into the WordPress backend. You’re done!
Need More Website Security Tips?
Start with our free Triple Threat Website Scanner and get tips on improving your site’s speed, security, and SEO.