Beef Up Your Website Security with Multi-factor Authentication

As coronavirus spreads, so does hacking. Beef up the security of your website with multi-factor authentication. With any major crisis comes the risk that hackers will take advantage of business owners and their employees. One critical asset that pretty much every business must safeguard is its website. Whether it be a weak password or faulty plugins, there are a lot of ways in which a hacker can make their way into your website and wreak havoc on your business.

While it’s clear that we all need to stay on high alert for suspicious looking coronavirus scam emails, today we’re going to focus on website security and how to add an important layer of authentication to keep it protected. This extra layer is called Multi-Factor Authentication (MFA).

What is MFA?

MFA is a form of user authentication that requires multiple credentials to verify identity. Rather than simply asking you for your username and password, which can easily be compromised or guessed by hackers, MFA requires a second form of authentication. The most common form of authentication is a time-sensitive security code that is sent to you via email, text, or phone, or which is made available by using an app on your phone. All websites should be configured with MFA. While the technology sounds complex, implementation is not. If your website is built on WordPress, there are dozens of plugins available, free and paid, that can handle this for you.

How can I add MFA to my WordPress site?

Today I’m going to show you how to add MFA to your WordPress website. I’ll be using a free plugin called Google Authenticator – WordPress Two Factor Authentication (2FA) by miniOrange. This plugin is completely free and provides several different ways to configure MFA. In our example, we’ll be using the Google Authenticator app for iOS and Android, one of the most popular MFA apps on the market.

Step 1: Downloading, installing, and setting up the plugin

Log into your WordPress backend. For example, I’ll be installing MFA on our Onsharp website, so the URL will be https://www.onsharp.com/wp-admin. Sign in using your existing user credentials. Once we are done, this login process will also require your MFA code each time you sign in. 

WordPress login box example image

Step 2: Install the MFA plugin

Now that you are signed into the WordPress backend, go to Plugins > Add New on the left-hand menu. Type “2FA” in the search box and hit the Enter key. The free MFA plugin by miniOrange will come up in the search results. Click on the Install button to install the plugin. Once the installation is complete, that button will change to say Activate. Click Activate to activate the plugin.

2fa WordPress plugin search results with "Google Authenticator - WordPress Two Factor Authentication (2FA) plugin by miniOrange" highlighted with an overlaid arrow and text that says "install and activate"

 

You will notice that the left-hand menu now contains an item named miniOrange 2-Factor. Click on that menu item to enter the configuration section for the plugin.

small black square image with miniOrange logo and text that reads "miniOrange 2-Factor"

A dialogue window will display asking you if you want to use 2-Factor + Website Security or Just 2-Factor Authentication. For now we are only going to use their MFA functionality, so we will pick Just 2-Factor Authentication and then click Continue.

Dialogue window asking "What are you looking for?" with a teal box highlighting "2-Factor + Website Security" and white, unselected box with "Just 2-Factor Authentication"

While there are several different authentication methods you can use, we are going to use Google Authenticator. It is super easy to use and has apps for both iOS and Android devices. Click Configure for Google Authenticator.

Authentication methods with the "Google Authenticator" option highlighted with an arrow pointing to "configure"

You will be required to create a free account with miniOrange. Simply enter your email address and a password and click the Create Account button. If you already have an account, click the Already have an account? link and log in with your credentials.

Image example of the miniOrange registration form

This is where we get to the meat of the process. Below is a screenshot of all the steps, but I will walk you through each one with screenshots along the way.

Authenticator App setup steps with arrows and text boxes highlighting the steps to "Download the app", "Choose a name", "Scan the QR code", and "Verify it works"

Step 1 is to install the Authenticator App on your phone. Pull out your phone, go to the applicable app store, and search for Google Authenticator and install the app.

Step 2 is to choose an account name. You can use the Google Authenticator app to provide MFA functionality on an unlimited number of systems, so choose a name that will properly identify this website for you in the Google Authenticator app. In this example, I called it website. Once you change the account name, you must click the Save App Name button and wait for the page to refresh.

Step 3 is to add this website to your Google Authenticator app. You do this by clicking the plus sign in the top right corner of the app on your phone.

Top portion of a Google Authenticator app screenshot with an arrow pointing to a plus sign

When you do this, an option will display at the bottom of your phone asking you if you want to Scan barcode or Manual entry. Select Scan barcode.

Bottom portion of a Google Authenticator app screen shot with an arrow pointing to "Scan barcode"

This will bring up your camera and will allow you to scan the QR code on the screen. Hold your camera up to the QR code on the screen and scan it. Once the QR code scans it will automatically add the entry to your Google Authenticator app. It will look something like this:

Google Authenticator security code example

You will notice that the name of the app is a the top, the MFA code is in big blue letters, and your email address is below that. Slight correction, I named mine “onsharp” and not “website” in case you’re wondering why mine does not say “website.” The little pie shaped symbol to the right is an indicator letting you know how much time you have left to enter that code before it changes. The Google Authenticator app changes the code every 30 seconds, ensuring that anyone who would get access to the code would only have a short amount of time to use it for authentication.

Now that you have everything set up, you need to verify it’s working correctly and then save these settings. Enter the current code from the authenticator app and click Verify and Save.

"Step-2: Verify and Safe" code submission box with arrows pointing to the entered security code and a "Verify and Save" button

See it in action

Now it’s time to test it out in the wild. Log out of WordPress, which will take you back to the login page. Log in with your username and password and now you’ll notice there is a 2nd step which asks you to enter your MFA code. Similar to what we did above when we clicked Verify and Save, enter the current code form the authenticator app and click Validate. As long as you entered the code correctly and it did not time out, you will be logged into the WordPress backend. You’re done!

"Validate OTP" box with instructions to "Please enter the one time passcode shown in the Authenticator app" and a "Validate" button

As you can see, setting up MFA on your WordPress site is very easy and it makes your site much more secure than using. 2-factor authentication is quickly becoming the norm across all cloud-based websites and applications. Don’t fall behind the curve and leave your website vulnerable to hackers.

Need More Website Security Tips?

Start with our free Triple Threat Website Scanner and get tips on improving your site’s speed, security, and SEO.

Tags :

Facebook
Twitter
LinkedIn

We're Here to Help

Search Our Resources

Recent Posts