WordPress Site Security: What Can You Do About It?

WordPress Site Two-Factor Authentication
Want WordPress Site Security? Enable Two-Factor Authentication on WordPress Site?

How you are protecting your website from Hackers ? Security issues using WordPress!! Headache?? Don’t be nervous, here’s easy two-factor authentication to make your WordPress Website Safe & Secure.

More and more sites are using two-factor or multi-factor authentication to ramp up security. I mean, Google wants my cell phone number to confirm my identity before I can log into Gmail. And it’s a good idea. I mean, do you see how often hacking stories hit the mainstream news? Security (or the lack thereof) is a real problem and while you may not be able to prevent a big security breach like the one that happened at The Home Depot recently, you can do your part as an individual to protect your information and your site.

What is Two Factor Authentication?

As its name suggests, two factor authentication is a process that requires two sets of authentication before you’re logged into a site. Many big name sites currently make use of it in one way or another. I already mentioned Google, but sites like Twitter, Facebook, and Amazon use it, too.

What is  WordPress Two-Factor Authentication?

Passwords are the de-facto standard for logging in on the web, but they’re relatively easy to break. Even if you make good passwords and change them regularly, they need to be stored wherever you’re logging in, and a server breach can leak them. There are three ways to identify a person, things they are, things they have, and things they know.

Logging in with a password is single-step authentication. It relies only on something you know. Two-step authentication, by definition, is a system where you use two of the three possible factors to prove your identity, instead of just one. In practice, however, current two-step implementations still rely on a password you know, but use your Phone or another device to authenticate with something you have.

A WordPress user can increase their website’s security by installing a plugin, which gives them the two-factor authentication feature. There are several plugins widely available and can be found in the plugin tab on the WordPress Dashboard. On installing a plugin, a user needs to activate it and follow the instructions that are prompted. It’s an easy procedure offering a better chance at security.

However, there are several other kinds of two factor authentication on the market. For instance, you might be required to input a specific personal identification number (PIN) along with the username and password. Or you might need to confirm a specific visual pattern before being granted access. Many banks use this form of authentication.

A fob is another popular choice for confirming identity before sign-ons. The fob (that you can easily attach to your keychain) displays a random series of numbers that you are then required to input into a text field on the site before you’re allowed to login.

While two factor authentication might feel like a new thing, rest assured it’s not. When you pay with a credit card, you often have to show your ID to the person behind the checkout counter. Or you have to input your zip code. Or if shopping online, you need to input the security code from the back of your card. So you see, it’s nothing new. But the application to website logins is sort of a new thing and that’s why more and more people have started asking about it.

Why Do You Need Two-Factor Authentication?

As I mentioned in my opening paragraphs, two factor authentication adds another layer of security in a world where hacking has become commonplace. In short, you need it because you need to protect your personal information and your site from malicious people out there. And they are out there.

Brute force attacks occur constantly and unless you have your site secured properly, odds are good that a hacker will one day break through your defenses and steal your info, upload malware, or perform a whole host of other malicious acts.

Two factor authentication makes hacking your site harder. And unless you’re running a high-profile site, most hackers and bots are going to give up after a time when they can’t break in right away.

You want an even shorter answer, Right?

Anything you can do to make hacking your site harder is worth doing.

A lot of people are reluctant to jump on the two factor bandwagon, however. Because in the process of improving site security, it makes the login process more complicated and more time-consuming. Arguably, it doesn’t take that much longer but there is a definite time factor involved here. You can always opt for the “stay logged in” option to reduce the number of times you have to go through the double authentication process in a given week, too, if it’s a major concern for you.

How To Enable Two-Factor Authentication on WordPress Site?

You have several options for plugins that make setting up two factor authentication a snap. You can use DuoClefWordfenceOpenIDAuthyGoogle Authenticator & Many More. In this article we're going to tell you about Google Authenticator for your WordPress Site.

WordPress Two-Factor Authentication with Google Authenticator

To set up two step authentication via an authenticator application on your device, you’ll need to start in a desktop browser.

First, go to your Two-Step Authentication settings page at WordPress.com. Or, you can reach Settings by clicking on your Gravatar image from the WordPress.com home page:

Next, click the “Security” link in the navigation on the left-hand side of the screen:

Then, click on Two-Step Authentication and then Get Started.

Here you’ll be prompted to select your country and to provide your mobile phone number (without country code and spaces or dashes). After doing so, click Verify Via App.

Next, scan the QR code presented with your authenticator app. A six-digit number will appear in the authenticator app. Enter it in the blank provided and click Enable.

Lastly, you’ll be prompted to print backup codes. Don’t skip this step, as it’ll be your only way to log back into your account without staff assistance should your device go missing!

If your web browser is set to block pop-up windows, you may need to temporarily disable this feature as it will prevent the window with your backup codes from opening.

Click All Finished.

At this point, your site is enabled for two-step authentication. A follow-up step allows you to confirm that your backup codes work by entering one of the printed codes.

Setup with SMS Codes

If you’re unable to set up two step authentication using an authenticator app, you can also set it up to work via SMS messages. To do so, set up your phone number as described above, but then click Verify via SMS.

Within a few moments, you should receive a text message that includes a 7-digit number. Enter this number in the blank provided and click Enable. From this point forward, you can print and verify backup codes as documented above. Your account is now protected by two step authentication.

Logging In

The login process varies slightly from the usual process once you have two step authentication enabled. Regardless of whether you used the Google Authenticator method or the SMS method to enable two step authentication, you’ll start by logging in as usual with your username and password.

Next, you’ll be prompted to enter the verification code that was sent to your device.

If you’re using SMS for two step authentication, we’ll send you a text message with a six-digit number. If you set up two step authentication with the Google Authenticator app, open the Google Authenticator app on your device and provide the six-digit number listed for the account. Once you’ve entered the code, you’ll be logged in and ready to blog.

Backup Codes
We don’t want you to lose access to your WordPress.com account—you’ll still need to be able to log in if it’s is lost, stolen, you’re locked out for any reason, or your device needs to be wiped clean (which will delete Google Authenticator). To make sure you’re never locked out of your blog, you can generate a set of ten, one-time-use backup codes. We recommend that you print the backup codes out and keep them in a secure place like a wallet or document safe. (Don’t save them on your computer. They’d be accessible to anyone using your machine.) Generating backup codes is essential and must be done. If you ever need to use a backup code, just log in like you normally would, and when asked about the login code enter the backup code instead.

At the end of the setup process for Two Step Authorization, you’ll be given the option to generate backup codes:

Just click “Generate Backup Codes,” print the screen containing the codes—don’t save it—and then close the screen. If you lose your list of backups or it’s compromised, you can generate a new set of codes. For added security, this will disable any previously-generated codes.

Important: You can only generate the backup codes from a desktop browser. For example, Safari on iOS will not display the backup codes. Additionally, if your web browser is set to block pop-up windows, you will need to temporarily disable this feature as it will prevent the window with your backup codes from opening.

Application-Specific Passwords

There may be some apps that connect to your WordPress.com account that don’t yet fully support Two Step Authentication; the most common are the WordPress mobile apps or Jabber apps used to subscribe to WordPress.com blogs. For these apps, you can generate unique passwords for each application (e.g., you can have a different password on your phone and your tablet). You can then disable individual passwords and lock applications out of your account to prevent others from accessing your sites.

To generate application-specific passwords, head back to Two-Step Authentication and then down to “Application Passwords”:

Give the application a name—you’re the only one who will see this name, so call it whatever you’d like—and click “Generate Password.” WordPress.com will create a unique 16-character password that you can copy and paste the next time you log in to your account on that device. The application will remember this password, so you don’t need to.

Your Security page will maintain a list of all the applications for which you’ve generated passwords. If any of your devices are lost or stolen, or you simply wish to revoke access for a particular application, you can visit this page at any time and click “X” to disable the password and prevent the app from accessing your account:

Disabling Two Step Authentication

We don’t recommend disabling Two Step Authentication, as it’s much less secure, even if you believe your password is very strong. But if you insist, you can disable the feature by going to your Two-Step Authentication page.

The page will show that the feature is enabled, and you can click the Disable Two-Step Authentication button. This will prompt you to enter a code to confirm that you still have access to the device you originally used to set two step authentication up. If you’re using an authenticator app, open it and provide the code it lists. If you’re using SMS, you’ll be sent a code to use. (This code is different from the code you used to log in to your account. You can also use one of your backup codes for this step.)

Click Disable after entering the code and your account will no longer be protected by Two Step Authentication.

Moving to a New Device

If you are planning on switching to a new device, and you have enabled Two Step Authentication, you will want to take the following steps to avoid being accidentally locked out of your user account.

If you are using an authenticator app to generate verification codes:


  1. Print a set of backup codes for your user account by following the steps here. DO NOT SKIP THIS STEP.
  2. On your new device, install the authenticator app.
  3. Disable the Two Step Authentication link with your old device by following the steps here.
  4. Set up your user account to link to your new device by following the steps here.
  5. If you are prompted to enter your verification code, use a code from your list of backup codes. Backup codes are one-time use only.
  6. You can now uninstall the authenticator app from your old device.



If you are using the WordPress.com mobile app to manage and publish to your blog:


  • Create a new application-specific password by following the steps here.
  • Enter your new application password when using this app on your new device.


If you are using SMS to receive authentication codes, you will not need to update your settings unless you are also changing to a new phone number. In that case, you will want to set up a new recovery number prior to disconnecting your old SMS number by following the steps here.

If You Lose Your Device

If you lose your device, accidentally remove the authenticator app, or are otherwise locked out of your account, the only way to get back in to your account is by using a Backup Code.

To use a backup code, fill in your login details like you normally would. When asked about the login code enter the backup code instead. Remember: backup codes are only valid for one time each so be careful when using them.


EmoticonEmoticon