A website’s login page is like the door to your house: you don’t think it will actually be cracked, so you go with the average protection. That is, until one day you regret your decision. You can add more locks on your doors, and you can also add more verification layers to your authentication, hence two factor authentication, or 2FA.
WordPress is the most popular publishing platform, being used by bloggers, small and large businesses alike. Its popularity is partially given by its flexibility, allowing the use of third-party plugins and themes which provide infinite website possibilities. All is great up to this point, but this enormous flexibility also brings along huge vulnerabilities.
As I was mentioning the login page, that is the first gate to hacking a website. The traditional way of doing it is through passwords, but they have proven to be extremely weak and defenceless in the face of brute-force attacks, keylogging and phishing.
Password reuse is an “internal” vulnerability, as users tend to recycle passwords and use them for more than one online account (if you’re curious to see if your password was hacked, you can check haveibeenpwned.com).
Taking all these vulnerabilities into account, passwords are no longer recommended for safeguarding accounts and data, being replaced by two factor authentication (2FA) or multi-factor authentication (MFA).
These authentication mechanisms add a second or more layers of security, requiring the person attempting to login to confirm his identity with more than just a simple password.
Two factor authentication adoption by the general public is relatively slow, mostly caused by the perception that it takes more time and is difficult to use. This is why a smooth user experience is so important in eliminating reluctance to new technologies, and helping users see the global advantage of a more secure authentication mechanism.
Two factor authentication for WordPress
With user convenience in mind, the guys at UNLOQ have created an updated, more user-friendly version of their WordPress plugin.
Version 2.x of the two factor authentication plugin version brings new security features, along with full login page customisation options, in a natural user experience.
The greatest advantages that the plugin brings are:
- Fast and easy to install.
- Flexibility in setting an authentication mechanism, as login can be performed exclusively through their widget, use it as a second factor, or if it is the case, using passwords.
- The ability to disable the default WordPress login URL altogether, or use 2 different login paths: one using the plugin, and the other one using the WP classical login page using username & password.
- Full login page customisation, allowing you to set your brand’s colours and images and making other page customisation plugins obsolete.
How to add the UNLOQ 2FA plugin to WordPress
The version 2.x of the two factor authentication plugin is a major upgrade from the previous one, 1.x, allowing anybody to install and set it up in under 1 minute. In addition to this, everything is done from within the plugin, without requiring users to leave the WordPress dashboard to create an account and configure it.
Installing and setting up the plugin
Installation requires you to be the admin of that WP website, and be logged in as such. After searching for the plugin in the database, installing and activating it, you will be asked to insert your e-mail address. Keep in mind that you need to insert your admin e-mail address in order for the installation to be successful.
After inserting your admin e-mail address, you’ll receive an activation code via e-mail, which you will need to c/p at the next step.
That’s pretty much it. Installation is extremely simple for this plugin.
Here’s a video with the installation process:
To set up the two factor authentication (2FA) flow, you need to go to the Settings tab. You can also set custom messages for the push notification and login request:
A cool feature is that you can disable the default WordPress authentication URL (wp-admin), as it is insecure and doesn’t do anyone a favour. I’ll just keep the UNLOQ login URL (which can also be customised).
I’m going with 2fa all the way and just leave the plugin to handle the whole login mechanism. I have selected all the 3 options that the plugin has: push notifications, TOTP and email:
In the customise tab of the plugin, you can change the colours for the login widget, push notification buttons as well as the application colours. Also, you can upload custom logos and background images that will be displayed on the login page and in the mobile app:
I tested to see how it works with a custom background, so this is how it would look like:
Logging in with two factor authentication
In order to use the 2FA plugin you need to download the authentication mobile app, which you can protect with a PIN, PIN or Fingerprint or PIN and Fingerprint. Basically, before you can approve or deny a login request, you need to “login” in the app first:
For my site I have chosen to login with push notifications, so to login I need to Confirm the request I get on my phone:
It is not very often when a security plugin for WordPress makes users’ experience easier, and the this 2fa plugin has achieved that through all its security, customisation and usability features. This plugin combines into one, features that otherwise would require the installation of at least 3 different plugins. It is definitely worth testing by anyone looking to secure their or their client’s WP site.
The plugin is a keeper, and the team at UNLOQ have done a good job in upgrading their WordPress plugin. There’s also a detailed documentation of the plugin available here.