Security Blog
Posted By Gregory

Best WordPress Plugins for Two-Factor Authentication

Do you want to add another layer of security to your website and administrator accounts? A two-factor authentication mechanism lets you use a mobile phone to verify your identity before you get into your WordPress site.


Google Authenticator

Duo Two-Factor Authentication

miniOrange

Clockwork SMS

Rublon

Authy

OpenID

Clef

Remembering your logins and passwords for every website can be tough. Even if you store all your passwords in a password manager, you won’t be able to secure them completely. For instance, a password can be stolen when you log in over unsecured connections, such as public Wi-Fi networks.

If you have had a bad experience with this, you understand the need for a reliable way to secure your logins and passwords for different accounts. This includes almost everything: you don’t want your email, social media, websites, and especially banking accounts to get hacked. A compromise can destroy your online reputation and leave you facing huge problems.

In the same way, if you run multiple websites and work online all the time, you need something that keeps access to them under control. If you manage a WordPress site for yourself or a client, you have to secure it properly against hackers and other potential threats. So it’s reasonable to add a second layer of protection for your admin accounts.

A two-factor authentication mechanism protects your WordPress account by means of a special authentication plugin. You use your mobile phone to get into the WordPress admin panel, and even if your login and password are out in the open, no one will be able to break into your website. Let’s take a closer look at the best free and paid two-factor authentication WordPress plugins that can be used as alternatives to Clef.

Google Authenticator plugin

There is no doubt that Google Authenticator is one of the most popular two-factor authentication plugins available today. Don’t be confused, though: Google Authenticator is actually the name of a mobile application, and the plugin was named after it.

If you own a smartphone, the plugin will allow you to secure your WordPress website in the most convenient way possible. You can secure your website using the Google Authenticator mobile app for Android, iPhone, and BlackBerry.

The two-factor authentication requirement can be enabled on a per-user basis. You could enable it for your administrator account, but log in as usual with less privileged accounts.

Plugin link: https://wordpress.org/plugins/google-authenticator/

  • Pros: Free plugin and free mobile application
  • Cons: You have to use an Internet-connected smartphone and install a mobile application; you have to configure the plugin manually for each user; lack of support

Google Authenticator for your WordPress blog must be configured per user on the user profile page

How to use the Google Authenticator plugin

If you are ready to use Google Authenticator on your WordPress website, install and activate the plugin. You will find the plugin’s settings under Users, then Your Profile. There you will find an option to set a secret key or a QR code. After setting up the key or code, download the free Google Authenticator app on your phone and enter the key or scan the QR code. This links the app to your website.

Once this is set up, whenever you log in you will have to open the app and enter the code it provides within the allotted time. This way, you will be able to secure your website in the best way possible.
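The secret key, QR code and time-limited code described above can be sketched as follows. This is an added example, not the plugin's own code: it assumes the standard TOTP parameters the Google Authenticator app uses (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits), and the function names, account label, drift window and replay check are hypothetical choices for illustration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP, DIGITS = 30, 6  # standard TOTP parameters (assumed, see lead-in)

def provisioning_uri(secret_b32, account, issuer):
    """otpauth:// URI that a setup QR code encodes (account/issuer are hypothetical)."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"

def totp(secret_b32, at):
    """RFC 6238 code for Unix time `at`, using HMAC-SHA1."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32, submitted, now, window=1, last_used=None):
    """Return the matching time-step counter, or None.

    Accepts +/- `window` steps of clock drift and rejects a code whose
    counter is not newer than `last_used` (replay of an already used code).
    """
    current = int(now) // STEP
    for counter in range(max(0, current - window), current + window + 1):
        expected = totp(secret_b32, counter * STEP)
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            if last_used is not None and counter <= last_used:
                return None
            return counter
    return None

# Constructed secret: the RFC 6238 test key "12345678901234567890" in base32.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

A server that stores the returned counter per user and passes it back as `last_used` on the next login prevents a captured code from being reused inside its validity window.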

Duo Two-Factor Authentication plugin

Duo Two-Factor Authentication is another great plugin that you should check out. It adds an extra verification layer to your WordPress site in multiple ways. You can use your smartphone to keep your website secured, and you will be the only one accessing your website using this powerful tool. All you have to do is install the Duo plugin and sign up for a free account on the Duo website: https://duo.com. The optional Duo mobile application works on Apple iOS, Google Android, BlackBerry, Palm, Windows Phone 7, Windows Mobile 8.1 and 10, and J2ME/Symbian.

The Duo service offers multiple ways for two-factor authentication on your WordPress:

  1. One-tap authentication using Duo’s mobile app (our fastest, easiest way to authenticate)
  2. One-time passcodes generated by Duo’s mobile app (works even with no cell coverage)
  3. One-time passcodes delivered to any SMS-enabled phone (works even with no cell coverage)
  4. Phone callback to any phone (mobile or landline!)
  5. One-time passcodes generated by an OATH-compliant hardware token (if you’re feeling all old school)

Plugin link: https://wordpress.org/plugins/duo-wordpress/

  • Pros: You can enable two-factor authentication for specific roles. Optional SMS messages for delivering verification codes. Free plugin, free mobile application.
  • Cons: Paid solution if you use the plugin for more than 10 users on your websites.

Duo Two-Factor Authentication plugin settings

How to use the Duo Two-Factor Authentication plugin

First, install and activate the plugin. You will also have to download the mobile app, available here: https://duo.com/product/trusted-users/two-factor-authentication/duo-mobile. Then create an account on the Duo Security website so you can receive security keys. When you log in to your website, you will be directed to another page, which asks you to choose an authentication method. The options are the mobile app, one-time passcodes generated in the app, a phone callback to any number, one-time passcodes via SMS, and one-time passcodes generated by an OATH-compliant hardware token. It is the best way to secure your website from all the potential threats. After selecting the desired method of authentication, you will be able to get into your website.

miniOrange – two-factor authentication plugin

With the miniOrange Two-factor Authentication plugin, you can set up security for your website without any trouble. It is simple to set up, and it supports authentication through Google Authenticator.

Plugin link: https://wordpress.org/plugins/miniorange-2-factor-authentication/

  • Pros: Free plugin, multiple authentication methods, three mobile applications: Authy, Google Authenticator, miniOrange Authenticator
  • Cons: Requires registration on miniOrange website, free version is available only for one user, lack of support for free version

Google Authenticator – Two Factor Authentication by miniOrange

How to use the plugin

It is easy to set up, and it authenticates users through SMS, push messages, device ID or a QR code. First, install and activate the plugin. After that, you will need to sign up and verify your email. You will find multiple authentication methods to choose from. You can use the QR authentication method and scan the QR code with the miniOrange Authenticator app. It will provide you the best solution to secure your website in an easy way.

Two-Factor Authentication – Clockwork SMS plugin

Another easy-to-use tool for securing your website is Clockwork SMS. If you don’t have a smartphone and still want to secure your website in the best way possible, this plugin makes it possible. It offers two-factor authentication using SMS, so you can use any mobile phone.

Plugin link: https://wordpress.org/plugins/clockwork-two-factor-authentication/

  • Pros: Doesn’t require a smartphone, works without the Internet by using SMS messages to deliver verification codes.
  • Cons: Paid solution, the plugin is outdated (hasn’t been updated in over 2 years)

How to use the plugin

It is simple and easy to use. Install the plugin and activate it, then get an API key from the Clockwork site. Once that is set up, you can use it to secure your WordPress site, and you don’t need a smartphone. However, you will have to pay to have a message delivered to your phone every time you log in. It can be the best choice for those who don’t have a smartphone, but it will cost some money.

Rublon plugin

Rublon is also one of the best two-factor authentication WordPress plugins. It has its own dashboard, which gives you multiple options for configuring it. However, you can only protect one user per account.

Plugin link: https://wordpress.org/plugins/rublon/

  • Pros: Free plugin and free mobile application, user-friendly interface
  • Cons: Free for just one user on a website, no support for SMS verification

Rublon two-factor authentication plugin for WordPress

How to use the plugin

Setting up this plugin is also easy. First, register on the official site of the plugin and download the app, which can scan a barcode. After that, install and activate the plugin on your website. You will find an option to set the device you would like to use for authentication. Once the device is set, you can log in to your website by scanning with your phone.

However, if you are looking to set up two-factor authentication for multiple users, then you will have to go premium with this plugin.

Authy plugin

Authy is another great plugin that you can use to secure your website with two-factor authentication. It is easy to set up. Let’s have a look at the process of setting it up on your WordPress website.

Plugin link: https://wordpress.org/plugins/authy-two-factor-authentication/

  • Pros: Easy to install, user-friendly interface, optional SMS based verification
  • Cons: Paid solution; only 100 authentications per month are free; lack of support for the free version; to activate the service, each user needs to submit their mobile phone number on the Authy website.

Authy two-factor authentication plugin has a user friendly interface

How to use the Authy plugin

If you have selected Authy as your two-factor authentication tool, install the plugin and activate it on your WordPress site. Then install the Authy app on your smartphone and sign up for an Authy account. After that, enter the API key from your account, then check the settings and choose the roles that authentication applies to.

Next, add the phone numbers of the users you want to enable authentication for. Authy will send a code or token to your phone when you attempt to log in to your website. Enter that token to log in successfully.

OpenID plugin

OpenID is an easy way to secure your website. You will be able to log in to your website with an OpenID, which means that if you use services like Google+, Yahoo, Flickr, or WordPress.com, you will be able to use this plugin.

Plugin link: https://wordpress.org/plugins/openid/

  • Pros: No mobile application needed
  • Cons: You need an account with an OpenID provider such as Google+, Yahoo, Flickr, or WordPress.com

The OpenID plugin allows users to authenticate to websites without using passwords

How to use the plugin

Using OpenID is simple. Install and activate the plugin, then go to Users. You will see an option named ‘Your OpenIDs’; open its settings. In that section you can add your OpenID accounts, which lets you use your social accounts with your website.

However, there is an issue with this plugin. Even if you have set up your IDs with your WordPress site, you will still be able to log in to your site with a username and password. So, if you are looking for a high level of security, it won’t be a good fit.

What’s happened to Clef anyway?

Clef was without doubt one of the best options among two-factor authentication WordPress plugins. However, there is bad news for everyone currently using the Clef plugin: it will stop working on June 6, 2017. Moreover, the plugin is no longer available to download and no updates will be released. So, Clef is gone forever. The company is winding up its Clef product, but there are a few other two-factor authentication plugins for WordPress that you can use instead.

What’s the best alternative to Clef?

If you are looking for the best two-factor authentication plugins, you can always check out Google Authenticator or Authy, mentioned above. These are fine choices if you are currently using the Clef plugin. If you have not used any of these plugins before, then you can use Two-factor, Google Authenticator, and Authy. You can also use Rublon and OpenID, but they have a few disadvantages. You can always try the free versions to see how they work for you. Select the one that secures your website and gives you the safest way to log in.

What are the drawbacks of using two-factor authentication plugins?

Although some of the reviewed plugins will increase your peace of mind, check all the following points before you decide to use two-factor authentication for your WordPress site:

  1. The main disadvantage is the need for a mobile application installed on a smartphone, plus an Internet connection, if you decide to use a free plugin like Google Authenticator.
  2. The easiest way, without a mobile application and an Internet-connected smartphone, costs money: you pay for the outgoing SMS messages delivered to mobile phones.
  3. All the users of your website have to give you their mobile phone numbers to get verification codes.
  4. If you lose the phone, you are unable to log in.
  5. None of the mentioned plugins is a security plugin, and none protects a website from brute-forcing of user passwords via the XML-RPC interface, which is enabled in WordPress by default. So, you still need brute-force protection such as the WP Cerber plugin provides.
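To check whether the XML-RPC interface mentioned in the last point is being hammered on your own site, you can look for bursts of POST requests to xmlrpc.php in the web server access log. The sketch below is an added example, not part of any plugin reviewed here; it assumes the common combined log format, chronological log order, and an illustrative threshold of 5 requests per 60 seconds, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# client IP, timestamp, method, path, status from a combined-format log line
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def xmlrpc_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak count} for clients that sent at least `threshold`
    POSTs to xmlrpc.php within any `window`-long span."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path, _status = m.groups()
        # Match xmlrpc.php at the site root or in a subdirectory install.
        if method != "POST" or not path.split("?")[0].endswith("/xmlrpc.php"):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def sample_log():
    """Constructed log lines using documentation IP ranges, not real traffic."""
    burst = [
        f'203.0.113.7 - - [06/Jun/2017:10:00:{s:02d} +0000] '
        '"POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"'
        for s in range(0, 40, 5)
    ]
    normal = [
        '198.51.100.20 - - [06/Jun/2017:10:00:03 +0000] '
        '"POST /xmlrpc.php HTTP/1.1" 200 210 "-" "-"',
        '198.51.100.20 - - [06/Jun/2017:10:05:03 +0000] '
        '"GET /wp-login.php HTTP/1.1" 200 1500 "-" "-"',
    ]
    return burst + normal
```

Tune the threshold to your own traffic: legitimate XML-RPC clients such as mobile publishing apps also POST to this endpoint, but rarely many times per minute.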

I’m a self-employed developer who has been building software products and services using WordPress for more than seven years. I enjoy partnering with others on interesting and challenging projects. If you’re interested, feel free to contact me.
