It’s a dangerous world out there, and it’s extra-dangerous to run the world’s most popular CMS. It’s exposed to the Internet 24×7 and you can bet hackers are looking for ways into your WordPress 24×7 as well.
There are some things you can do in order to lock down your site, such as using some kind of WAF (Web Application Firewall) to limit logins to your wp-login.php to certain IPs only. This works very well, but doesn’t scale well if you have a team of content writers, particularly if they’re digital nomads whose IPs are always changing. You can make them use VPNs, of course. But every person you add with elevated privileges is another person who may get keylogged, reuse a password, or otherwise provide a compromise pathway.
One excellent (and somewhat simpler) way you can improve security is to require two factor authentication (2FA) for logins. I recently set that up for LEB and thought I’d share how easy it is to get going.
If you know what you’re doing, the whole thing takes maybe 2 minutes. Some of our more ‘leet members could probably get it done in under 60 seconds.
Install the Plugin
We’ll be using the popular WP 2FA plugin:
It’s installed like any other plugin, but briefly:
- In your dashboard, select Plugins->Add Plugin on the left menu bar
- Search for “WP 2FA”
- Click “Install Now” on the plugin shown above
- Then click “Activate”
Enabling 2FA
Now you need to activate it on a user-by-user basis. Go to the user in question and scroll down to this section:
Click “Configure 2FA”. The process for setting it up is pretty straightforward if you’ve ever set up 2FA for anything in the past. There are two options:
I highly recommend selecting “One-time code via 2FA app” and not considering email. Codes mailed to your email are sent in plain text (because that’s how email works). Also, if your email is compromised, your WordPress is as well. The world is moving away from SMS- and email-delivered 2FA codes and you should as well.
You’ll need some kind of authenticator app (e.g., Google Authenticator) on your phone or other device. Then just follow the instructions.
And don’t forget backup codes! You’ll be given the option to generate them now or later. I always generate them immediately and store them in a safe place. For me, that’s a 1Password Secure Note, but anywhere that’s safe and encrypted is a good choice. Getting locked out of your WordPress and having to muck around on the server to disable the plugin, etc. would be unpleasant, so take a few seconds to prevent this headache.
Authentication
After that, 2FA just works. After the normal WordPress login, you’ll see this:
And it’s just that easy. Stay safe!