So, I really wanted to add two factor auth for my WordPress sites since I’ve seen a lot of login attempts by unauthorized bots lately.
But I couldn’t find one without some dependency to an account on some external service!
So I made it myself.
You can find it here: Two Factor Auth for WordPress
The Log in page with the added button.
When the button is clicked, a new field shows up.
Why you need this
Users can have common or weak passwords that let hackers/bots brute-force your WordPress site, gain access to your files and place malware there. Just like what happened not that long ago: Article on TechCrunch
If all sites had used this plugin, this would never have happened. It doesn’t matter how weak your users’ passwords are, no one can gain access to your WordPress site without already having access to the user account’s phone or email inbox as well.
How Does It Work
This plugin uses the industry standard algorithm TOTP for creating One Time Codes.
An OTC is valid for a certain time; after that a new code has to be entered.
You can now choose to use third party apps like Google Authenticator, which is available for most mobile platforms. You can really use any third party app that supports TOTP. Or, as before, you can choose to get your One Time Codes by email.
Since you have to enter a secret code into third party apps, email is the default way of delivering One Time Codes. Your users will have to activate delivery by third party apps themselves.
Easy To Use
Just install this plugin and you’re all set. There’s really nothing more to it.
If you want to use a third party app, go to Users -> Two Factor Auth, activate it and set up your app.
A bit more work to get logged in, but a whole lot more secure!
Is this really Two Factor Auth?
Well, it depends on how you define ”Something the user has”. The principle of getting a text message on your phone and getting an email is the same, with the exception that you can access a mail account from anywhere, but you have to actually have the physical phone to read a text message. Having to have physical access to something is, of course, even more secure. It also makes it more difficult for users to register, verify a phone number, change phone number, etc.
Since version 3.0 you can have real two factor auth if you activate the Third Party Apps delivery type.
XMLRPC users will not be affected; this is just for the login to admin pages.
Notice that right now the ”Remember me” cookie overrides this, which means that you will still be auto logged in if you click that checkbox.
Just download it from the link above, or search for Two Factor Auth in the plugin menu in WordPress and install it. Please check that you get the right one, with Oskar Hane as the Author/Developer.
So, check it out and let me know what you think.
I just released an update of the plugin. Read about version 4 of Two Factor Auth for WordPress >>