WordPress (the self-hosted version from WordPress.org) is one of the most widely used content management systems today, running everything from company websites and intranets to e-commerce platforms, blogs, community forums and subscription-based sites. Despite its flexibility and popularity, one of the most common and weakest points of attack against WordPress remains its login form. By default the login URL is the same on every installation (wp-login.php) and WordPress sets no limit on the number of login attempts, which leaves it open to brute force attacks.
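Because wp-login.php accepts unlimited attempts, the brute force itself is only visible in the web server's access log. The script below is an added example, not code from the original post or from Duo: it scans Apache/nginx "combined" log lines for failed WordPress logins (a POST to wp-login.php answered with 200, since a successful login is answered with a 302 redirect to wp-admin) and flags any IP that produces more than a threshold of failures inside a sliding window. The log lines are constructed for illustration, and the threshold of 10 failures in 5 minutes is an assumption to be tuned per site.

```python
"""
Brute-force detection for wp-login.php over web-server access logs.

Example added to the article, not code from the original post or from Duo.
The log lines are constructed; the threshold, window and log format
(Apache/nginx "combined") are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# "combined" format: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    """A failed WordPress login is a POST to wp-login.php answered with 200
    (the form is re-rendered with an error). A successful login is answered
    with a 302 redirect to wp-admin, so it is not counted."""
    return (rec["method"] == "POST"
            and rec["path"].split("?", 1)[0].endswith("/wp-login.php")
            and rec["status"] == 200)


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: (peak_failed_count, window_start, window_end)} for every IP
    that produced at least `threshold` failed logins inside any sliding
    `window`. Lines that do not parse are skipped rather than aborting."""
    recent = defaultdict(deque)  # ip -> failed-login timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            prev = flagged.get(rec["ip"])
            if prev is None or len(q) > prev[0]:
                flagged[rec["ip"]] = (len(q), q[0], rec["ts"])
    return flagged


def _constructed_log():
    """Constructed sample: one attacker firing 12 failed logins in two minutes,
    one legitimate user who mistypes once and then succeeds, and a junk line."""
    base = datetime(2014, 3, 10, 9, 0, 0, tzinfo=timezone.utc)
    fmt = ('{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 3521 '
           '"-" "Mozilla/5.0"')

    def line(ip, offset, method, path, status):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return fmt.format(ip=ip, ts=ts, method=method, path=path, status=status)

    lines = [line("203.0.113.7", 0, "GET", "/wp-login.php", 200)]  # fetching the form
    lines += [line("203.0.113.7", 10 * i, "POST", "/wp-login.php", 200)
              for i in range(1, 13)]
    lines += [
        line("198.51.100.4", 30, "POST", "/wp-login.php", 200),  # wrong password
        line("198.51.100.4", 45, "POST", "/wp-login.php", 302),  # correct password
        "this line is not an access-log entry",
    ]
    return lines


CONSTRUCTED_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, (count, start, end) in find_bruteforce(CONSTRUCTED_LOG).items():
        print(f"{ip}: {count} failed logins between {start:%H:%M:%S} and {end:%H:%M:%S}")
```

Run it against a real log with `find_bruteforce(open("/var/log/apache2/access.log"))`, and feed the flagged IPs to a firewall or fail2ban action. The 200-versus-302 distinction holds for the stock login form; a plugin that changes the login URL or response codes needs the `is_failed_login` check adjusted to match.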
Combine the growing strength of password crackers and botnets with weak enterprise authentication practices, such as default usernames and weak passwords, and you have a disaster waiting to happen. No matter how secure you believe your installation is, you should always have a regular data backup policy in place, including a copy of your backup kept in a separate location.
Over the last year or two an increasing number of websites, such as Twitter and Google, have added the option of two-factor authentication. While the 'something the user has' factor can be anything, including a hardware token device of the kind used by many banks, the most commonly used second factor is the user's mobile phone.
Adding two-factor authentication to other applications used to be a cumbersome process, but companies like Duo have made it a great deal simpler. Systems administrators can now add two-factor authentication to server access (SSH and remote Unix logins), VPNs and, of course, WordPress sites. Enabling it for WordPress is what is demonstrated below. Note that the free version of Duo is for 1-10 users only; there are paid plans for those who need it on a larger scale:
You will receive an email activation link. Clicking it takes you to a form requesting a name, a password and the phone you want to associate with your Duo account.
When logging in for the first time with the Duo plugin activated, each user is asked to enrol the phone that will be linked to the WordPress username they are logging in with. From then on the two-factor authentication prompt appears every time a correct username and password are entered. Note that the prompt is shown only after the password has been accepted, so brute force attempts still reach the login form and should still be watched for in the logs; what the second factor prevents is a correctly guessed password alone granting access.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.