How to set up two-factor authentication in WordPress

Ricardo Gutierrez
2 min read · Mar 8, 2021


WordPress sites are among the most attacked sites on the internet. As soon as you bring a site online, attackers will start hammering its login page, trying to guess or crack usernames and passwords. WordPress is exposed to a myriad of other attacks as well, but this post only covers protecting your login credentials. A site that relies on a username and password alone is at serious risk: a single leaked, reused or guessed password hands over the account. To mitigate that, you should set up two-factor authentication.

The most effective and secure second factor is a hardware security key. TOTP codes (from an app or a key fob) and SMS codes are phishable: a fake login page can collect the one-time password (OTP) together with the password and replay it against the real site within the code's validity window, which defeats the purpose of the second factor. A FIDO U2F security key instead signs a challenge that is bound to the site's origin, so a response captured on a look-alike domain is useless at the real one.

There are two models I have used, and both work great.

Steps to install & configure two-factor authentication using a YubiKey

  1. Install the plugin called Two-Factor from the WordPress plugin directory within your WordPress site and activate it.
  2. Go to the profile of the user you want to enable two-factor authentication for.
  3. Scroll to the bottom of the page, to the two-factor section, and click on “Register key”.
  4. Insert the YubiKey and tap it when the browser prompts you. The site must be served over HTTPS: browsers do not allow U2F registration on an insecure origin.
  5. Enable “FIDO U2F Security Keys” and set it as the primary method. (I have registered 2 YubiKeys; a spare key is strongly recommended, and you can register more.)
  6. Click on “Update Profile” to save the settings.
  7. Enable “Backup Verification Codes” and generate the codes. These are your way back in if you lose the YubiKey; each code works once.
  8. Copy & paste the codes into KeePass or the password manager of your preference. Do not leave them in a plain text file on the site or your desktop.
  9. Log out of WordPress.
  10. Log back in to WordPress and confirm that, after entering your password, you are prompted to tap the key.
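The steps above enroll one user. As an added example that is not part of the original post or of the Two-Factor plugin itself, the must-use plugin below applies the same policy site-wide: it removes the phishable Email and TOTP providers (and the test-only Dummy provider) so that only the security key and single-use backup codes can be enabled, and it sends any administrator who has not finished the setup to their profile page until two-factor is active. It assumes the plugin's `two_factor_providers` filter (an array of provider class name => class file path), the provider class names `Two_Factor_Email`, `Two_Factor_Totp`, `Two_Factor_FIDO_U2F`, `Two_Factor_Backup_Codes` and `Two_Factor_Dummy`, and the `Two_Factor_Core::is_user_using_two_factor()` method as they exist in the plugin version you install; check them against your copy, and apply the provider filter before users enroll, because a user whose only enabled method is a removed provider will have to re-enroll.

```php
<?php
/**
 * Plugin Name: Require security-key 2FA for administrators
 *
 * Drop this file into wp-content/mu-plugins/. Must-use plugins load before
 * regular plugins and cannot be deactivated from the dashboard.
 *
 * Assumptions (verify against the installed Two-Factor version):
 *  - the 'two_factor_providers' filter receives an array mapping provider
 *    class name => path to the class file;
 *  - the providers are named Two_Factor_Email, Two_Factor_Totp,
 *    Two_Factor_FIDO_U2F, Two_Factor_Backup_Codes and Two_Factor_Dummy;
 *  - Two_Factor_Core::is_user_using_two_factor( $user_id ) returns true when
 *    the user has a configured primary provider.
 */

// Offer only the FIDO U2F security key and single-use backup codes.
// Email and TOTP codes are dropped because they can be phished and replayed.
add_filter( 'two_factor_providers', function ( array $providers ) {
	$allowed = array( 'Two_Factor_FIDO_U2F', 'Two_Factor_Backup_Codes' );
	return array_intersect_key( $providers, array_flip( $allowed ) );
} );

// Administrators without two-factor are redirected to their profile page,
// where the key is registered, until the setup is complete.
add_action( 'admin_init', function () {
	// The plugin class is available here because admin_init fires after
	// all plugins have loaded; skip AJAX requests to avoid breaking them.
	if ( wp_doing_ajax() || ! class_exists( 'Two_Factor_Core' ) ) {
		return;
	}
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	if ( Two_Factor_Core::is_user_using_two_factor( get_current_user_id() ) ) {
		return;
	}

	global $pagenow;
	if ( 'profile.php' === $pagenow ) {
		// Already on the enrollment page: show a notice instead of redirecting
		// again, which would loop.
		add_action( 'admin_notices', function () {
			echo '<div class="notice notice-error"><p>'
				. esc_html( 'Register a security key in the two-factor section below before continuing.' )
				. '</p></div>';
		} );
		return;
	}

	wp_safe_redirect( admin_url( 'profile.php' ) );
	exit;
} );
```

Test it on a staging copy first with a second administrator account that already has a key enrolled, so you are never locked out of the only admin account while the redirect is in force.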

Find more great tutorials at https://www.smartcloudcomputing.net
