Secure WordPress login with 2FA and keep out hackers

WordPress websites and blogs are under constant attack from malware, hackers and bots. There are many ways to secure the WordPress login, and 2FA (two-factor authentication) is an essential one.

Almost everyone who has a website knows that it is under attack. Those that do not probably haven’t looked hard enough, or with the right tools, at what is happening on their site. Install a security plugin in WordPress and it will usually tell you how many people are trying to log in. It is a lot!

Junk signups and user accounts are created, sometimes in such a large number that they become a problem just to delete. Hackers and bots try over and over again to log in to your website. If I had a penny for every time someone tried to sign in with the ‘admin’ user account, I would be pretty rich by now.

I doubt many people use ‘admin’ as a username on their website these days because it is well known that it should be avoided, but if you do, you should create a new admin user with an unusual name and strong password, then delete the ‘admin’ user. It makes your website or blog safer.

Website security issues

A lot of people worry about hackers and bots trying to gain access to their website or blog through the login page, but this is actually quite secure. Gaining entry to a website by guessing what login username and password is used is very difficult and many website hacks are through security flaws in plugins and themes.

There have been some serious security flaws in plugins that have allowed hackers to take over WordPress websites and there are really only two things you can do. One is to keep plugins updated and the other is to keep plugins to a minimum. Only install the bare minimum of plugins and keep them up to date.

Secure WordPress login with 2FA

Although hacking the WordPress login is hard, it is not impossible. The biggest security problem is people of course.

People often choose poor passwords that are easy to guess. People also re-use passwords from elsewhere, and if there is a breach at one of those services, the password becomes known to hackers and can then be used to gain access to the other sites and services that person uses.

Cyber security illustration
Is your website getting unknown logins from around the world?

You, and anyone else that can log into your website like company employees, freelancers and so on, should use a unique, long and complex password that is not used anywhere else. It makes the WordPress login more secure, but not completely secure.

It is possible to go a step further and to secure WordPress login with 2FA, two-factor authentication. You have no doubt come across this elsewhere and after logging in to a website or online service with a username and password, you are then sent a code to your phone by text message or you have to open an authentication app to get a code or permit logging in.

2FA can be added to a WordPress website for you and any other users that can log in. It levels up the site security and it makes it extremely hard for non-authorised users, like hackers, to log in. 2FA is not perfect, but it is definitely a security improvement and sites are more secure with it than without it.

Some WordPress security plugins include 2FA, but it may be a paid extra that requires an annual subscription, perhaps $100 a year or more. That is an option of course, but there are also some great WordPress plugins that provide 2FA for free. Here are a few:

I will look a bit more closely at the last one as it is quite interesting.

Duo Two-Factor Authentication

Duo adds 2FA, two-factor authentication, to many things, and WordPress websites are just one of the possibilities. Duo can be used to add 2FA to 1Password, Bitwarden, Box, Dropbox, Keeper Security, LastPass, Microsoft 365, OpenVPN, Salesforce, Slack, Zoom and many more business apps and services.

It is mainly aimed at companies and organizations and it supports large numbers of users, who can be managed through a web-based admin interface with tons of user management features. For companies it costs from $3 per user, but I will be using the free version of Duo to secure a WordPress website.

Duo is free for up to 10 users, which is great for solo bloggers, websites with small teams, and small businesses. It will not cost anything to add 2FA security to your website (or any of the other supported apps) and make logging in much more secure. Keep out the hackers!

Set up Duo 2FA

Setting up Duo for secure WordPress login takes some time because it is a multistep process, so make sure you have half an hour free. You start at the website, which is best accessed on a computer, and you create a free account. Click the Free Trial button on the Duo website.

No payment and no financial details are required. Just an email address and a phone. If you don’t pay, your account is downgraded to a free one after a 30-day trial. This means that a few advanced features, which you might not miss anyway, will be disabled, but the basic 2FA functionality continues.

As you work through the step-by-step guided sign-up, account creation and setup process, you are asked to install the Duo Mobile app for iPhone or Android phone and provide your phone number. This is not the only way to authorize logins, including login to the admin interface at the Duo website itself, but it is the recommended method. Many people will be familiar with using their phone to authorize logins elsewhere.

Once you have created a Duo account, you can try logging out and logging back in. After entering your username and password, you click a button to send a push notification to your phone, send a text message or open the Duo Mobile app manually and get a code.

Push is the easiest option. You will immediately see a notification on your phone stating that someone is trying to log in to your account and asking whether you want to allow it. Tap the big green tick button and you are logged into the website. No password and no numeric code is required, just a button to allow or deny access.

Set up 2FA in WordPress

Now that you have a Duo account, you can add it to your website. In WordPress, click Plugins > Add New and enter Duo into the search box. Find Duo Two-Factor Authentication, click the Install Now button and then click Activate.

Secure WordPress login with Duo Two-Factor Authentication plugin
Find and install the Duo Two-Factor Authentication plugin for WordPress

Go to the Duo website and log in to your admin account on your computer.

Select Applications in the sidebar, find WordPress among the list of supported apps, and click the Protect button on the right. (There is a useful link to Documentation and it is useful to read this if you are unsure what to do.)

Protecting an app with Duo 2FA: Screenshot
At the Duo website, find WordPress in Applications

Choose to protect WordPress and you are provided with three items: Integration key, Secret key and API hostname. There is a Copy button next to each one.

In another browser tab, open WordPress > Settings > Duo Two Factor and there is space for those same three items. Use the Copy button to copy each item and paste it into the same box in WordPress. Use Cmd+V (Mac) or Ctrl+V (PC) to paste the keys.

Adding Duo 2FA security keys to WordPress: Screenshot
Copy the security keys from the Duo website to WordPress

There are checkboxes in the WordPress plugin to choose which user roles to apply it to. It is not necessary for subscribers because they don’t have permission to do much on a site anyway. It is probably a good idea to apply it to at least Author and above. These users have more capabilities, so you need to ensure only authorised people are logging in. Then click the Save Changes button at the bottom.

You can try it yourself. Log out and then go to www.yoursite.com/login. The standard WordPress login form is displayed and you must enter your username and password. If the username and password are correct, and only then, a Duo form pops up and asks you to confirm your identity, offering push, text message and passcode options.

Push is best and a notification appears on your phone asking you to confirm login. Tap the green button and you are into WordPress.

A 2FA authentication phone notification from Duo: Screenshot
Someone tried to log in to your account. Was it you?

Even if someone somehow got your username and password, they do not have your phone and therefore cannot authorize login. Even if someone steals your phone, they will not be able to unlock it to open the Duo app to authorize login. 2FA makes it very difficult for anyone else to log in to your website.

It would also make it difficult for employees to share their login because a username and password is not sufficient. Logins must be approved by phone or other 2FA method.

What if you lose your phone?

The Duo app on your phone is the key to secure WordPress login. It notifies you when you, or someone else, enters your username and password to log in to your website. If it is you, you can approve it, but if it is someone else, you are alerted and can deny it. Then change your password!

The obvious problem is if you change your phone, break your phone or lose your phone. You cannot authorize login. Are you locked out of your website or blog?

Yes, but there is a way around Duo 2FA. If you log into your web hosting account, there is often a file manager that enables you to view and manage the files in your website. Alternatively, web hosts may provide FTP access to your website using software like Cyberduck or Filezilla. They are the web equivalent of Finder (Mac) and Explorer (PC) and you can browse the WordPress files.

Go to wp-content > plugins and rename the duo-wordpress folder to duo-wordpress.disabled. It stops the Duo 2FA plugin from working and you can log into your site as normal with a username and password. Rename the duo-wordpress.disabled folder back to duo-wordpress and it starts working again.

Provided you have access to your website files through your web hosting account or FTP, you can disable Duo 2FA in WordPress. Make sure you know how to do this before enabling it, and remember that anyone with that same file access can disable 2FA in exactly the same way, so protect your hosting and FTP accounts with strong, unique passwords too.
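The same break-glass procedure as a small shell script, added here as an example and not part of the post or the Duo plugin. It assumes shell access to the host (the post uses a file manager or FTP), takes the WordPress root directory as its argument, and refuses to rename when the target folder already exists so a half-done rename cannot leave two copies of the plugin behind.

```shell
#!/bin/sh
# Emergency toggle for the Duo plugin folder described above.
# Assumption: shell access to the host; folder names follow the post
# (wp-content/plugins/duo-wordpress <-> duo-wordpress.disabled).

# duo_toggle <wordpress_root> disable|enable
duo_toggle() {
    root="$1"
    action="$2"
    plugins="$root/wp-content/plugins"
    active="$plugins/duo-wordpress"
    disabled="$plugins/duo-wordpress.disabled"

    case "$action" in
        disable) src="$active";   dst="$disabled" ;;
        enable)  src="$disabled"; dst="$active" ;;
        *) echo "usage: duo_toggle <wordpress_root> disable|enable" >&2; return 2 ;;
    esac

    # Refuse to act if the source folder is missing or the target exists.
    if [ ! -d "$src" ]; then
        echo "not found: $src" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        echo "already exists: $dst" >&2
        return 1
    fi

    mv "$src" "$dst" || return 1
    # Timestamped record of the change, so the bypass is visible later
    # (redirect this to a file outside the web root if you want to keep it).
    printf '%s duo-wordpress %sd -> %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$action" "$dst"
}

# duo_state <wordpress_root>  -> prints active, disabled or missing
duo_state() {
    plugins="$1/wp-content/plugins"
    if [ -d "$plugins/duo-wordpress" ]; then
        echo active
    elif [ -d "$plugins/duo-wordpress.disabled" ]; then
        echo disabled
    else
        echo missing
    fi
}
```

Run `duo_toggle /path/to/wordpress disable` to get back in with just a username and password, and `duo_toggle /path/to/wordpress enable` as soon as you have a working phone again.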

Final thoughts

I have barely scratched the surface of what Duo can do and there are a ton of features for organizations with multiple users that enable them to manage and control what users can do.

Every login is logged in detail, you can see and add users and devices, create groups of users, choose whether users can self-setup, brand the 2FA login screen, create a help desk for users, set the number of failed logins before lockout, automatically delete inactive users, allow users to restore accounts and more.

If you are a solo blogger or website with just a small number of users, Duo is free and you can simply ignore features you don’t need. Larger organizations need to pay per user, but it has useful management functions that enable you to control access to websites and other business applications and services.
