The first step in securing WordPress is choosing a strong password. What is a strong password? One that is not easily guessed: not a dictionary word, not a name, birthday or site name, and long enough that brute force is impractical. Build a passphrase that mixes upper- and lower-case letters, digits and symbols. An example is $Rid1ng!Pw17ies## (now that it is published it is no longer a good password; treat it as a pattern only, and never reuse one password across sites).
The next step is hardening your WordPress login with two-factor authentication. An everyday example of two-factor authentication is your ATM card and PIN: you need both the card and the PIN to get into your account, withdraw money and check balances.
You are providing two means of identification. Something you have and something you know.
Using two-factor authentication drastically increases your security and minimizes your risk. How? An attacker who guesses, phishes or steals your password still cannot log in with it alone; they would also need the second factor, the device you are holding.
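To make the "something you know plus something you have" rule concrete, here is an added example (not code from this post, from WordPress or from Duo Security) of a server-side login check that refuses a correct password until a valid one-time code from the user's device is also presented. The second factor is modelled as a TOTP code (RFC 6238, the kind an authenticator app computes from a shared secret and the clock) rather than a Duo Push; the user record, salt and secret are constructed for the example.

```python
"""Added example: a login check that needs both a password and a one-time code.

Not code from the post or from Duo Security. The second factor is a TOTP code
(RFC 6238), the kind an authenticator app computes from a shared secret and
the clock; Duo Push is not modelled. The user record, salt and TOTP secret
below are constructed for this example.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 hash; the server stores this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238 with HMAC-SHA1, the default in authenticator apps."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", for_time // step)  # 64-bit big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed user table: the password from the post, hashed, plus the TOTP
# secret that would have been enrolled on the user's phone.
_SALT = b"constructed-salt-not-for-reuse"
USERS = {
    "admin": {
        "pw_hash": hash_password("$Rid1ng!Pw17ies##", _SALT),
        "salt": _SALT,
        "totp_secret": base64.b32encode(b"constructed-totp-secret").decode(),
    }
}


def login(username: str, password: str, code: Optional[str], now: Optional[int] = None) -> str:
    """Return 'ok', 'bad-password', 'second-factor-required' or 'bad-second-factor'.

    A correct password alone never yields 'ok'; that is the whole point of 2FA.
    """
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        # An unknown user gets the same answer as a wrong password, so the
        # login form does not confirm which usernames exist.
        return "bad-password"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return "bad-password"
    if code is None:
        return "second-factor-required"
    # Accept the current and the previous 30-second window to tolerate clock drift.
    for window in (0, -1):
        expected = totp(user["totp_secret"], now + window * 30)
        if hmac.compare_digest(expected, code):
            return "ok"
    return "bad-second-factor"


if __name__ == "__main__":
    t = int(time.time())
    good = "$Rid1ng!Pw17ies##"
    print(login("admin", good, None, t))  # second-factor-required
    print(login("admin", good, totp(USERS["admin"]["totp_secret"], t), t))  # ok
```

The password check and the code check both use `hmac.compare_digest`, so an attacker cannot time the comparison to learn how much of a guess was right, and the one-window grace period is the usual trade-off between phone clock drift and replay exposure: a captured code is only good for about a minute.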
This is where Duo Security comes in. They provide two-factor authentication for your WordPress login. A free account covers up to 10 users; with it you create an integration for your WordPress site and install their plugin.
About Duo Security
Based out of Ann Arbor, Michigan, Duo Security provides hosted two-factor authentication for any business. Not only can you get two-factor authentication for a WordPress site, you can also get two-factor authentication for your VPN services, such as Cisco VPN. They also have a solution which ties two-factor authentication to remote desktop services.
Their service provides an intuitive web interface which eliminates the complexity of deploying traditional two-factor authentication systems. The company is led by their CEO, Dug Song, and CTO, Jon Oberheide, Ph.D.
First step is to create a Duo Security account.
Provide the details of your company size, what you’re protecting, etc.
Fill out the basic information form.
The next step is to create a new integration. In this example, I will be integrating two-factor authentication into a WordPress site.
After creating the new integration, download the Duo Two-Factor Authentication plugin for your WordPress site.
In the Settings page for Duo Two-Factor Authentication, paste your Integration key, Secret key and API hostname from the Duo Security dashboard (displayed after creating the new integration on their site). Treat the Secret key as a credential: keep it out of shared backups and source control. Enable two-factor authentication for all the WordPress roles, administrators included.
Continue with the installation by clicking on Start setup.
This setup is for the user you are logged in with. Select which device you will use for authenticating your login.
Type in the cell phone number and the type of phone.
Download the Duo Mobile app for your phone and then click on Continue.
Open the Duo Mobile app on your phone and tap the plus sign to scan the QR code shown on your computer monitor. This enrolls your phone.
When you log into your WordPress site you will input your username and password and then be prompted to select your second authentication method. The Duo Push is a neat feature which makes authentication very simple.
When selecting Duo Push this is what you see on the iPhone: the username is displayed along with the IP address the login is originating from, and you approve or deny. Very cool stuff! Before approving, check that the IP matches where you are actually logging in from; a push you did not initiate means someone else has your password, so deny it and change the password.
Duo Security handles two-factor authentication for more than just WordPress sites. You can deploy this for your VPN clients, Microsoft OWA, Remote Desktop, and more. There’s no infrastructure required. It’s all taken care of. My favorite part is how simple it is to install and use. Getting the end user to support this should be a lot easier. With passwords being the weakest link in security, it’s time to help bolster that with two-factor authentication.
Are you using two-factor authentication? What do you think of hosted security?