Multi-factor authentication, or MFA, adds a second layer of security to your website. It requires an authorized user to enter not only their password but also a second piece of information that only they have access to. An account protected by MFA is virtually impossible to compromise. Even if an attacker somehow discovers your username and password, they still can’t log in.
One way MFA works is to send a code to your smartphone when you log in to your website. The two-step login completes only after you enter the code sent to you by SMS text message, voice call or mobile app. The verification codes are generated uniquely for you at the moment you need them. They are 6 or 8 digits long, can be used only once and expire if not used within a specific timeframe, usually 30 seconds.
Since sending SMS messages costs money, is not very secure and is prone to delivery issues, this method of MFA is being phased out in favor of authenticator apps that provide a more secure function at no cost. Examples include Google Authenticator, Authy, FreeOTP, 1Password and Microsoft Authenticator, which you install on your smartphone.
Authenticator apps can be used in conjunction with WordPress security plugins such as Wordfence. While it is critically important to protect your site’s admin accounts, there are other user roles with capabilities you don’t want to hand over to an attacker. Wordfence allows you to enable MFA for any user role.
For convenience, you can whitelist your own static IP address so you never have to go through the MFA process to access the backend of your website.
Login security has become increasingly important. With the constant threat of massive botnet attacks and the very real possibility of data breaches, adding MFA to your existing security tools will provide an extra layer of protection that will keep your website safe.
Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.