If You Have Not Enabled 2FA on WordPress Yet, Do It Now


The security benefits of two-factor authentication (2FA) should no longer be a mystery to anyone. Even the weaker forms, such as codes delivered by SMS or email, make compromising an online account considerably harder than a password alone, and more and more people are adopting the feature. There is, of course, a trade-off, and, as with most mechanisms that make our online lives more secure, it comes in the form of usability. For many users, entering a second piece of information at every login is simply too much work, so they enable 2FA only on the accounts they consider most valuable.

The owner of a simple WordPress blog, for example, might decide that their website isn't important enough to warrant 2FA. Ask them about it and they will tell you that their site is not a viable target for hackers. This is not true.

Why might hackers be interested in your WordPress website?

One of the best things about WordPress is its centralized, easy-to-use dashboard, through which an entire website can be controlled. The wide range of themes and plugins makes the content management system extremely versatile, which is why close to 36% of all active websites in the world use it.

In other words, there are plenty of targets, and a few factors make attacking them relatively easy. For example, everyone who has ever worked with WordPress knows that the login page lives at [the website's domain]/wp-login.php and the dashboard at [the website's domain]/wp-admin/. Because the paths are the same on every installation, automated scanners find them without any reconnaissance. There are plugins that move the login page elsewhere, but most administrators don't bother, and even when they do it only adds obscurity. In practice, the only thing sitting between an attacker and your WordPress dashboard is your password, and a password that is weak, reused elsewhere, or already in a leaked credential list is a thin barrier. If attackers break through it, they can cause a lot of damage.

If they don't like the content you publish, they can wipe the entire website, or deface it and use it for propaganda. The ability to modify content also lets them host and distribute malware or inject spam links, which can get the domain flagged by browsers and search engines; even after you regain control and clean up the installation, that can have long-lasting effects on the website's SEO performance. If you have a database full of registered users, their personal data could be compromised as well.

As you can see, there are plenty of arguments for protecting your WordPress dashboard with 2FA. Unfortunately, doing so is not as simple as you might think.

WordPress and 2FA

WordPress doesn't support 2FA out of the box. Although the mechanism has been around for years and its advantages are obvious, the core installation still doesn't ship with it enabled by default; the closest thing is the Two Factor feature plugin maintained by WordPress core contributors, which you have to install yourself like any other plugin.

Fortunately, a number of third-party plugins offer 2FA functionality, and since the core installation doesn't provide it, you may as well look at the options and pick the one that suits your needs best. Make sure you consider a few things, though.

Read reviews and check the ratings of the different plugins, and look at how recently each one was updated and how many active installations it has. Prefer a plugin that supports authenticator apps (TOTP) or hardware security keys over one that only emails a code, since an attacker who has your reused password may well have your inbox too, and make sure it issues backup codes so a lost phone doesn't lock you out of your own site. Check whether it also protects XML-RPC and the REST API, which accept the same username and password and are routinely used for brute-force attempts that never touch the login form. Before you install anything, back up your website and make sure you understand how the add-on works. Last but not least, don't forget that plugins are, essentially, lines of code that can (and often do) contain security bugs. Keeping them up to date and installing the latest patches is extremely important.
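To make concrete what such a plugin actually does under the hood, here is an added illustrative example, not the code of any real plugin or of WordPress itself. It hooks WordPress's `authenticate` filter after the core username/password check (which core registers at priority 20), and if the user has a TOTP secret stored in user meta, it requires a valid RFC 6238 code before the login succeeds. The plugin name, the `demo_` function names and the `demo_totp_secret` meta key are assumptions made for this example; `add_filter`, `add_action`, `get_user_meta`, `WP_User`, `WP_Error`, `wp_unslash` and `sanitize_text_field` are real WordPress APIs.

```php
<?php
/*
 * Plugin Name: Demo TOTP second factor (illustrative example, not a real plugin)
 */

// Assumed user-meta key holding the user's base32-encoded TOTP secret.
const DEMO_TOTP_META_KEY = 'demo_totp_secret';

/** Decode an RFC 4648 base32 string, the format authenticator apps import. */
function demo_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32  = strtoupper(rtrim($b32, '='));
    $bits = '';
    foreach (str_split($b32) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) { return ''; }          // invalid character: empty secret
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) { $out .= chr(bindec($byte)); }
    }
    return $out;
}

/** RFC 6238 TOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated. */
function demo_totp(string $secret, int $counter, int $digits = 6): string {
    $hmac = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $off  = ord($hmac[19]) & 0x0f;
    $code = ((ord($hmac[$off]) & 0x7f) << 24)
          | (ord($hmac[$off + 1]) << 16)
          | (ord($hmac[$off + 2]) << 8)
          |  ord($hmac[$off + 3]);
    return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** Accept the current 30-second step and one step either side to tolerate clock drift. */
function demo_totp_verify(string $secret, string $submitted, int $now): bool {
    if ($secret === '' || !preg_match('/^\d{6}$/', $submitted)) { return false; }
    $step = intdiv($now, 30);
    for ($d = -1; $d <= 1; $d++) {
        // hash_equals() keeps the comparison constant-time.
        if (hash_equals(demo_totp($secret, $step + $d), $submitted)) { return true; }
    }
    return false;
}

// Priority 30 runs after core's password check, so $user is a WP_User only
// when the username and password were already correct.
add_filter('authenticate', function ($user, $username, $password) {
    if (!($user instanceof WP_User)) { return $user; }   // password step failed; pass the error through
    $b32 = get_user_meta($user->ID, DEMO_TOTP_META_KEY, true);
    if (empty($b32)) { return $user; }                    // user has not enrolled in 2FA
    $code = isset($_POST['demo_totp_code'])
        ? sanitize_text_field(wp_unslash($_POST['demo_totp_code']))
        : '';
    if (!demo_totp_verify(demo_base32_decode($b32), trim($code), time())) {
        return new WP_Error('demo_totp_invalid', 'Invalid authentication code.');
    }
    return $user;
}, 30, 3);

// Add the code field to the wp-login.php form.
add_action('login_form', function () {
    echo '<p><label for="demo_totp_code">Authentication code<br>'
       . '<input type="text" name="demo_totp_code" id="demo_totp_code" class="input" '
       . 'autocomplete="one-time-code" inputmode="numeric" size="20"></label></p>';
});
```

A correct implementation of `demo_totp` reproduces the RFC 6238 test vectors: with the ASCII secret `12345678901234567890` and time 59 (counter 1) it returns `287082`, the last six digits of the RFC's `94287082`. Two things the example deliberately leaves out show why a maintained plugin is still the right choice: the six-digit code with a three-step window is brute-forceable without rate limiting on the login endpoint, and because the check sits on `authenticate`, XML-RPC and REST requests that authenticate with a password for an enrolled user will also fail for lack of a code, so a real plugin has to decide explicitly how those paths are handled rather than leaving it to chance.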

If you haven't done so already, it might not be a bad idea to review your WordPress website's overall security as well. As we mentioned, hackers have more than a few reasons for attacking it, and the large number of compromised WordPress sites reported every day shows that they rarely need a second invitation.

May 15, 2020
