With the recent publicity on brute force attacks aimed at WordPress blogs, beefing up security should be on your mind!
There are plenty of things you can do to tighten up your blog, including adding an extra layer of security.
That additional layer can be added by using two factor authentication on your blog. According to Wikipedia:
“Two-factor authentication is often confused with other forms of authentication. Two-factor authentication requires the use of two of the three authentication factors. The factors are identified in the standards and regulations for access to U.S. Federal Government systems. These factors are:
Something the user knows (e.g., password, PIN, pattern);
Something the user has (e.g., ATM card, smart card); and
Something the user is (e.g., biometric characteristic, such as a fingerprint).”
For WordPress users, one way of adding two factor authentication is to use your mobile phone to confirm your identity in addition to your username and password. If you use PayPal’s additional security features you may already be familiar with this double layer of security.
Duo Security Plugin
One plugin that you can use to add extra security is the Duo Security Plugin. The plugin is free from the WordPress repository, but you will need to register for a personal account with Duo Security before installing it.
No mobile phone?
No problem, you can also use a landline.
Duo’s account is free for up to 10 users, with business and enterprise accounts for those that need more than 10 users.
You can add the additional authentication for the following roles: Administrator (yes!), editor, author, contributor and subscriber.
After you have signed up with Duo, you need to activate your account by clicking the activation link in the email that they send you. Then you need to create an integration (basically a fancy pants way of saying what you are trying to protect – in this case a Web SDK integration to protect a WordPress blog).
Give your integration a name that users will see when they authenticate, e.g. WP Queen.
Once the integration is created you will be given details of your integration key, secret key and API hostname.
Google also has a product that adds another layer to your blog, which is Google Authenticator. The plugin works on Android, iPhone and BlackBerry. Just like the previous plugin, you can choose which user roles you enable the two factor authentication on. Naturally, your “administrator” account is the big one that you will wish to protect.
This plugin is a little trickier to set up compared to the Duo Security plugin. It requires you to ensure that your server and blog are providing accurate time information. The codes that the plugin generates for the double authentication are time based, so it’s imperative that the phone you are using and the server where your web host is located are in sync. This is just a little too complex for me being in Australia and having hosting in the USA.
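To make the clock-sync point concrete, here is an added illustration of how a time-based code is derived and checked. It is not code from Google Authenticator or any plugin above; it uses the reference test secret from RFC 6238 and a hypothetical server-side verify function with a one-step tolerance window, so you can see that a phone and server 30 seconds apart still agree while a few minutes of drift do not. The computation runs on UTC seconds since the epoch, so the time zone difference between you and your host plays no part; only an inaccurate clock does.

```python
import base64
import hashlib
import hmac
import struct

# Reference test secret from RFC 6238 (ASCII "12345678901234567890"), base32-encoded
# the way authenticator apps receive it from a QR code. Not a real secret.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # the usual authenticator-app time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(seconds since the Unix epoch / step).
    The input is UTC seconds, so time zones play no part; only clock accuracy does."""
    return hotp(base64.b32decode(secret_b32, casefold=True), unix_time // step)


def verify_totp(secret_b32: str, submitted: str, server_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Hypothetical server-side check (an assumption, not any plugin's code): accept the
    code for the current step or any step within +/- window. window=1 tolerates roughly
    30 s of phone/server drift. Comparison is constant-time and every candidate is
    evaluated, so the check leaks neither matching digits nor which step matched."""
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = server_time // step
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter + delta), submitted)
    return ok


def skew_outcome(phone_time: int, server_time: int, window: int = 1) -> bool:
    """Simulate a phone generating a code at phone_time and a server checking it at server_time."""
    code = totp(RFC_TEST_SECRET_B32, phone_time)
    return verify_totp(RFC_TEST_SECRET_B32, code, server_time, window)


if __name__ == "__main__":
    t = 1111111109  # one of the RFC 6238 sample timestamps
    print("code at T=%d: %s" % (t, totp(RFC_TEST_SECRET_B32, t)))
    for drift in (0, 30, 60, 300):
        verdict = "accepted" if skew_outcome(t, t + drift) else "rejected"
        print("server %3d s ahead of phone -> %s" % (drift, verdict))
```

Running the script prints the RFC sample code for that timestamp and shows the server accepting at 0 s and 30 s of drift but rejecting at 60 s and 300 s. The practical lesson is that a host with NTP-synchronised time needs no special treatment, whereas a server whose clock has drifted by a minute or more will reject every code the phone shows.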
Authy Two Factor Authentication
I’ve been using Authy on my blog for quite a while now without any problems. Out of the plugins above it was the easiest to set up. No messing about syncing clocks and the like. I just signed up for a free Authy account and installed the plugin.
Toopher have produced a nice little plugin that is currently in beta. It will be interesting to see more user reviews of this plugin and how it develops in the future.
In order to use this free plugin from the repository you will need to buy a Shield Pass (about $10). Shield Pass differs from the other plugins listed in that it operates on a dynamically changing password. You can get a brief overview by watching the short video: http://youtu.be/ZrRMHG-jZ-8
Two Factor Auth
This plugin appears to be less feature rich than the others listed. It still requires you to use another app such as Duo or Google Authenticator. In addition, if you use custom login pages you will need to switch back to the standard default page.
The IM Login Dongle allows you to receive the passcode for logging in to your site via instant messenger. This is handy for those that don’t have or don’t like using mobile phones.
I have to put in a shout out to WordFence. Not only is it one of the best free security plugins in the repository (and better than most paid plugins being peddled in certain forums), but it also has two factor authentication. Now, the two factor cell phone authentication is in the premium version, not the free one, but seriously, with all this plugin offers it is worth the small investment.
Rublon WordPress Plugin
The Rublon plugin works on “invisible two factor authentication”. Basically, it requires you to create a Rublon account and then sign in to your WordPress blog only from a device you have marked as trusted.
Use Rublon to manage and define the devices you trust, such as your laptop, tablet and mobile phone. Rublon secured accounts will only be accessible from your Trusted Devices. The Rublon mobile app allows you to add or remove Trusted Devices at any time, anywhere you are.
Rublon is an additional security layer that verifies whether you are signing in from a Trusted Device. It works on top of any existing authentication process. This means that you still have to type your username and password or use a social login button to sign in, but it must be done on a Trusted Device in order to access your account. And if you want to sign in using a new device, simply confirm your identity using Rublon, and then add it to your Trusted Devices.
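The trusted-device idea described above can be illustrated with an added example that is my own sketch, not Rublon’s code or a description of how Rublon works internally. A device is enrolled only after the user has confirmed it out of band, it receives a signed token, and every later login must present a token that is validly signed, unexpired and still on the user’s trusted list; the password check stays exactly where it was, with the device check layered on top. The in-memory store, the 90-day lifetime, the signing key and the "confirm new device" outcome are all assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed server-side signing key for this illustration; a real deployment would
# generate it randomly once and keep it out of source control.
SERVER_KEY = b"illustration-only-server-key"
TOKEN_LIFETIME = 90 * 86400  # assumed: a trusted device expires after 90 days


def _sign(payload_b64: str) -> str:
    return hmac.new(SERVER_KEY, payload_b64.encode(), hashlib.sha256).hexdigest()


class TrustedDeviceStore:
    """Per-user list of trusted device ids, plus issue/verify of the signed token a device keeps."""

    def __init__(self):
        self.trusted = {}  # username -> {device_id: label}

    def enroll(self, username: str, label: str, now: int) -> str:
        """Call only after the user has confirmed the new device out of band.
        Records the device and returns the token the device presents on later logins."""
        device_id = secrets.token_hex(16)
        self.trusted.setdefault(username, {})[device_id] = label
        payload = json.dumps({"u": username, "d": device_id, "exp": now + TOKEN_LIFETIME},
                             separators=(",", ":"))
        payload_b64 = base64.urlsafe_b64encode(payload.encode()).rstrip(b"=").decode()
        return payload_b64 + "." + _sign(payload_b64)

    def revoke(self, username: str, device_id: str) -> None:
        """Remove a device; its token stops working at once even though it has not expired."""
        self.trusted.get(username, {}).pop(device_id, None)

    def is_trusted(self, username: str, token: str, now: int) -> bool:
        """Signature first (constant-time), then expiry, then membership in the user's list."""
        if token.count(".") != 1:
            return False
        payload_b64, sig = token.split(".")
        if not hmac.compare_digest(_sign(payload_b64), sig):
            return False
        padded = payload_b64 + "=" * (-len(payload_b64) % 4)
        payload = json.loads(base64.urlsafe_b64decode(padded))
        if payload["u"] != username or payload["exp"] < now:
            return False
        return payload["d"] in self.trusted.get(username, {})


def login(store: TrustedDeviceStore, username: str, password_ok: bool,
          token: str, now: int) -> str:
    """The existing password check runs first; the trusted-device layer sits on top of it."""
    if not password_ok:
        return "denied"
    if store.is_trusted(username, token, now):
        return "allowed"
    return "confirm new device"


if __name__ == "__main__":
    store = TrustedDeviceStore()
    laptop_token = store.enroll("alice", "laptop", now=1000)   # after out-of-band confirmation
    print(login(store, "alice", True, laptop_token, now=2000))  # allowed
    print(login(store, "alice", True, "", now=2000))            # confirm new device
```

A token is bound to one user and one device id, so it cannot be replayed for another account, and revoking the device in the store invalidates the token without waiting for the expiry to pass. The verifier also checks the signature before it parses the payload, so a tampered token never reaches the JSON decoder.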
Clockwork Two Factor Authentication
I haven’t used the Clockwork two factor authentication plugin, but you should note that, as well as needing a Clockwork account, you will also need some credit on it to use the plugin.