Protect your blog with 2FA for WordPress

Many experts liken cyber security to an onion: in order to truly protect yourself, you must use multiple layers of protection. This is true whether we’re talking about your bank’s online portal, your password keeper … or your WordPress dashboard.

We’ve discussed ways to keep your site secure in the past. Today we want to take a look at an additional layer you can add: two-factor authentication.

What is two-factor authentication?

At its core, two-factor authentication (2FA) requires a user to prove they are who they say they are twice, using two different mechanisms (or “factors”): something you know and something you have. Single-factor authentication usually involves a username and password. 2FA requires you to have something in your possession—in addition to the password you know—to prove you are who you say you are. Without that second factor, a compromised password is not very useful.

In the beginning, 2FA relied on small physical devices (similar to a USB key) that generated a new code every 30 seconds. A user would enter the current code as the second step of their login process. Those devices are still in use. But nowadays websites or apps will often send a one-time code to another trusted device (such as a cell phone or email address). The user then enters that code to establish the current device / network as trusted as well.

Is 2FA for WordPress really necessary?

Unfortunately, 2FA is becoming increasingly important everywhere, which means, yes, you should have it on your WordPress dashboard as well. Just like other sites, WordPress blogs experience a variety of hacks. There are many ways to protect your blog, including renaming your WordPress login page and using strong passwords. But even with these precautions, a determined hacker could access your site. 2FA for WordPress provides an additional layer of protection, so even if your login page and password are compromised, the attacker still cannot log in without the second factor.

What’s the best way to set up 2FA for WordPress?

WordPress doesn’t offer built-in two-factor authentication, but (unsurprisingly!) there are many plugins to choose from. Our team doesn’t yet have a strong opinion on the “best” plugin, but we often recommend Two Factor Authentication from the authors of UpdraftPlus (which is one of our preferred plugins).

But…how will Agathon access my site if it has 2FA enabled?

Ah, this is a great question! Can you imagine if we had to pass phone codes across five states and six time zones? Thankfully, 1Password—the password management tool Agathon uses—offers a built-in authenticator tool that will allow us to log in while still using 2FA.

No single precaution will provide 100% protection for your site. But by taking a layered approach, you can reduce the likelihood a hacker will be able to get in. Our free security checklist will help you walk through the things you can do to protect your site.

Mandi Ehman
