Why Do I Need 2FA
At the time of writing, I’ve only been running my WordPress blog site for a few months. I haven’t written many blogs, and I don’t get that many visitors. But in that time – according to the free Jetpack plugin – I’ve had over 25000 brute force hack attempts!
I follow good password practices. My WordPress site uses a complex password. I don’t use this password anywhere else. And I store the password in a password manager. But even so, it’s conceivable that one day someone might successfully brute force this password.
And that’s why I’m telling you: if you haven’t already, enable multi-factor authentication on EVERYTHING you care about!
What is MFA / 2FA?
Just as a reminder: what is multifactor authentication (MFA)? Simply put, it’s a way to verify (authenticate) who you are, by asking you for at least two pieces of information. Each piece of information must come from a different category of authentication information. Here are some categories:
- Something you know – like a password or PIN.
- Something you have – like a time-based one-time password (OTP) provided by an authentication app.
- Something you are – e.g. your fingerprint.
2-Factor Authentication (2FA) is a subset of MFA. A common way to perform 2FA is to ask you for a password, and – if you enter it correctly – to subsequently ask you for a code from an authentication app, like Google Authenticator, or Authy. With 2FA, if someone steals your password, they still can’t get access to your applications without also having an authorised device running an authenticator app. If a malicious actor does enter your password into a site with 2FA enabled, YOU will receive the authentication code request. And of course, you would say “No, this was not me!”
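The password-then-code check described above, as an added example that is not from this post or from any plugin: a minimal RFC 6238 time-based OTP verifier sitting behind a password check. The account, salt, password and function names are constructed for illustration, and the secret is the published RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the usual authenticator-app default

def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a code derived from a shared secret and the clock."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current time step plus/minus `window` steps to tolerate clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        t = unix_time + drift * STEP
        if t >= 0:
            # Constant-time comparison, and no early exit on a match.
            ok |= hmac.compare_digest(totp(secret_b32, t).encode(), submitted.encode())
    return ok

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account (all values made up for this example).
SALT = b"constructed-salt"
USER = {
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",  # RFC 6238 test secret
}

def login(password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass: something you know AND something you have."""
    knows = hmac.compare_digest(hash_password(password, SALT), USER["pw_hash"])
    has = verify_totp(USER["totp_secret"], code, unix_time)
    return knows and has

if __name__ == "__main__":
    now = 59  # RFC 6238 test time
    print(login("correct horse battery staple", totp(USER["totp_secret"], now), now))
    print(login("correct horse battery staple", "000000", now))  # password known, code guessed
```

The second call models a successfully brute-forced password: the first factor passes, but without the device holding the shared secret the login is still rejected.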
How to Enable 2FA on a WordPress Site?
I would recommend the WP 2FA plugin for WordPress. It’s free to use and a doddle to install. The whole thing takes just a couple of minutes.
From the WordPress Admin Console, select Plugins, then Add New. Then search for “wp 2fa”. Then, click on “Install Now”.
You can then configure the plugin, e.g. to use an Authenticator app, like Authy.
You can then go ahead and configure 2FA for your WordPress admin user.
From now on, you’ll be prompted for 2FA to log in to your WordPress site.