In my latest blog post for Kanuka Digital, I share highlights from my trip to WordCamp Europe 2023 in Athens. We were thrilled to be shortlisted for the EU WooExpert Innovator Award, recognising our work in building out more complex WooCommerce solutions. When not attending talks or networking, I explored Athens’ historic sites, including a walking tour of the Acropolis and Acropolis Museum. Athens is a city full of beauty and history, and I’d highly recommend exploring its ancient sites if you ever get the opportunity.
Over the years, the need for increased security has become more apparent. The internet has become a place where personal information is shared and stored. This makes it vulnerable to hackers and other malicious users who want to gain access to your data.
We’ll look at what 2FA is, how it can be implemented in WordPress, and how to make the onboarding process as seamless as possible for your users.
What is two-factor authentication (2FA)?
Two-factor authentication (2FA) adds an extra security layer to online accounts. Without this extra layer of protection, your account is vulnerable even if you use a strong password.
2FA is a method of confirming your identity by requiring a second form of identification after entering your username and password. This means even if someone gets your password, they still need more information before being able to successfully log in.
It should not be considered a substitute for strong passwords. Rather, it is an additional layer of security: it requires something you have (a device or token) on top of something you know (your username and password).
The downside is that it adds an extra step to the login process. It may be confusing if you’re not used to it and it can be frustrating for many people, who see this additional step as inconvenient or an unnecessary addition.
Many online services offer 2FA as an opt-in feature, which means that many users do not activate it. Knowing the benefits it can provide, what steps can we take to make 2FA more accessible and easier to use?
Methods for generating one-time passwords
Time-based one-time passwords (TOTP)
2FA is often associated with TOTP: short-lived numeric codes that change every 30 seconds, so an expired code has to be replaced with a fresh one before you can log in.
When you enable TOTP on an account, a secret key is created which is used to generate the one-time passwords. You can use an authenticator app or a physical token. The onboarding process usually involves scanning a QR code—saving you from having to type out your secret key. Popular authenticator apps include Google Authenticator and Authy. Password managers like 1Password can also store your secret key and generate one-time passwords for you when needed.
To prevent locking yourself out, a series of backup codes are usually issued. The backup codes can be used in case you lose access to your authenticator app or physical token.
If you’re starting to switch off—I don’t blame you! It’s too much for some professionals to handle, let alone the average person. For the technically inclined, this all becomes second nature. You get used to logging in by entering a username and password, followed by a one-time password.
Implementing 2FA across an organisation can be a challenging and time-consuming process, involving documentation, training and even handholding for people who need it. Some may be uncomfortable using their personal smartphones for work purposes. Which authenticator app is best? What happens if you lose access to the phone? How do you transfer the secret keys to a new device? Where should the backup codes be stored?
Email/SMS codes
Another way to set up 2FA is by using email or SMS text message codes. They are easy to understand, implement and use.
After you enter your username and password, a code is sent to your email or mobile phone. You then enter this code, which is valid for a short period of time.
If your email account or phone number is compromised, an attacker might be able to get hold of your 2FA codes. But while the codes are not foolproof, they are still more secure than passwords alone.
Two-Factor WordPress plugin
The Two-Factor WordPress plugin adds 2FA to WordPress. It is built as a standalone feature plugin which may be merged into WordPress core in the future, but for now lives as its own plugin.
The plugin is open source, built and maintained by a team of volunteers including core contributors and members of the WordPress Security Team.
The plugin is available from the WordPress.org plugin repository. It supports several types of 2FA including TOTP and email codes.
Handy code snippet which enables email-based 2FA for all administrator users
With Two-Factor, 2FA is not enabled by default; it relies on users going through the initial setup process and the assumption that they will choose to keep 2FA enabled. When new users are created, 2FA must be made part of the onboarding process or the benefit of 2FA will be lost.
This snippet checks whether any methods have been enabled by the user, and—if not—enables email-based 2FA. This provides a good level of protection without requiring any action on the part of the user.
The code currently runs for administrators and editors, roles that have elevated permissions. However, it can be adjusted to include other user roles as well.
We’ve developed this further at Kanuka Digital, rolling the snippet out to our clients’ sites via an mu-plugin, with a few modifications for our workflow across environments: local, staging and production.
We run MailHog on our local and staging environments, a tool that captures outbound email so that nothing is sent by mistake. We’ve disabled email-based 2FA on those environments to make our developers’ lives easier: it saves time by eliminating the need to check MailHog for 2FA codes.
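As an added example (not the Kanuka Digital mu-plugin, nor code from the Two-Factor plugin itself), here is what such an mu-plugin can look like. It assumes the Two-Factor plugin is active and hooks its `two_factor_enabled_providers_for_user` filter; the `kd_example_` function names and the `KD_EXAMPLE_2FA_ROLES` constant are my own, and the environment check relies on WordPress 5.5+ `wp_get_environment_type()`.

```php
<?php
/**
 * Plugin Name: Example: email 2FA by default for elevated roles
 *
 * Added illustration, not the Kanuka Digital mu-plugin. Place in wp-content/mu-plugins/.
 * Requires the Two-Factor plugin; uses its two_factor_enabled_providers_for_user filter.
 */

// Roles that get the email provider switched on when they have configured nothing.
const KD_EXAMPLE_2FA_ROLES = array( 'administrator', 'editor' );

/**
 * Only enforce on production. Local and staging capture mail in MailHog,
 * so forcing email codes there would just slow developers down.
 * Assumes WordPress 5.5+ for wp_get_environment_type().
 */
function kd_example_should_enforce_2fa() {
	if ( ! function_exists( 'wp_get_environment_type' ) ) {
		return true; // Unknown environment: err on the side of enforcing.
	}
	return 'production' === wp_get_environment_type();
}

/**
 * True when the user holds one of the elevated roles.
 */
function kd_example_user_has_elevated_role( $user_id ) {
	$user = get_userdata( $user_id );
	return (bool) ( $user && array_intersect( KD_EXAMPLE_2FA_ROLES, (array) $user->roles ) );
}

/**
 * If an elevated user has not enabled any 2FA method, enable email codes.
 * Users who set up TOTP (or anything else) themselves are left untouched,
 * and with a single enabled provider the plugin uses it as the primary one.
 */
function kd_example_default_to_email_2fa( $providers, $user_id ) {
	if ( ! empty( $providers ) || ! kd_example_should_enforce_2fa() ) {
		return $providers;
	}
	if ( kd_example_user_has_elevated_role( $user_id ) ) {
		$providers[] = 'Two_Factor_Email'; // Class name of the plugin's email provider.
	}
	return $providers;
}
add_filter( 'two_factor_enabled_providers_for_user', 'kd_example_default_to_email_2fa', 10, 2 );
```

On non-production sites, set the `WP_ENVIRONMENT_TYPE` constant (or environment variable) to `local` or `staging` so the check skips them; on production, an administrator who has configured nothing will be prompted for an emailed code at the next login.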
Conclusion
Whether you’re a small business owner, large corporation, or simply someone concerned about online security, protecting your data has become increasingly important.
2FA is an important step in securing your online accounts, and it’s one that you should be taking if you haven’t already. Adding 2FA to all of your online accounts is a good way to stay safe online and keep hackers out.
For a WordPress developer, the Two-Factor plugin is an excellent way to add 2FA to a WordPress site. Enabling email-based 2FA by default for users with elevated permissions is relatively simple and avoids burdening end users with the complexity of managing TOTP secrets.
I hope this article has given you a better idea of how to set up 2FA for your WordPress site. If you have any questions, feel free to get in touch.
An iconic style, instantly familiar to web designers and developers who have been around since the days of dial-up. The famfamfam Silk icon set was a staple of web design in the mid 2000s. I can’t help but look back at them with fond memories (and maybe a little bit of nostalgia).
They were a familiar sight on websites and web applications across the web, alongside other trends of the time such as rounded corners, gradients and drop shadows. Sprinkle in a few Silk icons and you were on to a winner.
The Silk icon set was created by Mark James, a web developer based in Birmingham, UK. The icon set was updated numerous times, growing to a collection of 1000 icons.
At just 16-by-16 pixels, these icons were created with as few pixels as possible to conserve space and bandwidth. At the time, screens were smaller and had lower resolutions, and many people still connected via dial-up, so file sizes needed to be kept small in order for sites to load quickly.
Distributed under a permissive Creative Commons license, they became a go-to resource for many designers and developers looking for icons that were simple, memorable and attractive.
Today, we’re more accustomed to seeing flat, smooth vector lines. While Silk icons are no longer as ubiquitous as they once were, iconography remains a powerful tool for designers: a visual language able to tell stories and convey complex ideas.
WordPress themes define your website’s look and feel. One of the best things about using WordPress is that you can take advantage of a huge number of ready-made themes. In this article we’ll cover what to look for when choosing a theme and how you can modify an off-the-shelf theme using child themes.
WooCommerce is the most popular eCommerce platform for WordPress, and it offers a powerful set of features that can help you build an online store quickly and easily. It supports a wide range of payment gateways, shipping methods, taxes, currencies, and languages. Plus, there are thousands of plugins that add even more features to your store.