Two-factor authentication (2FA) :

If you aren’t security conscious, then you should probably see how one of Wired.com author’s digital life was destroyed. After reading that story, we have jumped on board with the 2-step authentication for our Google accounts and most other services that offers this feature.

Normally passwords can be cracked. If you are using the same password on numerous websites, a security leak on one puts your other accounts in danger. Often people are lazy, and they don’t change their passwords even after they get an email about security compromise on a major site.

Well, the 2-step verification is the solution just for that. Even if the hacker knows your WordPress username and password, they will not be able to access your site unless they have a time restrained random security code (provided by a token generator app like Authy or Google Authenticator).

Because your blog is directly connected with your mobile device, you will be the only person with access to retrieve the unique code for each login. The code expires in a short amount of time for security purposes.

Where it's used

Several providers that Skunkworks uses offer 2FA to secure your accounts. Some providers, make it required, others make it optional. These include:

DigitalOcean (Required/Default)
Cloudflare (Optional/Recommended)
GSuite (Optional/Recommended)
Wordpress (Optional/Recommended add-on) - Skunkworks currently enables this for our client websites by request only. Although we highly recommend it.

How to use 2FA with Wordpress

Like a handshake, it takes two sides to work. One side is you and your device(s), the other is your website. You will need an app on each end for 2FA to work.

1. Your App

You will need an App to handle your 2FA tokens. Several exist and most are free. Skunkworks recommends the app "Authy" over Google's "Google Authenticator" mobile app. This is because it's better protected against the loss or damage of a phone and because it can also work in sync with a desktop companion app which is very convenient.

For Android devices, the Authy, Google Authenticator, FreeOTP Authenticator, or Toopher apps are the most popular token generators.

For iOS devices, the Authy, Google Authenticator, FreeOTP Authenticator, or Toopher apps are the most popular token generators.

For Windows and Mac users, Authy for Desktop is available and works hand-in-hand as a companion to Authy on your Mobile device. There may be other Desktop Apps available but Skunkworks hasn't used them or tested them.

2. The Wordpress plugin

2FA is available as a paid upgrade option to the iTheme Security plugin but it's also available for free within the free version of the Wordfence security plugin which we recommend and have used before.

We've written this guide for enabling 2FA in Wordpress with Authy (which is the preferred setup).
We've also have this older guide for enabling 2FA in Wordpress with Google Authenticator which you can have a look at. But again, we strongly recommended Authy over Google Authenticator to protect you from lockouts in the event of a lost, damaged, or stolen phone.