Choosing a plugin for two-factor authentication in WordPress


Two-factor authentication significantly raises the level of site security, provided the other conditions are also met (timely updates of the core, the theme and the plugins, safe programming practices, and so on).

Faced with the task of connecting Google Authenticator to a WordPress site, I did a small survey of the existing plugins, and today I want to share the results of that work with you.

First, the starting conditions:

  • a site on WordPress version 5.3.2 (the latest at the time);
  • the core is deployed in Multisite mode behind nginx;
  • I don’t want to pay money (as always).

Although there are plenty of plugins suitable for the task, only four were tested: those that passed the compatibility check with the installed WordPress version:


Inspection and Testing Results


Google Authenticator from miniOrange



Plugin page: wordpress.org/plugins/miniorange-2-factor-authentication

Announced features of the free version of the plugin for Google Authenticator from miniOrange:

  • two-factor authentication for one user;
  • support for Google Authenticator, Authy, LastPass Authenticator, QR codes, push notifications, soft tokens and security questions;
  • prevention of brute-force attacks and blocking of IP addresses;
  • monitoring of login events;
  • multilingual interface.

Key features of paid versions of the plugin for Google Authenticator miniOrange:

  • two-factor authentication for multiple users (priced by the number of users);
  • support for additional OTP channels, for example OTP over email, OTP over SMS (SMS services are purchased separately), email confirmation;
  • customization of login methods for different accounts;
  • using security questions to recover access;
  • multisite support;
  • redirecting users after login based on the user's role;
  • trusted device management.

After installing and activating the plugin, the site administrator is offered an enormous number of settings and functions. Here you can find everything from a WAF to scheduled automatic database backups. Honestly, all-in-one plugins of this kind always scare me, and practice shows that with such an abundance of functions the depth of their implementation often leaves much to be desired.

Test results:

  • settings are set immediately for the entire network in multisite mode - only in paid versions;
  • the possibility of using two-factor authentication can be provided to one or several roles - only in paid versions;
  • [results for the remaining criteria did not survive extraction: forced enabling, graceful period, trusted devices, IP address whitelist, XMLRPC, ReCaptcha, ReCaptcha test mode, Google Authenticator recovery codes].

Two Factor Authentication



Plugin page: wordpress.org/plugins/two-factor-authentication

Announced features of the free version of the Two Factor Authentication plugin:

  • applying two-factor authentication to a specific role of the site (can be enabled for administrators, but not enabled for subscribers);
  • the ability to disable the user;
  • multisite support.

Key features of the paid version of the Two Factor Authentication plugin:

  • the ability to force two-factor authentication to be enabled some time after an account is created (for example, for all administrator accounts older than a week);
  • site owners can specify trusted devices for which the additional authentication step is requested once every few days rather than on every login;
  • support for third-party login forms.

Test results:

  • [results for multisite mode, forced enabling, graceful period, IP address whitelist and XMLRPC did not survive extraction];
  • trusting the device for 30 days - only in the Premium version;
  • in the settings window, you can enable Captcha and configure the threshold for its operation - not available;
  • Captcha can be run in test mode (without blocking users) - not available;
  • when connecting Google Authenticator, you are offered to download recovery codes - only in the Premium version.

Two-factor



Plugin page: wordpress.org/plugins/two-factor

The Two-Factor plugin from the Plugin Contributors team is an open-source plugin and offers the following options:

  • sending two-factor authentication codes by email;
  • backup codes;
  • a dummy method for testing purposes.

Test results:

  • I did not find the settings for the network or the site, all the settings found were located only in the user profile - this is bad;
  • [the remaining results, including one concerning the email method, did not survive extraction].

Wordfence Login Security



Plugin page: wordpress.org/plugins/wordfence-login-security

Wordfence Login Security is a standalone part of the comprehensive Wordfence Security plugin.

Wordfence Login Security provides the following features for free:

  • two-factor authentication using Google Authenticator, Authy, 1Password, FreeOTP;
  • enabling OTP for any site role;
  • no restrictions of any kind;
  • Google reCAPTCHA v3 for the login and registration pages;
  • protection against bots;
  • protection against password cracking and credential interception by blocking entire large IP pools;
  • XMLRPC protection with two-factor authentication, or disabling this functionality altogether.

Given that this plugin is a cut-down version of a complex commercial product, it may well satisfy far from the simplest needs.

Test results:

  • settings are set immediately for the entire network in multisite mode - this is very good;
  • the possibility of using two-factor authentication can be provided to one or several roles - this is very good;
  • for the Administrators group, you can force two-factor authentication to be enabled - this is good (if you were allowed to do this for each group of users, it would be very good);
  • when you force it, you can set the graceful period and send notifications - this is very good;
  • forced enabling for a specific user - not available (at least in the free version);
  • there is an option to enable trust in the device for 30 days - this is good;
  • you can specify a white list of IP addresses for which two-factor authentication will not be used - this is very good (it will make it easier for us to conduct automated security testing);
  • two-factor authentication for XMLRPC is included separately - this is good;
  • in the settings window, you can enable ReCaptcha and configure its threshold - this is good;
  • ReCaptcha can be run in test mode (without blocking users) - this is good;
  • when connecting Google Authenticator it is proposed to download recovery codes - this is good.

In multisite mode, the plugin worked correctly with all connected sites and with all users (registered on all sites / on one of the network sites).

Conclusions


For a personal blog or a small single site with one or a few users, the Two-Factor plugin from Plugin Contributors may well be enough. It is a minimalistic solution that gives you the core functionality without advertising and without nagging requests to pay for one perk or another.

For multisite mode, where you want to enforce two-factor authentication and not pay for it, the best choice in my opinion is the Wordfence Login Security plugin.

For the same multisite mode, if you want to enforce two-factor authentication and are prepared to pay for the required functionality, the Two Factor Authentication plugin may well be suitable.

Google Authenticator from miniOrange gets no recommendation from me, because it was precisely the two-factor authentication functionality and its management that fell short in the free version, and I am always very wary of all-in-one plugins of this kind.
