Denver Broncos outside linebacker Von Miller and his defensive line had one mission in Super Bowl 50: shut down Cam Newton and annihilate his once mighty Carolina Panthers offense. And they succeeded, delivering blow after crushing blow to defeat the Panthers 24 to 10 and claim the Vince Lombardi Trophy (with Miller earning Super Bowl MVP).
The moral of that story: a strong defense wins.
You might ask yourself, what’s that got to do with managed WordPress hosting? Quite frankly, a lot.
When your business lives on the web, security is imperative. Security is your defensive line against a powerhouse offense. Your site is the end zone, and you have to protect it. And you want the best defense.
At WP Engine, we take the security of your sites seriously. And today, we want to help you beef up your defense with a new addition: two-factor authentication for our User Portal.
What is two-factor authentication?
Most simply put, two-factor authentication is a security method that requires you to enter a second factor beyond a password in order to gain access to your account. Here at WP Engine, we are using the Google Authenticator app, which will display a code on your mobile device that you must enter along with your password to log in and gain access to the WP Engine User Portal. That code changes every 30 seconds.
Ok, so why do I need two-factor authentication?
Two-factor authentication helps prevent bad actors from gaining access to your sites and potentially hurting your business. It's a second line of defense that helps keep the bad guys out and ensures that, even if your password is compromised, your account will remain secure as long as that second factor stays out of an attacker's reach. Think of your password as Von Miller (who racked up 2.5 sacks and two forced fumbles in Super Bowl 50) and two-factor authentication as linebacker Danny Trevathan (who recovered two key fumbles).
Two-factor authentication is an opt-in feature, meaning you only have to use it if you want to. But it’s free, and it adds an extra layer of protection; so why not?
It's enabled at the user level, so once you turn it on you'll have to use it to access any and all accounts at WP Engine. And, unfortunately, customers who share a single User Portal account across various users can't use it.
Great, so how do I get started?
It’s easy. You’ll see the option to enable two-factor authentication in the account settings in the User Portal. From there, you’ll have to download the Google Authenticator app and use either the QR code shown in the User Portal or manually enter a code we provide to sync your phone with your system. NOTE: Please be sure to copy the recovery codes so you are able to unlock your account should you lose your phone. If you lose your phone and the recovery code, contact WP Engine support and we’ll walk you through what to do.
Once you’ve enabled two-factor authentication, you’ll also need to enter a six-digit number sourced from the app on your phone after you’ve entered your username and password. You will have the option to remember the second-factor login for 30 days on that device.
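How the six-digit, 30-second code is derived and checked, as an added example that is not WP Engine's code: it assumes the standard TOTP algorithm (RFC 6238, HMAC-SHA1) that Google Authenticator implements and the otpauth:// URI that an enrollment QR code normally encodes. The sample URI, its label and issuer, and the drift and replay handling in verify() are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

STEP = 30    # seconds each code lives, per the post
DIGITS = 6   # six-digit code, per the post
# Constructed sample: label and issuer are made up; the secret is the RFC 6238 test key.
SAMPLE_URI = ("otpauth://totp/Example:alice?"
              "secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def secret_from_uri(uri):
    """Pull the shared secret out of the URI a QR code carries (or the manual key)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    b32 = parse_qs(parsed.query)["secret"][0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # authenticator keys usually omit base32 padding
    return base64.b32decode(b32)

def totp(secret, at):
    """RFC 6238 code for Unix time `at`: HMAC the step counter, then truncate."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret, submitted, at, last_used_step=-1, drift=1):
    """Return the matching step number, or None.

    Accepts +/- `drift` steps of clock skew and refuses any step at or before
    `last_used_step`, so a code seen once cannot be replayed.
    """
    current = int(at) // STEP
    for step_no in range(current - drift, current + drift + 1):
        if step_no <= last_used_step:
            continue
        expected = totp(secret, step_no * STEP)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return step_no
    return None

if __name__ == "__main__":
    key = secret_from_uri(SAMPLE_URI)
    print(totp(key, 59), verify(key, totp(key, 59), 59))
```

The server should store the step number verify() returns and pass it back as last_used_step on the next login, which is what stops an observed code from being reused inside its validity window.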
But what about WP-admin?
Right now, we’re offering two-factor authentication for our User Portal. However, there are some plugins available that integrate it into WP-admin. We recommend WP Google Authenticator and Clef Two-Factor Authentication.
It’s long been said that the best offense is a good defense. And that’s been proven time and time again. Bulk up your defense with two-factor authentication and protect your account, your sites, and your business.
Be sure to check out our Support Garage articles on how to enable two-factor authentication and how to use two-factor authentication recovery codes.
Eric Murphy is Director of Security for WP Engine.
Dave says
Good to see WP Engine offering 2FA. I’ve been using Duo for 2FA with my WP sites and it works well. Is there any particular reason you recommend Clef?
Steve Wilkinson says
Will this work with Authy?
Erwin says
Wooot wooot….! and two-factor Authentication activated. Thanks guys 😉
Ken says
Nice! I look forward to Yubikey support somewhere down the line!
Brandi says
The “Google Authenticator” isn’t available on Windows Phone but WP users can get the “Authenticator” app (made by Microsoft) to accomplish the same thing. See this article for more details: http://www.digitalcitizen.life/are-you-looking-google-authenticator-app-windows-phone
Mario says
Hello,
it will be really good to show an Icon of the 2FA Activate next to the users management page, so I can see who in my team has or hasn’t activated 2FA.
https://my.wpengine.com/accounts/%organization%/users
Also as the “Owner” of the organization I should be able to “Enforce” 2FA to all the users.
Rick says
Great to see this. You need to get your Logo added to Authy so it’s not the generic one!
Jay Patel says
It would be better if you look into how financial institutions and some data providers implement their version of two-factor authentication. Instead of “option to remember the second-factor login for 30 days on that device” they approve the device based on two factor authentication. Once the device is approved it remains locked and each new device needs an approval before it can be used.
Mirian Shade says
Two-factor authentication is a nice way of protecting resources from data thieves. It added an extra layer of protection. As you mentioned about WP Google authenticator. I implemented the solution and it works great for me. Thank you for the suggestion, Eric!