This WordPress Two Factor Authentication Core Files post covers security and two-factor implementation for your website.
Last Updated: May 16, 2017
WordPress is going in the right direction. The project has decided to implement better security into the core file system. This will help fight brute-force login attempts and stolen passwords. This new security feature will be implemented in February of 2016 during the 4.5 release cycle. (This release date has since changed.)
You might also be interested in reading the following tutorial: Google Authenticator Security WordPress.
What does this mean for many of you running WordPress? You won't have to install a Two Factor plugin any more if you had one installed, unless you prefer and like the plugin you are using. It also means that it will be extremely challenging for attackers to brute-force their way into your website.
The images below were taken using WordPress 4.3.1 and 4.4 Alpha. This plugin has also been tested with WordPress 4.7.4 and it works.
Note: This plugin is in Dev Mode Status, so please don't install it on a live site unless you know what you are doing. Check the following changelog URL: two-factor/commits/master.
Plugin To Install:
WordPress Two Factor Authentication Core Files Steps
Step 1 ) The following image shows you the standard WordPress profile before you activate the plugin.
Step 2 ) Once you activate the plugin you will see the following settings:
- Email – Authentication codes will be sent to your email address.
- Time Based One-Time Password (Google Authenticator) – View Options ?
- FIDO Universal 2nd Factor (U2F) – Requires an HTTPS connection. Configure your security keys in the “Security Keys” section below.
- Backup Verification Codes (Single Use) – 0 unused codes remaining. (Click the Generate Verification Codes button.)
- Dummy Method
Step 3 ) The following image, Application Passwords, lets you create new application password names. This is a great feature to add. It lets you keep track of your devices and allow only certain smartphones, tablets or other mobile devices to access your website.
In the example below I added the name kogan for my smartphone device. This generated the password uBaC jGlg UqZ4 dCZ4.
You can keep track of all your devices through the following fields:
- Last Used
- Last IP
Step 4 ) The following image, Security Keys, lets you add security keys if you selected this option in Step 2 ) above.
Note: U2F requires an HTTPS connection. You won't be able to add new security keys over HTTP.
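The Time Based One-Time Password option in Step 2 is standard RFC 6238 TOTP, the same scheme Google Authenticator implements. The following Python verifier is an added illustration written for this post, not the plugin's own code; it uses the RFC 6238 test secret, and the one-step drift window and the replay guard (refusing any time step already accepted) are assumptions about how a careful verifier behaves, not something the plugin's settings page documents.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret ("12345678901234567890" in base32), used here only so
# the output can be checked against the published test vectors.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # Google Authenticator default time step
DIGITS = 6          # code length shown in the authenticator app


def totp(secret_b32: str, counter: int) -> str:
    """RFC 6238 code for one time-step counter: HMAC-SHA1 over the big-endian
    counter, dynamic truncation (RFC 4226), then the low DIGITS decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def verify_totp(secret_b32: str, submitted: str, now: float,
                last_used_step: int, window: int = 1):
    """Return (accepted, new_last_used_step).

    Tolerates +/- `window` time steps of clock drift between phone and server,
    compares codes in constant time, and refuses any step at or before the last
    accepted one so a code seen once cannot be replayed while still 'valid'.
    (Assumed hardening for this example; check your own verifier for both.)"""
    current = int(now) // STEP_SECONDS
    for step in range(max(0, current - window), current + window + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(totp(secret_b32, step), submitted):
            return True, step
    return False, last_used_step


if __name__ == "__main__":
    # Prints the code an authenticator enrolled with SECRET_B32 shows right now.
    print(totp(SECRET_B32, int(time.time()) // STEP_SECONDS))
```

The replay guard means the server must persist `last_used_step` per user alongside the secret; without it, a code captured over the shoulder or via phishing stays usable for the rest of its 30-second window plus the drift allowance.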
You can see how much security this new feature will add to WordPress once it is implemented. I know all of you will be very happy once it is out.
I will be updating this tutorial from time to time so keep coming back for the latest updates.
If you have any questions, send me an e-mail or leave a comment.