How to Keep WordPress Locked Down with Duo Security

Mike Stenger

Aug. 08, 2013
2 min read

WordPress blogs are one of many targets for hackers, and with so many people making simple mistakes, it becomes clear why. There are many ways of protecting your blog, and we’ve outlined five mistakes you might be making. While using a stronger password or keeping your plugins and theme updated tend to be common advice, you can take additional measures. In fact, you can ensure that absolutely no one, even if they were to get your password, will ever be able to access your blog.

Two-factor authentication is a wonderful thing, and was first used in the workplace to protect sensitive data. Nowadays, companies like Google or Microsoft offer the functionality, and all that’s required is a mobile phone. How it works is when you go to login someplace, and have two-factor authentication enabled, you are required to enter a special pin. For example, Google has its “Authenticator” app which you fire up to see the special pin, or you can opt to receive a text message or phone call instead. A special pin isn’t always required, and Twitter recently implemented its own solution which involves approving a trusted device.

Thanks to the help of Duo Security, you can bring this same functionality to your WordPress blog. With Duo, you can approve or deny logins with the tap of a button, or use a special pin delivered through the app or via SMS. Once you’ve installed and activated the plugin, click on its “Settings” from the plugin page. Before you can start benefiting from Duo Security, you have to setup an account on the appropriate website which is listed on the settings page.

While Duo does offer a free trial on its paid plans, it has a free “Personal” plan which supports up to 10 users, plenty for the average WordPress user. Once you’ve signed up, make sure you activate your account via email. From there, you’ll create a password, and add your phone number. Duo Security verifies your identity via phone either by calling or sending you a text message with a special pin. Now that your identity is verified, it’s time to setup your blog.

After verifying your identity, you should have been redirected to a page that says “New Integration.” Where it says “Integration type,” click on the box and scroll down to the bottom to select “WordPress.” Next to “Integration name,” add whatever name you’d like, and then hit “Create Integration.”

This is where you receive the integration key, secret key and API hostname that needs entered on the plugin’s settings page via your blog. Simply copy and paste over the appropriate details, and then click “Save Changes.” Once you’ve saved changes, switch back over to the Duo Security website, and under “Integrations” on the left hand side, select “Users”.

On the top right, click the green button that says “New user,” and once you’ve created a username, click “Add user.” Scroll down to where it says “Add phone,” and add your phone number. Next to “Type” select “Mobile,” and next to “Platform” select your appropriate mobile operating system. Once you’re finished, click “Save Changes” and under your phone number in large text, you should now see a link that says “Activate Duo Mobile.”

Click the activation link, select the button that says “Generate Duo Mobile Activation Code,” and then “Send Instructions by SMS.” The installation instructions will help you to download and install the appropriate app while the activation instructions are what you use to successfully add your account to the app. Duo Security works on all major mobile operating systems such as Android, iOS, BlackBerry and Windows Phone.

Once your account has been added to the app by clicking the link in the activation SMS, your blog is ready to benefit from two-factor authentication! To test it, log out of WordPress, and sign in as you normally would. Now, you’re met with the Duo Security prompt.

I recommend logging in by way of “Duo Push.” With Duo Push selected, click the blue login button. Your phone will then get an alert about a login request, and all you have to do to accept is click the Duo Push button within the mobile app, and then click the green “Approve” button. In a matter of seconds, you’ll automatically be logged into your blog.