I just wanted to write a quick follow-up to the blog I wrote last week about a few plugins I was using for WordPress security in light of the global WordPress brute force attacks taking place. The good news is the Wordfence plugin does a great job blocking people trying to log in to my site. The bad news is either the Stealth Login Page plugin doesn’t work or somehow people are easily guessing my question and answer phrase to get to my login page, which seems hard to believe. I’m thinking there must be some other way to bypass it.
Because of this, I first removed the Stealth Login Page plugin and installed AskApache Password Protect. This requires you to create a separate user account and uses .htaccess to secure wp-admin and wp-login.php. When you attempt to log in to the WordPress admin page, your web browser prompts you for one login. Then, if you enter that properly, you are prompted for the normal WordPress login. There are other security features in the AskApache plugin, but I quickly broke my site trying them out, so I won’t touch on them.
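For readers who want to see what the plugin is doing under the hood, here is an added example of the Apache configuration it automates; this is my own illustration, not the AskApache plugin's generated files. It assumes Apache 2.4 (the older 2.2 form is noted in comments), a password file at the assumed path /etc/apache2/wp-htpasswd kept outside the web root, and that you create that file with `htpasswd -c /etc/apache2/wp-htpasswd youruser` before enabling the rules. The admin-ajax.php exception matters in practice: many themes and plugins call it from the public front end, and locking it behind basic auth breaks them.

```apache
# --- .htaccess in the WordPress root (constructed example) ---
# Put a browser (HTTP Basic) login in front of the login script itself.
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /etc/apache2/wp-htpasswd   # assumed path, outside the document root
    Require valid-user
</Files>

# --- .htaccess inside wp-admin/ (constructed example) ---
# Require the same browser login for the whole admin directory...
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/wp-htpasswd
Require valid-user

# ...but leave admin-ajax.php reachable, because themes and plugins call it
# from the public site; without this exception front-end AJAX features break.
<Files admin-ajax.php>
    Require all granted
    # Apache 2.2 equivalent of the line above:
    #   Order allow,deny
    #   Allow from all
    #   Satisfy any
</Files>
```

Two checks worth doing after enabling this: confirm that fetching /wp-admin/admin-ajax.php from a logged-out browser returns a WordPress response rather than a 401, and confirm that the password file is not downloadable from the site (it should not live under the document root at all). Because this is a second, independent credential that Apache checks before WordPress ever runs, automated login attempts never reach wp-login.php, which is why it complements rather than replaces rate-limiting plugins like Wordfence.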
This seemed to be a good option until I saw a post from Matt Hartley on Google+ mentioning a two-factor authentication option for WordPress. That plugin is put out by Duo Security, and it sends you an SMS text after you log in for the second phase of authentication to your WordPress blog. You can configure it to remember your computer for a specific period of time, so you won’t have to do this every time you log in.
The plugin was fairly simple to set up, and so far it seems to work great. The service is free for up to 10 users. If you want to set it up, you can find instructions here.