I’m looking for a bit of guidance on setting up a two-step authentication system in WordPress. I’ve looked at a few of the main plugins and they seem to fall into two camps:
- Add an extra field to the login form
- Add another authentication cookie in addition to the standard WP cookie
I don’t really like the UI of an extra login field, and I don’t feel knowledgeable enough to set up a cookie-based authentication system that is secure enough to be worth it. Is there a third option I’m missing?
Note: I did see this similar post, but that consisted mainly of plugin recommendations, and I would like to write something myself if possible.
Update: Since my site will only have a handful of privileged users, I decided to add a query string argument that, when present, will cause the extra login field to be shown. This way, normal users don’t ever see the extra field, and I don’t have to worry about managing an extra authentication cookie.
Trust me, don’t DIY this. Cryptography is not for the faint of heart.
Use the Google Authenticator plugin. It’s awesome.
I’ve been thinking about a simple solution and here you have the few ideas that came to me:
Password protect wp-login.php. Two passwords, two steps.
Want to complicate things a bit? Use a random password to protect wp-login.php and create another page where you go to set a temporary password. You could also send the temporary password by email to the server.
Or if you want the server to set the password and send it to you, you can try this: Create a file wp-login2.php that emails you the wp-login.php password. Make the script change the password to a random one after 5-10-15 minutes.
This is a really simple way and you don’t have to mess with the WP code or hooks. If you want to get into hooks, you can definitely make more complex authentication methods.
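A sketch of the mailed, self-expiring wp-login.php gate this answer describes, as an added example rather than the answer's own code: it assumes Apache 2.4 with HTTP Basic Auth on wp-login.php, an htpasswd file writable by PHP and kept outside the web root, and a cron job running the same script; the path, user name, e-mail address and TTL are placeholders.

```php
<?php
// Hypothetical wp-login2.php (added example). Assumed Apache .htaccess gating wp-login.php:
//   <Files "wp-login.php">
//     AuthType Basic
//     AuthName "Login gate"
//     AuthUserFile /var/www/private/.htpasswd-login
//     Require valid-user
//   </Files>
// A web request mails a fresh gate password to the admin; a cron run replaces any password
// older than TTL with a random one nobody is told, so a mailed password only works briefly.
const HTPASSWD_FILE = '/var/www/private/.htpasswd-login'; // assumed path, outside the web root
const GATE_USER     = 'login-gate';                       // assumed Basic Auth user name
const ADMIN_EMAIL   = 'admin@example.com';                // placeholder address
const TTL_SECONDS   = 600;                                // 10 minutes, within the 5-15 suggested above

function generate_password(int $bytes = 16): string
{
    // CSPRNG-backed and URL-safe, so it can be typed or pasted without escaping
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

function write_htpasswd(string $file, string $user, string $password): void
{
    // bcrypt ($2y$) entries are accepted by Apache httpd 2.4 mod_authn_file
    $entry = $user . ':' . password_hash($password, PASSWORD_BCRYPT) . "\n";
    $tmp   = $file . '.tmp';
    if (file_put_contents($tmp, $entry, LOCK_EX) === false) {
        throw new RuntimeException('cannot write htpasswd file');
    }
    chmod($tmp, 0640);
    rename($tmp, $file); // atomic swap, so Apache never reads a half-written file
}

function rotate_if_expired(string $file, string $user, int $ttl): bool
{
    $age = file_exists($file) ? time() - filemtime($file) : PHP_INT_MAX;
    if ($age <= $ttl) {
        return false;
    }
    write_htpasswd($file, $user, generate_password()); // old password is burned; new one is not mailed
    return true;
}

if (PHP_SAPI === 'cli') {           // e.g. "* * * * * php /path/wp-login2.php" in crontab
    rotate_if_expired(HTPASSWD_FILE, GATE_USER, TTL_SECONDS);
} else {                            // browser request for a new gate password
    $password = generate_password();
    write_htpasswd(HTPASSWD_FILE, GATE_USER, $password);
    mail(ADMIN_EMAIL, 'wp-login gate password', 'Valid for ' . (TTL_SECONDS / 60) . " minutes: $password");
    echo 'Sent.'; // never reveal the password to the requester
}
```

Anyone who can reach wp-login2.php can trigger a new mail and thereby invalidate the current gate password, so rate-limit that URL or restrict it by IP as well.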