We recently carried out a WordPress security survey to look at the state of WordPress security in 2022. We had a great response, which has allowed us to get a good view into how WordPress administrators and website owners view and act on WordPress security. While none of the results were too surprising, they do offer a lot of room for reflection and assessment. One major point we want to explore further is the 2FA adoption rate and how the community at large feels about it.
2FA – What’s the beef?
2FA has been gaining prominence, with many big businesses (think Google and Microsoft), institutions (think the Cybersecurity & Infrastructure Security Agency), and regulations and standards (think GDPR and PCI DSS) mandating or recommending its use. Yet, 2FA does not enjoy the adoption rates that one would expect. So what’s the issue?
There is no denying that WordPress security is important. 96% of survey respondents view it as very important, while only 4% consider it as somewhat important. Yet, only 64% of respondents use 2FA on their WordPress website.
This tells us that 36% of survey respondents either do not think that WordPress 2FA adds value or do not know enough about it to add it to their WordPress login processes.
An issue of security
Out of all the respondents who do not have 2FA installed, 37% do not use a firewall either. While this demographic represents only 14% of the total cohort, it is still considerable. Furthermore, 1.25% of respondents indicated that they do not know what 2FA is. If you are new to 2FA, read our 2FA beginners’ guide for an easy-to-follow explanation.
What is holding people back from implementing 2FA?
We received a few different responses as to why administrators are not implementing 2FA on their WordPress websites. These can be split into three distinct groups based on the primary reason:
It should come as no surprise that some people do not like 2FA. This can also be seen in forums where some people have even threatened to close all of their Google accounts over Google’s mandatory 2FA policy.
There are different reasons why some people do not like 2FA and are taking a stand against it. Many see it as cumbersome and think it negatively impacts the user experience. Others think that losing your phone means you’re locked out of your accounts forever, which is simply not true.
Some of the administrators who choose not to implement 2FA are worried about their users and how it might affect their experience using the website. While this has some merit, it is important to remember that security always causes some inconvenience. From wearing a seatbelt while traveling in a car to locking and unlocking the door every time you leave the house, securing ourselves and our property always adds an extra step.
This cohort tends to feel neutral about 2FA. They generally think it has some merit, but the potential downside is too much of an issue.
The laggers are those who are not technologically savvy enough to appreciate the risks associated with not securing their WordPress website. This cohort might defer the implementation of 2FA to a later date – perhaps consoled by the thought that their website will not be a target.
Why you should implement 2FA
There are a lot of misconceptions surrounding 2FA – as evidenced by the survey responses. In this next section, we will be separating the chaff from the wheat to get a better picture of what 2FA is and why you should implement it.
2FA ruins the user experience
There is no denying that 2FA adds an extra step to the login process. After a user enters their username and password, they need to enter a one-time passcode (OTP), which they typically receive on their phone or by email.
Even so, we are used to taking extra steps that ensure our security and accept them as part of our user experience. This is why hotel rooms still have doors (as cumbersome as they are), bank cards require a PIN, and seatbelts are mandatory in most places. Opening and closing doors and wearing seatbelts are a small price to pay for the extra security we get – and it is something that we are used to.
WP 2FA also makes the user experience smoother thanks to features such as Remember my device. Using this feature, administrators can set rules for how often users must complete 2FA, based on elements such as cookies and IP addresses.
Users will not be able to log in if they lose their phone
2FA requires a secondary authentication method through an OTP. As explained in the previous section, this OTP is typically received on the user’s phone or by email. While there is some merit to the lost-phone scenario, 2FA has advanced considerably since its inception, making this a problem of the past.
WP 2FA includes backup codes – which work like an emergency key should the primary method (such as the user’s phone) fail. These codes work independently of any phone or email address, making them the ultimate fail-safe mechanism. Furthermore, WP 2FA also offers a secondary 2FA authentication method. This feature allows you to give users the option to receive the code via a different channel. As such, not only will they still be able to log in, but they can do so without requesting help from support.
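To make the mechanics behind this section and the previous one concrete, here is an added worked example, written for this page and not code from the WP 2FA plugin or WordPress, of the second login step: a time-based OTP check, one-time backup codes that work without any phone or email, and a “remember this device” token bound to an IP address and an expiry. Python is used so it runs stand-alone; the class and function names, the 30-day trust period and the IP-binding rule are assumptions for illustration, and the 2FA secret used in the usage lines is the RFC 6238 test key.

```python
"""Second-factor login step: TOTP check, one-time backup codes, and a
remembered-device token. Added example, not the WP 2FA plugin's own code."""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, List, Optional, Set, Tuple

STEP = 30                     # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
TRUST_TTL = 30 * 24 * 3600    # assumed: a remembered device skips the OTP for 30 days


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains timestamp `at`."""
    counter = int(at) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def _hash(value: str) -> str:
    # Backup codes and device tokens are high-entropy random strings, so storing
    # a SHA-256 of them keeps the stored form useless if the database leaks.
    return hashlib.sha256(value.encode()).hexdigest()


class UserSecondFactor:
    """Per-user 2FA state a site would persist server-side (hypothetical model)."""

    def __init__(self, totp_secret: bytes):
        self.totp_secret = totp_secret
        self.backup_hashes: Set[str] = set()
        self.trusted_devices: Dict[str, Tuple[str, int]] = {}  # token hash -> (ip, expiry)

    # Primary method: code from an authenticator app.
    def verify_totp(self, code: str, now: int, skew_steps: int = 1) -> bool:
        """Accept the current step and +/- `skew_steps` steps to tolerate clock drift."""
        ok = False
        for delta in range(-skew_steps, skew_steps + 1):
            expected = totp(self.totp_secret, now + delta * STEP)
            ok |= hmac.compare_digest(expected, code)   # constant-time comparison
        return ok

    # Fail-safe: backup codes that need neither phone nor email.
    def issue_backup_codes(self, count: int = 5) -> List[str]:
        """Return fresh plaintext codes for the user; only their hashes are kept."""
        codes = [secrets.token_hex(5) for _ in range(count)]   # 40 random bits each
        self.backup_hashes = {_hash(c) for c in codes}
        return codes

    def redeem_backup_code(self, code: str) -> bool:
        """Each code works exactly once: it is removed as soon as it is used."""
        h = _hash(code)
        for stored in list(self.backup_hashes):
            if hmac.compare_digest(stored, h):
                self.backup_hashes.discard(stored)
                return True
        return False

    # Convenience: remember this device (cookie value bound to the client IP).
    def remember_device(self, ip: str, now: int, ttl: int = TRUST_TTL) -> str:
        """Issue a cookie value that lets this IP skip the OTP until `ttl` elapses."""
        token = secrets.token_urlsafe(32)
        self.trusted_devices[_hash(token)] = (ip, now + ttl)
        return token

    def device_trusted(self, token: str, ip: str, now: int) -> bool:
        entry = self.trusted_devices.get(_hash(token))
        if entry is None:
            return False
        bound_ip, expiry = entry
        if now >= expiry:
            self.trusted_devices.pop(_hash(token), None)  # expired: forget it
            return False
        return hmac.compare_digest(bound_ip, ip)           # different IP: ask for OTP


def complete_login(user: UserSecondFactor, password_ok: bool, ip: str, now: int,
                   otp: Optional[str] = None, backup_code: Optional[str] = None,
                   device_token: Optional[str] = None) -> str:
    """Second step of the login, run after the password check; returns the outcome."""
    if not password_ok:
        return "rejected: password"
    if device_token and user.device_trusted(device_token, ip, now):
        return "ok: trusted device"
    if otp and user.verify_totp(otp, now):
        return "ok: totp"
    if backup_code and user.redeem_backup_code(backup_code):
        return "ok: backup code"
    return "second factor required"


if __name__ == "__main__":
    # Constructed usage with the RFC 6238 test secret and the documented T=59 vector.
    user = UserSecondFactor(b"12345678901234567890")
    print(complete_login(user, True, "203.0.113.5", 59, otp=totp(user.totp_secret, 59)))
    codes = user.issue_backup_codes()
    print(complete_login(user, True, "203.0.113.5", 59, backup_code=codes[0]))
    token = user.remember_device("203.0.113.5", now=59)
    print(complete_login(user, True, "203.0.113.5", 60, device_token=token))
```

Only hashes of backup codes and device tokens are stored, each backup code disappears when redeemed, and a remembered device that connects from a different IP or after its expiry falls back to the OTP prompt, which is the kind of rule an administrator configures for the Remember my device feature.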
Nobody is going to hack my website
Most of us do not have a target painted on our backs. Yet, hackers often breach systems at random – especially those that present an easy target. This is done for various reasons, from target practice to installing malicious software, or for no reason other than that they can – like taking candy from a baby.
This is why it’s important to remain vigilant. Equally, you must take the necessary WordPress security and hardening precautions and make your website a difficult target. You might not be targeted yourself, but hackers are very good at finding creative ways to put hacked websites to nefarious use – even if the websites have little value to them.
WordPress 2FA – a second lock that saves accounts
Whenever there is a big hack, such as the one that happened at Colonial Pipeline, investigators always arrive at the same conclusion – 2FA could have prevented the breach. While 2FA is not entirely foolproof, it is proving itself to be worth its weight in gold. Yes, some adjustments might need to be made. However, thanks to WP 2FA, these are as intrusive as opening and closing a door.
Take the first step towards WordPress security by trying out our WP 2FA plugin. This WordPress 2FA plugin comes with a 14-day trial, allowing you to test it out and see the benefits for yourself without risk.