
Adding YubiKey 2FA to WordPress

A certain amount of paranoia is good for you! Even if you are using secure and unique passwords, someone could still get into your systems if they got hold of one of them. That is why it is a good idea to protect your logins with a second factor, hence two-factor authentication (2FA). The first factor is something you know (a password) and the second factor is something you have (a token). In my case I am using a YubiKey (or a few, actually) that generates a one-time password (OTP). It is a small flat thing that can easily be carried around with your keys. To use it you plug it into a USB port and press the “button” on it. Done.

I do not have any affiliation with Yubico, but I have been a customer for many years. I currently have three different models of their keys. I use two of them as backups, so that I can still log in if I lose one or it stops working. I started using YubiKeys since they are easy to use and pretty cheap to buy.

A YubiKey in a computer ready to be pressed. Image from YubiCo.com

Since this blog is publicly available and can be viewed as part of my public face, I wanted to make sure it is protected using two-factor authentication. This is how I did it. It takes approximately 5 minutes to set up, so it is very easy.

  1. First of all you need to have a YubiKey (or two… or three). Head over to Yubico and buy one. Then come back here when they have arrived.
  2. Next you need an API ID and Secret. Go here, enter your email, press your key, and you will get one.
  3. Install the yubikey-plugin WordPress plugin by Adam Lyons.
  4. Go to your WordPress user profile, click in the Key ID 1 field, then press your YubiKey. The first 12 characters of the OTP (the key's public ID) will be stored.
  5. Repeat step 4 for your other keys if you have more than one.
  6. Enable 2FA by checking the “Use Yubico Server” option.
  7. Finally go to Settings > YubiKey and enter your API ID and Secret.
User configuration of YubiKey 2FA

Now 2FA is enabled. In addition to your username and password you will also need to enter a YubiKey OTP to log in. Fill in the form fields in the order they appear, since the one-time password ends with a line break that automatically submits the form and logs you in.
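To make clear what the plugin is doing with the "first 12 characters" from step 4 and with the API ID and Secret from step 7, here is an added example in Python (my own illustration, not code from the yubikey-plugin or from Yubico). It splits a typed OTP into the static public ID and the one-time part, checks the public ID against the IDs registered on the user, and shows how the API secret is used in the Yubico validation protocol v2.0 to sign the request and to verify the signature, nonce and OTP echoed back in the server's response. The OTP, the API ID, the secret and the server response below are all constructed for the example; the only network call in real life, the HTTPS request to the validation server, is replaced by a small stand-in function that produces a correctly signed response.

```python
import base64
import hashlib
import hmac
import secrets

# Modhex alphabet used by YubiKey OTPs (maps to hex digits 0-f in this order).
MODHEX = "cbdefghijklnrtuv"

# Constructed sample values (not real credentials): 12-char public ID + 32-char one-time part.
SAMPLE_OTP = "ccccccbcgujh" + "ingjrdejhgcuubcejbhgnjgurdcgrhnt"
DEMO_API_ID = "12345"
DEMO_SECRET = base64.b64encode(b"demo-secret-20-bytes").decode()  # API secret is base64 in the protocol


def split_otp(otp: str):
    """Return (public_id, one_time_part) for a 44-character YubiKey OTP.

    The first 12 characters are the static identity of the key; this is what the
    WordPress plugin stores in the 'Key ID n' field. The remaining 32 characters
    change on every press. A trailing newline (the key also types Enter) is stripped.
    """
    otp = otp.strip()
    if len(otp) != 44 or any(c not in MODHEX for c in otp):
        raise ValueError("not a 44-character modhex YubiKey OTP")
    return otp[:12], otp[12:]


def public_id_matches(otp: str, registered_ids) -> bool:
    """True if the OTP was produced by one of the keys registered for the user."""
    public_id, _ = split_otp(otp)
    return any(hmac.compare_digest(public_id, rid) for rid in registered_ids)


def _sign(params: dict, api_secret_b64: str) -> str:
    """Yubico validation protocol v2.0 signature: HMAC-SHA1 over the key=value
    pairs sorted alphabetically and joined with '&', excluding 'h' itself,
    keyed with the base64-decoded API secret; the digest is base64-encoded."""
    key = base64.b64decode(api_secret_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_request(api_id: str, api_secret_b64: str, otp: str, nonce: str = None) -> dict:
    """Query parameters for the validation server, including the 'h' signature."""
    nonce = nonce or secrets.token_hex(16)  # 16-40 alphanumeric chars, unique per request
    params = {"id": api_id, "otp": otp.strip(), "nonce": nonce}
    params["h"] = _sign(params, api_secret_b64)
    return params


def verify_response(body: str, api_secret_b64: str, expected_otp: str, expected_nonce: str):
    """Decide whether a key=value response body is an authentic 'OK' for our request.

    Returns (accepted, reason). Signature, OTP and nonce are checked before the
    status so that a forged or replayed response cannot be accepted.
    """
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            k, v = line.strip().split("=", 1)
            fields[k] = v
    if "h" not in fields:
        return False, "unsigned response"
    if not hmac.compare_digest(fields["h"], _sign(fields, api_secret_b64)):
        return False, "bad signature"
    if fields.get("otp") != expected_otp:
        return False, "otp mismatch"
    if fields.get("nonce") != expected_nonce:
        return False, "nonce mismatch (replayed response?)"
    if fields.get("status") != "OK":
        return False, fields.get("status", "missing status")
    return True, "OK"


def constructed_server_response(request: dict, api_secret_b64: str, status: str = "OK") -> str:
    """Stand-in for the validation server (constructed for this example only):
    echoes otp and nonce, adds a timestamp and sync level, and signs the response
    with the same shared secret, exactly as the real server would."""
    fields = {
        "t": "2024-01-01T00:00:00Z0000",  # constructed timestamp
        "otp": request["otp"],
        "nonce": request["nonce"],
        "sl": "100",
        "status": status,
    }
    fields["h"] = _sign(fields, api_secret_b64)
    return "\r\n".join(f"{k}={v}" for k, v in fields.items()) + "\r\n"


if __name__ == "__main__":
    print("public id:", split_otp(SAMPLE_OTP)[0])
    req = build_request(DEMO_API_ID, DEMO_SECRET, SAMPLE_OTP)
    resp = constructed_server_response(req, DEMO_SECRET)
    print(verify_response(resp, DEMO_SECRET, SAMPLE_OTP, req["nonce"]))
```

The point of the secret is the signature check in `verify_response`: without it, anything sitting between your web server and the validation service could answer "status=OK" to any login attempt. The nonce comparison matters for the same reason; a captured "OK" for an earlier request must not be accepted again.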

The WordPress login will now prompt you for your OTP.

It is worth pointing out that 2FA is no silver bullet that will protect you from being hacked. It only stops someone from logging in with your username and password if they do not also have the YubiKey. There are a lot of other things that are important for keeping your website safe.

Some of these things are: make sure your software is updated, meaning WordPress and all plugins as well as all server software; delete WordPress plugins that are not being used; make sure your theme is up to date. These are just a few things. Maybe there will be some posts about that in the future.