How To Protect WordPress Sites From Phishing Using U2F?

See in this article tips on how to protect your WordPress sites from phishing using U2F authentication, making them fully protected

By Claudio Pires
Updated on June 1, 2023
How To Protect WordPress Sites From Phishing Using U2F?

U2F is an authentication standard that lets users securely access their online accounts instantly with a security key and makes your site fully protected from phishing – no drivers or client software needed. You register a physical device with the online service that supports the protocol. See in this article tips on how to protect your WordPress sites from phishing using U2F authentication, making them fully protected.

U2F security keys are physical USB keys that look like a flash drive. You can only access your account by tapping the key while it’s plugged in. As an end user, it feels like a dedicated device for 2-Factor Authentication. Instead of using your phone and the Authenticator app, you carry around a physical key.

How to Protect WordPress Sites Phishing

Using U2F Authentication & Its Benefits

U2F Security Keys protect your sites’ WordPress from various hacks and attacks: session hijacking, man-in-the-middle, malware attacks, and, most notably, phishing (a site or email that mimics a legitimate account to trick you into sharing your credentials).

Think you would never fall victim to a phishing attempt. Think you’re too bright for that? According to this report, ninety-seven percent of consumers could not identify phishing emails correctly. Ninety-seven percent?

With a Physical key, like the YubiKey, a copycat login screen can’t take your login information because it only works on registered sites. The authentication will fail on fake sites. This mitigates phishing attacks’ increasing volume and sophistication and stops account takeovers.

U2F Security Keys Functionalities

Once you set up your Security Key, you only need to plug it into your computer (or tap the phone!) and press a button.

For this post, I don’t want to get lost in the technical details, but at a high level, Security Keys support two commands which are provided to web pages as browser APIs:

Registration – Your Security Key generates a fresh asymmetric key pair and returns the public key. The server associates this public key with your physical key and user account. Authentication – When you go to log in, your Security Key will test for the USB stick and your physical presence. After verification, the private key unlocks your account.

U2F and WordPress Sites Protect

I wasn’t ready to attack manual setup because this was an experiment, and I am not super technical. I searched for a free plugin option on  The search ended pretty fast. There are currently few options or information for WordPress, so I went with the most popular free option, Two-Factor.

Armed with my brand new key and the plugin, I thought, “This shouldn’t be too hard.” So, how do you use U2F and physical protect keys with WordPress?

  • Go to Users -> your Profile page.
  • Scroll down. You will see some new features. Under account management, there should be Two-factor options available now.
  • Enable FIDO U2F and set it as primary.
  • Scroll down to Security Keys and press the Register New Key button.
  • Plug in your FIDO U2F security key and tap the circle button.
  • Wait for the page to refresh and click Update Profile.

So here is my “noobs guide” to U2F setup for WordPress:

  1. Once you have your key, the first step is to register with Google.
  2. To setup U2F on WordPress, you must be logged in as an administrator.
  3. Use a browser with U2F support.
  4. U2F requires an HTTPS connection.
  5. You can’t add new security keys over HTTP.

How Much Is That?

While it’s fairly easy to implement, there were some drawbacks.

This level of security is not free, and providing security keys to everyone that needs access to your site could be costly – especially for large teams. Keys vary in price from $20 to $50. Plus, it would be best to keep a backup key for each user in case their key is lost, damaged, or stolen. If you run a team of 10, that would require 20 keys. Cha-ching.

If the cost is not prohibitive, the next challenge is that security keys are still not widely adopted. While usage has increased, setting-up security keys for other systems can be painful and lengthy. The good news is that things are improving, and setting up security keys on Google, Facebook, or Twitter is fairly straightforward.


Another thing to consider for teams or development agencies is management. Keys create a more complicated employee and client onboarding process. It also means finding a point person for setup and recovery. Hello middle managers.

Probably the most obvious hurdle, you can’t access your site without the security key. This is good for your site’s security but could be bad for convenience. You just arrived at work and realized you left your key at home. You can’t call somebody to dictate a one-time password – because there is no spoon password! This could mean a few more hours of driving, negating all the extra seconds you have “stolen away” by using U2F over OTP in a single day.

Lastly, Handing out security keys to your WordPress clients could be a problem. So, why not just roll with One-Time Passcodes (OTP) or 2FA on my phone? These are valid options, but there are some disadvantages.

U2F vs. OTP’s

One-Time Passcodes (OTP) are short numeric codes for one-time use and are sent via text messages or generated on a separate physical device. While they are more secure than ordinary passwords, OTPs aren’t perfect:

  • They are vulnerable to phishing and man-in-the-middle attacks
  • You have to carry around a dongle per each website/password
  • SMS messages can be intercepted

In short, it’s not a 100% protection plan. While it offers another layer of security, if someone phishes access to your email or messages account, they can still gain access to your (or your clients) WordPress back-end with an OTP code.

2FA vs. Mobile Devices

You might be asking this question if you’re using a 2FA app on your smartphone like Google Authenticator. Short answer: nothing is wrong with 2FA; it offers a great layer of security if set up properly. This can be made stronger with things like disabling the OTP option – less convenient but more secure.

2FA is more flexible, but leaving recovery options in the name of convenience may leave you with a false sense of security.

Benefits of U2F security keys over Smartphones: Protecting application logic from malware is difficult on a general-purpose computing platform. A phone might not be reachable when the battery runs off, or there is no service. Unlike most Smartphones, YubiKeys are water resistant and will allow you to kiss in the rain.

Physical Security Keys

For most WordPress users, Defenders 2FA with Google Authenticator on your phone is more than enough. Dedicated security keys offer dedicated protection against phishing and man-in-the-middle attacks. They are arguably faster and easier to use once you set them up and get used to them, but let’s face it, ordinary Joe probably doesn’t need a YubiKey.

Conclusion About Protect WordPress Sites U2F

That said, if you’re running an agency with multiple administrators on high-profile client sites, it may be time to consider physical keys for your team.

Google’s own U2F case study showed that on top of becoming a “no-phishing zone,” they also noticed accelerated employee productivity, reduced support compared to phone authentication, and even lower cost of ownership.

The benefits of the physical keys multiply with the number of employees/clients using keys and the number of daily sessions each user commences. We hope this article with tips on how to protect your WordPress sites from phishing using U2F authentication, making them fully insulated, has helped you!

Claudio Pires

Claudio Pires is the co-founder of Visualmodo, a renowned company in web development and design. With over 15 years of experience, Claudio has honed his skills in content creation, web development support, and senior web designer. A trilingual expert fluent in English, Portuguese, and Spanish, he brings a global perspective to his work. Beyond his professional endeavors, Claudio is an active YouTuber, sharing his insights and expertise with a broader audience. Based in Brazil, Claudio continues to push the boundaries of web design and digital content, making him a pivotal figure in the industry.