Protect Your WordPress Sites From Phishing By Using U2F?

Phishing is one of the most serious threats your website can face. It can cost you your data, your password, in fact your entire account. You might unintentionally land on a phishing site through a mistyped URL. However, with U2F, you can thoroughly protect WordPress sites from phishing.

Created through the combined efforts of Yubico and Google, U2F is an authentication protocol that protects the privacy and security of your website. U2F stands for Universal Second Factor, and its sole purpose is to guard your WordPress site from any type of phishing.

The best part of U2F is that it requires no client software or drivers. All you need is to register a device that supports the protocol with the online service. Today, the FIDO Alliance hosts U2F.

As for the mechanism, U2F relies mainly on physical USB keys that look somewhat like flash drives. Unless the key is plugged in, you cannot access your account. It is, in effect, 2-factor authentication.

Traits of the U2F security keys


After configuring the physical USB key, you plug it into your system and press its button. These USB security keys support two essential commands: registration and authentication. Both commands are made available to web pages through a browser API.

For the first command, the USB key generates a new asymmetric key pair and returns the public key. The server then associates the user account and the security key with that returned public key.

For authentication, the USB key first detects your presence by testing for the USB stick the moment you log in to your account. Once your physical presence is verified, the protocol allows the private key to unlock the account. This way, U2F security keys protect WordPress sites from phishing.

Why is U2F important?

As mentioned earlier, U2F works as a protective shield in front of your account. It secures the sensitive data of your website against several types of cyberattacks, such as malware attacks, session hijacking, and phishing. According to statistical studies, approximately 97% of small to big websites become the prey of phishing. Therefore, if you think you are capable enough to handle your account and keep it from getting phished on your own, you are probably wrong.

When you use U2F keys like the YubiKey, no imitator can steal your data, as the keys only work on the officially registered account. You might believe that the website you landed on is real, but the protocol will never get fooled.

It will detect the authenticity of the website and alert you about it. Thus, to protect WordPress sites from phishing, using U2F is essential. This 2-factor authentication halts phishing attacks and keeps your website from being taken over.

These master keys offer dedicated protection against man-in-the-middle attacks and phishing. Thus, if your website handles extremely confidential data and information, using U2F security keys is the ultimate solution. Nevertheless, ordinary websites do not really need the YubiKey.
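The registration and authentication commands described above, and the reason a look-alike site cannot reuse a registered key, can be seen in a small simulation. This is an added example, not code from the original article or from any WordPress plugin; it follows the U2F signing layout in simplified form, and the class, function, and origin names are constructed for illustration.

```javascript
// Added example: simplified U2F flow. All names and origins are constructed.
const crypto = require('crypto');
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();

// Bytes the key signs: SHA-256(appId) | presence flag | counter | SHA-256(clientData)
function signedBytes(appId, counter, clientData) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(counter);
  return Buffer.concat([sha256(appId), Buffer.from([0x01]), ctr, sha256(clientData)]);
}

// Simulated security key: a fresh P-256 key pair per registration.
class SecurityKey {
  constructor() { this.slots = new Map(); }
  register(appId) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    const keyHandle = crypto.randomBytes(16).toString('hex');
    this.slots.set(keyHandle, { appId, privateKey, counter: 0 });
    return { keyHandle, publicKey, lastCounter: 0 }; // private key stays on the device
  }
  sign(keyHandle, appId, clientData) {
    const slot = this.slots.get(keyHandle);
    if (!slot || slot.appId !== appId) return null; // handle was issued for another site
    slot.counter += 1;
    const data = signedBytes(appId, slot.counter, clientData);
    return { counter: slot.counter, signature: crypto.sign('sha256', data, slot.privateKey) };
  }
}

// Browser role: clientData carries the origin the user is really on.
function browserSign(key, origin, challenge, keyHandle) {
  const clientData = JSON.stringify({ challenge, origin });
  const assertion = key.sign(keyHandle, origin, clientData);
  return assertion ? { ...assertion, clientData } : null;
}

// Relying party (the WordPress site): checks origin, challenge, signature, counter.
function verifyLogin(reg, origin, challenge, assertion) {
  if (!assertion) return 'no-assertion';
  const cd = JSON.parse(assertion.clientData);
  if (cd.origin !== origin) return 'wrong-origin';
  if (cd.challenge !== challenge) return 'wrong-challenge';
  const data = signedBytes(origin, assertion.counter, assertion.clientData);
  if (!crypto.verify('sha256', data, reg.publicKey, assertion.signature)) return 'bad-signature';
  if (assertion.counter <= reg.lastCounter) return 'replayed-counter';
  reg.lastCounter = assertion.counter;
  return 'ok';
}
```

Registering with `new SecurityKey().register('https://wp.example.com')` and then calling `browserSign` from any other origin returns `null`, so the site never receives a usable response; only a response produced on the registered origin for the current challenge makes `verifyLogin` return `'ok'`.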

How to use U2F in Your WordPress?

If you have read the article up to this point, you are aware of the importance of using U2F to protect WordPress sites from phishing. The remaining question is how to set it up. The process is extremely easy, and for your convenience the procedure is listed step by step.

  • First, go to Users and locate your Profile Page
  • Then, scroll down and you will find some new options, including the 2-factor options, under the account management area
  • After that, enable FIDO U2F and set it as primary, then scroll further to reach the Security Keys option. Once you find it, click the button labeled Register New Key
  • Once you plug in the key, tap its circle button and update the profile

However, to complete these steps smoothly you will need a registration with Google. You will also have to log in to WordPress as an administrator. Lastly, you will need an HTTPS connection and a browser that supports U2F.

How is U2F better than OTP and mobile applications?

U2F is undoubtedly helpful for maintaining the privacy and security of your account. However, it can sometimes cause a little inconvenience. For instance, if you have forgotten to bring the USB keys, you cannot unlock your account until you have the keys back.

In such cases, you might think of using OTPs instead of this 2-factor authentication. But OTPs have several drawbacks as well.

OTPs, or One Time Passwords, are brief numeric codes that are sent through text messages. With OTPs, you can suffer from the following inconveniences:

  • OTPs can hardly protect your website from man-in-the-middle attacks or phishing; in other words, they are extremely risky
  • The codes that are sent using text messages can be intercepted without much effort
  • Moreover, while using OTPs, you have to use a specific dongle for a particular website/password

Thus, OTPs might seem convenient, but on closer inspection they cannot protect your site as fully as U2F. They give users mild security, but nothing as strong as U2F. Someone can easily reach your OTP by accessing your message account and email, and then steal your clients, your data, and even your account.

Thus the choice is entirely yours: deal with a minor inconvenience, or leave your account exposed to the threat.

There is nothing wrong with using 2FA tools on your mobile. In fact, their security is very good as well. But if we are talking about inconveniences, you should know that mobile 2FA tools have their drawbacks too.

There may be no major technical issues, but you can hardly reach the platform when your phone's battery is dead or there is barely any service. None of this is really an issue when using U2F security. It is handy, does not require a smartphone, and, moreover, these physical USB keys are waterproof.

However, no one can expect such advanced security to protect WordPress sites from phishing free of cost, so you will need to invest a little in these keys. The cost of the keys depends on the version and user range.

By now you are probably aware that if your agency involves several high-profile administrators and clients, your company might need security keys to protect its important and invaluable assets. A case study on U2F reports that agencies using the physical USB keys are in a zero-phishing zone.

Besides, those agencies also enjoyed enhanced employee efficiency at an affordable expense. In fact, the advantages of the U2F protocol are proportional to the usage of these keys by clients or employees.

About Sonnal S Sinha

Sonnal S Sinha shares exciting WordPress themes, plugins and other WordPress-related news for our viewers. He also posts selected WordPress developer interviews from time to time.