Sometimes things are just so simple they really bring together security and simplicity and the Google Authenticator Plugin is one of those benefits. With Google Authenticator you add an additional layer of One Time Passcode or (OTP) authentication to your WordPress admin login which adds an additional layer of protection against those who would attempt to log into your website without permission.
Now, once you add Google Authenticator Plugin to your WordPress blog you will add an OTP layer of authentication which cause the login form to require an additional token or passcode in order to pass login and access the WordPress dashboard.
You can download and install the Google Authenticator plugin for free and the Google Authenticator app for iOS and Android phones is also free. It does add some additional protection but only as a deterrent. However, the plugin itself raises some items that I found make the Incapsula Google Authenticator solution much better.
Incapsula gives you the option to set email or SMS (depending on your plan) as fail back in case someone doesn’t have access to Google Authenticator or you just want to offer other alternatives.
Also, I noticed with Google Authenticator WordPress plugin it doesn’t matter who has the Google Authenticator app installed, as long as they can get a passcode it will authenticate and authorize for that site. This means if the culprit knows your login and password to WordPress they just have to install Google Authenticator on their phone to get a code and gain access.
With Incapsula it requires you to authenticate a specific set of uses in the Incapsula cloud with Google Authenticator only allowing the valid email match first, before even allowing access to the WordPress login screen for additional security and putting the Google Authenticator login protection in the cloud and not directly on the WordPress login page which has an advantage.
Of course for simplicity and portability the Google Authenticator Plugin is a decent deterrent and will block most spam bots, and casual scanners who just blast default admin and passwords to see if they can compromise your login.