
Implementing two factor authentication (2FA) is a highly effective way to secure your WordPress site: it adds a second layer of protection beyond the password alone.
Some hosting providers offer 2FA as a built-in feature of their control panel or WordPress management tools; if yours does, enable it there as well. This guide covers the more general route of adding 2FA to the WordPress login itself with popular plugins.
Here’s a step-by-step guide to setting up 2FA using popular plugins:
What Is Two Factor Authentication?
2FA, or two factor authentication, is an additional layer of security you can add to your WordPress login page. With 2FA enabled, an attacker who has guessed, phished, or leaked your password still cannot log in without the second factor, so the password alone is no longer enough to take over the account.
You log into WordPress as normal with your username and password, then enter a one-time code. With the plugins covered here the code is generated by an authenticator app on your phone; some plugins can instead send it by email or SMS.
We are all used to single-step authentication: a password. The stronger and more unique the password, the harder it is to guess or crack.
Yet even a strong password that you change periodically can still be compromised, for example through phishing, reuse on a site that was breached, or malware on your own machine.
Enter two-factor authentication!
Using Google Authenticator (two factor authentication) Plugin
- Install and Activate the Plugin
- Log in to your WordPress admin dashboard.
- Navigate to Plugins > Add New.
- Search for “Google Authenticator.”
- Click “Install Now” and then “Activate.”
- Configure the Plugin
- Go to Users > Your Profile (or Users > All Users to set it up for multiple users).
- Scroll down to the Google Authenticator section.
- Enable the checkbox labeled “Active.”
- Set Up Your Mobile App
- Download and install the Google Authenticator app on your smartphone (available on iOS and Android).
- In the Google Authenticator (two factor authentication) section of your WordPress profile, you will see a QR code.
- Open the Google Authenticator app on your phone.
- Tap the “+” button to add a new account, and choose “Scan a barcode.”
- Scan the QR code displayed in your WordPress profile.
- The app will now generate a six-digit code for your WordPress site.
- Configure Settings
- You can also enable “Relaxed mode” if you want a longer time window during which a code is accepted. This helps when a phone’s clock has drifted, but it also lengthens the period in which an intercepted or phished code remains usable, so leave it off unless users report that valid codes are being rejected.
- Optionally, set a description to identify this code in the app.
- Save Changes
- Click the “Update Profile” button at the bottom of the page to save your changes.
- Logging In
- After setup, when logging in, you will be prompted to enter the Google Authenticator code after your username and password.
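All of the plugins in this guide implement the same standard, RFC 6238 TOTP: the QR code is an otpauth:// URI carrying a shared secret, the app and the server each derive a six-digit code from that secret and the current 30-second time step, and “Relaxed mode” simply widens the number of steps the server will accept. The following Python is an added example to make that concrete; it is not code from the Google Authenticator plugin or any other plugin named on this page. The sample key is the RFC 6238 test-vector secret, and the account and issuer names are made up.

```python
"""RFC 6238 TOTP as used by WordPress authenticator plugins: enrolment URI,
code generation, and the server-side check (window = "relaxed mode", replay guard).

Added example; not code from any of the plugins discussed above."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# Constructed sample key: the secret from RFC 6238 Appendix B test vectors.
RFC_SECRET = b"12345678901234567890"
DEMO_SECRET_B32 = base64.b32encode(RFC_SECRET).decode()  # what the QR code carries


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (30 s steps by default)."""
    return hotp(secret, at // step, digits)


def otpauth_uri(account: str, base32_secret: str, issuer: str) -> str:
    """The otpauth:// URI an enrolment QR code encodes (Key URI format understood by
    Google Authenticator and compatible apps). Treat it like a password: it IS the secret."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={base32_secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Server-side check a plugin performs at login.

    window: how many 30 s steps either side of "now" are accepted. 0 is strict;
    1 tolerates a little clock drift (the idea behind "relaxed mode"); every extra
    step lengthens the period during which a phished code still works.
    A time step is never accepted twice, so a code that was just used cannot be replayed.
    """

    def __init__(self, base32_secret: str, window: int = 1, step: int = 30, digits: int = 6):
        self.secret = base64.b32decode(base32_secret.upper())
        self.window = window
        self.step = step
        self.digits = digits
        self.last_counter = -1  # highest time step already consumed by a successful login

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        centre = now // self.step
        for counter in range(centre - self.window, centre + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used (or older than a used step): replay, reject
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("QR contents:", otpauth_uri("admin@example.com", DEMO_SECRET_B32, "Example WP"))
    print("current code:", totp(RFC_SECRET, int(time.time())))
```

The `window` argument is the whole difference between strict and relaxed verification: with `window=0` a code from the previous 30-second step is refused, with `window=1` it is accepted. The `last_counter` guard is the part many minimal implementations forget; without it, a code an attacker shoulder-surfed or phished can be reused until its time step expires.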
Using Two Factor Authentication Plugin (by Two Factor Auth)
- Install and Activate the Plugin
- Log in to your WordPress admin dashboard.
- Navigate to Plugins > Add New.
- Search for “Two Factor Authentication.”
- Click “Install Now” and then “Activate.”
- Configure the Plugin
- Go to Settings > Two Factor Auth.
- Click on the “Settings” tab.
- Set Up Your Mobile App
- Download and install an authenticator app such as Google Authenticator, Authy, or Duo Mobile on your smartphone.
- In the Two Factor Auth settings, you will see a QR code.
- Open your authenticator app and add a new account by scanning the QR code.
- Configure User Roles
- You can enforce 2FA for specific user roles by checking the appropriate boxes.
- Save your settings by clicking the “Save Changes” button.
- User Setup
- Each user must set up their 2FA individually.
- Users can go to their profile page and follow the same process of scanning the QR code with their authenticator app.
- Logging In
- After setup, users will be prompted to enter the authentication code from their app in addition to their username and password when logging in.
Using Wordfence Security Plugin
- Install and Activate the Plugin
- Log in to your WordPress admin dashboard.
- Navigate to Plugins > Add New.
- Search for “Wordfence Security.”
- Click “Install Now” and then “Activate.”
- Configure 2FA in Wordfence
- Go to Wordfence > Login Security.
- Click on the “Two-Factor Authentication” tab.
- Set Up Your Mobile App
- Download and install an authenticator app such as Google Authenticator, Authy, or Duo Mobile on your smartphone.
- Scan the QR code displayed on the Wordfence settings page with your authenticator app.
- Configure User Roles
- Enable 2FA for desired user roles (administrators, editors, etc.).
- Save the settings.
- User Setup
- Users need to go to their profile page (Users > Your Profile) and configure their own 2FA settings by scanning the QR code and entering the generated code.
- Logging In
- After setup, users will be prompted to enter the authentication code from their app in addition to their username and password when logging in.
General Tips for Using 2FA
- Backup Codes: Ensure that users generate and securely store backup codes in case they lose access to their authenticator app.
- App Alternatives: Some plugins also offer email or SMS codes. These are weaker than an authenticator app (SMS can be intercepted through SIM swapping, and an email code is only as safe as the mailbox it lands in), so use them only as a fallback, not as the primary factor for administrators.
- Enforce 2FA: Enforce 2FA for all users with elevated permissions, such as administrators and editors, to enhance security.
- User Education: Educate users about the importance of 2FA and provide them with instructions on how to set it up.
How to disable two factor authentication
You can disable two-factor authentication with a few clicks. This is useful if you want to switch to a new device, use a different authenticator application, or if you need to help another user who is unable to log in. The steps below are for Wordfence Login Security; the other plugins offer an equivalent option on the user’s profile page. Before disabling 2FA for someone else, confirm out of band (for example by calling a phone number you already have on file) that the request really comes from that user: “I lost my phone, please turn off my 2FA” is exactly the pretext an attacker who already holds the password would use, and switching 2FA off on request defeats the whole control.
If you need to disable two-factor authentication on your own account:
- Log in to your site and go to the “Login Security” page.
- Press the “Deactivate” button.
If you need to disable two-factor authentication for another user:
- Go to the WordPress “Users” page.
- Hover over the user’s record and click the “2FA” link below their username.
- This will take you to the “Login Security” page. Near the top of the page, you will see “Editing User: their_username”.
- Press the “Deactivate” button.
By implementing 2FA, you significantly enhance the security of your WordPress site, protecting it from unauthorized access even if passwords are compromised.