How to Add Two-Factor Authentication (2FA) to WordPress

Two-Factor Authentication (2FA) adds an extra layer of security to your WordPress website by requiring a code from your mobile device in addition to your password. There are several plugins you can use to add it to WordPress.

In this tutorial, we’ll be using the Wordfence Security plugin, which includes a built-in Two-Factor Authentication feature.

What is Two-Factor Authentication in WordPress?

Simply put, 2FA is an extra layer of security that is used to make sure that anyone trying to gain access to online accounts is actually who they claim to be. It works in conjunction with smartphones, and a user has to verify at least one trusted phone number to enroll in 2FA. 

Apple iOS and Google Android have apps that support two-factor authentication (2FA). This lets the phone itself serve as the physical device that satisfies the second authentication step. It works by asking users to enter a six-digit number.

Right after a user enters a name and a password, they will immediately be asked for another piece of information to verify that they are who they say they are. The second factor could be any of the following:

  • PIN Number
  • Passwords
  • Secret Questions
  • Something You Have (credit card, smartphone, hardware token)
  • Fingerprint
  • Iris Scan
  • Voice Print

The last three are more advanced but can be set up when needed if you have a device that supports them.

Set Up Two-Factor Authentication in WordPress

Wordfence is one of the best security plugins for WordPress. It protects against most threats that a WordPress site will run into and has a 2FA feature built directly into it. This tutorial is focused exclusively on setting up 2FA.

If you need assistance setting up Wordfence, please refer to our Wordfence setup guide.

Step 1: Install the Wordfence Security Plugin

Start by accessing your WordPress Dashboard. Once there, click on Plugins and select the Add Plugin option.

Use the search box to search for Wordfence Security.

Locate the Wordfence Security plugin. Click on the “Install Now” button and activate it for use.

Step 2: Access Wordfence Login Security Settings

If this is your first time installing Wordfence, you’ll need to go through the installation process. Wordfence offers a robust free version, so be sure to sign up. Once you have obtained your license number, the plugin will be fully functional.

Locate the newly added Wordfence option on your WordPress Dashboard. Select the Login Security option.

Step 3: Configure Two-Factor Authentication

Here, you should see a large QR code. You’ll need to scan it to connect with an Authenticator app on your smartphone. There are several that you can use, like the Google Authenticator app.

After scanning, your authenticator app will display a 6-digit code. Enter that code into the Wordfence Login Security settings to complete setup.

You’ll be prompted to download recovery codes. This will ensure that if you lose your mobile device, you can use these codes to log in. Keep them somewhere safe and protected.

Step 4: Test and Verify

Log out of your WordPress website and then log back in. After entering your username and password, you’ll be prompted to enter the 6-digit authentication code from your app.

If the login works, then Wordfence Two-Factor Authentication is successfully configured.

You Can Set Up Two-Factor Authentication For Much More Than Just WordPress

Google Authenticator is not just for 2FA in WordPress. You can also use it for all of your 2FA needs.

For instance, you can secure your Nintendo account by adding an authenticator token to it, and wouldn’t you know, Google Authenticator is an option. In fact, it is the most popular authenticator app on the market.

This is also a necessary step on some financial websites. For instance, if you buy or sell cryptocurrency on Coinbase, you must use an authenticator once your account reaches a certain value.

It dramatically improves security, so it makes perfect sense.

So remember, if you need an authentication app, most sites support this one.

What Happens If I Lose My Phone?

One of the biggest fears when setting up 2FA in WordPress, or anywhere else, is that you may lose the device with your authenticator app.

There are safeguards in place that allow you to get access to the Authenticator app on a new device through Google. However, this could take several days and will require you to prove your identity.

This can leave you locked out of any account until the process is complete.

The good news is that if someone actually stole your phone, those codes are useless without the sign-in information.

One strategy that you should consider is to set up Google Authenticator on an old phone. Let’s face it, if you regularly get new phones, you might have a box full of them at this point.

Take one of them and set the phone up as a backup on Google Authenticator.

This would allow you to get immediate access to your account info and take the appropriate steps. It’s also a great use for old phones.

Improve WordPress Security with Two-Factor Authentication Today

Adding Two-Factor Authentication is one of the simplest and most effective ways to protect your WordPress website from unauthorized access. Wordfence Security makes it easy to enable 2FA alongside its other powerful security tools.

Setting up two-factor authentication in WordPress is actually not a difficult task at all. You simply need to know the tool to use and how to use it.

What other tools have you used to get two-factor authentication working on your site? Have you found that using this is more of a hassle?
