

How to Include Two Factor Authentication for WordPress

Two-factor authentication is a security method for website logins. It doesn’t replace a password or passphrase; it’s used along with them as an additional layer of verification. You’ve probably seen and used two-factor authentication (also known as 2FA). If your bank or another site sends you a code by text message that you have to enter to finish logging in, that’s 2FA.

Text messages aren’t the only way to use two-factor authentication. Email confirmation can also be used. But it isn’t a very secure form of protection: the email account is itself protected by a password that can be compromised, and it’s usually also the password-reset channel for your other accounts, so whoever controls it controls both factors.

There are technically advanced biometric methods, like fingerprint or iris scans. Those kinds of technologies are expensive and aren’t readily available to small website owners.

Finally, there are app-based 2FA methods. Easy to implement and use, they’re the perfect solution for most of us. So that’s what we’re going to talk about in this tutorial.

It’s certainly possible to set up your own text or SMS-based two-factor authentication, and it’s not overly complicated. But the services that provide the SMS part of the equation charge for the messages, and SMS codes can be intercepted by an attacker who takes over your phone number (a “SIM swap”), which is why SMS is now considered the weakest second factor. Unless your 2FA usage covers hundreds, or thousands, of logins daily, it’s easier (and cheaper, and safer) to use an app-based method.

In a minute, we’ll talk about how to set up WordPress two-factor auth, making your blog or website more secure.

Like It or Not, Passwords Rule Our Lives

If you’re old enough to remember life before the internet, you probably remember having a single password: your ATM PIN. That’s all you had to memorize to get through life. A short string of numbers.

Things have changed very quickly, of course, and now our lives seem to revolve around passwords. And since most application developers don’t understand the superior security of passphrases, we’re saddled with ever more complex password requirements.

And here’s the biggest irony of all: most passwords aren’t compromised by someone guessing them at your login page. They’re lifted from breached website databases (often as weakly hashed values that are then cracked offline) and tried against every other site where the same password was reused. Meaning the hacker doesn’t get your password by targeting you, they get it by targeting the websites you use.

So you can use secure web hosting, and you can use the world’s most complex passwords or passphrases, but they can still be lifted from a database. So what good are they?

Two-Factor Authentication to the Rescue (Kind Of)

How does two-factor authentication lessen the problem of password insecurity or theft?

It increases security by adding your phone (or email) to the login process. You supply your username and password as usual, but then you have to enter a 2FA code. The code is either sent to your phone (SMS) or generated on it by an authenticator app from a secret that only your phone and the website share.

Now if someone has your username and password, they can’t log in to your account unless they also have your phone.

Which is the solution, but also a problem if you lose your phone. 2FA can’t protect you if someone has both your password and your phone, so a phone thief who also knows your password could get into 2FA-protected accounts. And a lost or damaged phone will keep you out of 2FA-protected accounts unless you kept a copy of the authenticator secret (the QR code shown during setup) or some other recovery method somewhere safe.

So two-factor authentication isn’t foolproof, but it’s a very effective step to take for everyday security—that, and not letting your phone out of your sight.

There are a few good plugins for WordPress two-factor authentication. We’ll install the simplest of the bunch, 2FAS Light. It works in tandem with Google Authenticator, which is available for Android and iPhone.

Not a Google fan? It also works with other mobile applications like Microsoft Authenticator, Authy, FreeOTP, 2STP, and OTP Auth. Any authenticator that implements standard time-based one-time passwords (TOTP, RFC 6238) can be used. “Token” is just another word for the six-digit code the authenticators display.

Installing the 2FAS Light Plugin

Log in to your WordPress admin panel.

In the left column navigation, mouse over the “Plugins” link and click the “Add New” link.

mouse over the "Plugins" link and click the "Add New" link

In the “Search plugins…” box, enter, “2FAS Light.”

search for the WordPress 2FAS Light plugin

When you find the plugin, click the “Install Now” button.

click to install the WordPress 2FAS Light plugin

Now the plugin is installed, but it has to be activated before you can use it.

Click the “Activate” button.

click to activate the WordPress 2FAS Light plugin

That’s all there is to it.

Configuring and Using 2FAS Light

Now you have to pair your WordPress site and your phone. But that’s easier than it sounds.

In the left column navigation, click the “2FAS Light” link.

click the "2FAS Light" link

The first thing the plugin will tell you to do is download an authenticator app. I mentioned (and recommend) the Google authenticator, but any of the listed apps will do the job.

download an authenticator app

Move on to step 2, which generates a QR code that your authenticator app can read.

Open the authenticator app on your phone and choose to add a site. I would screenshot the Google Authenticator steps for you, but the Android security policy won’t allow for screenshots of Authenticator. That’s good!

Now in WordPress, click the “Show QR Code” button.

click the "Show QR Code" button

That will generate the code.

qr code

Now with the authenticator app on your phone, capture the QR code shown in WordPress. That should add your blog to the app, and it will start generating codes right away. The QR code encodes the shared secret your codes are derived from, so treat it like a password: don’t save it in a screenshot or leave it on screen, because anyone who scans it can generate your codes too.

That takes us to step 3. Here you’ll enter the six-digit code generated by the authenticator app.

The codes change every 30 seconds, and an expired code will be rejected. Most TOTP implementations tolerate only about one step of clock drift, so if the authenticator app’s timer is counting down the last few seconds, wait for a new code to be generated. Because the codes are derived from the current time, your phone’s clock also has to be reasonably accurate; if every code fails, check that the phone is set to sync its time automatically.

enter six-digit code from auth app

Then click the “Add device” button.

click the "Add device" button

That’s it, two-factor authentication is enabled.

2FA enabled

The standard WordPress username and password login remains, but after you enter those, there’s a new step.

WordPress 2FA token request

Just enter a code from your authenticator app, and you’ll be in.

That’s it. You’ve set up 2FA in WordPress. It’s about the best investment of time you could make where the security of your WordPress site is concerned.

Turning Off Two-Factor Authentication

You can disable two-factor authentication by clicking the “Turn off two-factor authentication” toggle.

click to disable 2FA

Forcing a User to Re-Authenticate on Next Login

If you checked “Remember device” when entering your auth code, you’ll see an entry in the “Trusted devices” section. A remembered device skips the second step on that browser, so it should only be used on a machine nobody else can get at.

trusted devices

You can click the “Remove” link to force authentication on the next login. Do this right away if a remembered machine is shared, lost, or possibly compromised.

What Happens if You Uninstall the 2FAS Light Plugin

If you uninstall the plugin, your WordPress login will revert to username/password only. If you choose to re-install the plugin later, you’ll have to pair the phone with the plugin again. Note what this implies: anyone who already has administrator access can deactivate the plugin and switch 2FA off, so it protects the login step, not an admin session that is already compromised.

The Truth Is, Two-Factor Authentication Is a Bit of a Pain to Use

Yes, it’s less convenient than a username and password alone. You need your phone nearby to log into 2FA sites. You have to get your timing down to avoid entering expired codes.

But every time I feel like 2FA is slowing me down, I remember what it’s doing for me. That it would frustrate and defeat anyone trying to gain access to my accounts. When I consider that, I no longer feel inconvenienced. I just feel protected.

Is it perfect?

Well, if you aren’t in the habit of losing or destroying your phone, it is kind of perfect. 😉 In any event, it’s the most perfect (free) solution available to most of us. And that makes it worth using.

Are you annoyed by using two-factor authentication? Do you feel your website administration is safer with 2FA in place?

I’d love to hear from you. Let me know in the comments.

Author: Michael Phillips

Michael Phillips is a web hosting industry veteran, helping people make the most of their web presence since 1995.
