How to Add Two Factor Authentication in WordPress
Do you want to know how to add two-factor authentication to WordPress? You're in the right place!
Brute force attacks are the most common threat to the WordPress login: attackers use automated scripts that try to guess the right username and password.
Picture this: they keep trying different combinations of usernames and passwords until one finally works. At that point, your WordPress site is under their control.
You don't want that, right?
As a WordPress website owner, it's better to strengthen your login security in every possible way. This is where two-factor authentication (2FA) comes into play. It is a powerful tool that adds a second security layer to the login process: access requires both your login credentials and a verification code.
In this article, we'll walk you through setting up WordPress two-factor authentication using 2FA plugins.
Let's get started!
What is WordPress Two Factor Authentication?
Two-factor authentication is a powerful security measure that can significantly enhance the protection of your WordPress websites.
In addition to your login credentials, it requires a second proof of identity, such as:
- PIN number
- Password
- Secret question
- Fingerprint
- Iris scan
- Voice print
… and more. Such a code is valid only for a limited time, and you need it to gain access to your site.
This greatly reduces the chance that a brute-force attack on your WordPress site succeeds.
What is an Authenticator App?
An authenticator app is the usual way to complete two-factor authentication in WordPress. These apps generate time-based one-time passcodes for use in two-factor authentication (2FA) systems, and they run on various devices, including smartphones and computers.
They enhance the security of online accounts by requiring users to provide a secondary code, in addition to their regular username and password, during the login process.
There are hundreds of authenticator apps available for free. Here are two of the top picks:
- Google Authenticator: Google Authenticator generates the authentication code on your phone.
- Authy: Authy is another mobile application that provides two-factor authentication to protect online accounts.
Why Do You Need WordPress Two Factor Authentication?
As you now know, two-factor authentication significantly strengthens the security of your WordPress account by requiring two forms of authentication before granting access. It's a simple yet powerful tool to protect your WordPress site and its content from unauthorized access.
Here are some key reasons you need 2FA for WordPress:
- Enhanced Security: A username and password alone can be vulnerable to various attacks, such as brute-force attacks. Two-factor authentication adds an additional barrier, making it much harder for unauthorized users to gain access.
- Protection Against Stolen Credentials: Even if an attacker successfully brute-forces your password, they still cannot produce the code from your chosen authentication app. As a result, they fail to get access to your site.
- Protecting Multiple Accounts: If you use the same or similar passwords for multiple accounts, 2FA can prevent an attacker who gains access to one account from easily compromising others.
Different Plugins to Add WordPress Two Factor Authentication
There are many WordPress two-factor authentication plugins available that integrate authentication apps with WordPress. They add methods such as:
- One-Time Codes
- Email Verification
- Google Authenticator
This article will show you how to use Two-Factor and WP 2FA on a customized login page designed with LoginPress.
Note: LoginPress is fully compatible with Two-Factor, WP 2FA, and other WordPress 2FA plugins. Combined, they give you a customized and secure WordPress login page. Make sure to install and activate LoginPress first.
1. Two-Factor
Two-Factor is one of the best free WordPress 2FA plugins. It offers multiple 2FA methods for your account, including:
- Authentication via Email
- Time-Based One-Time Password (TOTP)
- FIDO U2F Security Keys
- Backup Verification Codes (Single Use)
To set up Two-Factor, follow these steps:
Step 1. Install and Activate Two-Factor
First off, go to the left sidebar of your WordPress admin dashboard. Navigate to Plugins and click the Add New option.
Next, you’ll be on the Add Plugins screen. Search Two-Factor in the search box.
Find the plugin in the list, click Install Now, and then click Activate.
Step 2. Configurations
All you need to do is go to the left sidebar of the WordPress admin dashboard, navigate to Users, and click the Profile option.
Now, scroll down a bit and find the Two-Factor Options section.
Now, choose an authentication method. There are two options: Email and Time-Based One-Time Password (TOTP).
1. Two-Factor Authentication via Email
If you prefer two-factor authentication via email, you'll need to enter a unique code sent to your account's email address each time you log in to your WordPress site.
This ensures only you can access your account, even if someone else has your password.
To set up two-factor authentication via email, tick the Enabled checkbox and select the Primary option.
Once enabled, authentication codes will be sent to the associated Email address.
Now, you’ll be prompted to enter a verification code sent to you via the associated email address.
It’s important to remember that two-factor authentication via email is not foolproof. If your email account is compromised, the attacker could also access your online accounts.
To minimize this risk, it’s important to use a strong and unique password for your email account and enable additional security measures such as two-factor authentication for your email account as well.
2. Two-Factor Authentication via Time Based One-Time Password (TOTP)
You can also enable two-factor authentication via Time-Based One-Time Password (TOTP). With TOTP, an app generates a unique, time-limited code that is required to access your account.
To set up two-factor authentication via TOTP, tick the Enabled checkbox and select the Primary option.
Next, you'll need to pair your WordPress site with Google Authenticator. Install the Google Authenticator app from your smartphone's app store.
Once you've installed the app, it offers two ways to add an account: Scan a QR code and Enter a setup key.
Select Scan a QR code, and the Google Authenticator QR code scanner will open. Now, scan the QR code shown in the Two-Factor WordPress interface.
Next, you'll get a notification confirming that the Google Authenticator app has been connected to your site.
After you scan the QR code, the Google Authenticator app will show a 6-digit OTP that is valid for only 30 seconds.
Enter this 6-digit OTP into Two-Factor's Authentication Code field and click the Submit button.
Once you submit the Authentication Code, you'll see the notice "Secret key is configured and registered" exactly where the QR code was.
Tick the Enabled and Primary checkboxes.
All done; now click the Update Profile button.
Two-Factor is now integrated with your WordPress website. Every time you try to log in, the Google Authenticator app on your phone will show a fresh OTP, and you must enter it to verify the login. You cannot log in without an authentication code.
3. Backup Verification Codes (Single Use)
Two-Factor also offers backup verification codes: it creates 10 codes at a time. Save them somewhere safe and use one if you need to log in and cannot use either of the other two methods.
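The defining properties of backup codes are that they are random, stored only as hashes, and accepted exactly once. The following added example (my own illustration, not the Two-Factor plugin's code) models that: it assumes 8-digit numeric codes and PBKDF2-HMAC-SHA256 for storage, both of which are choices made here rather than taken from the plugin.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional


def generate_backup_codes(count: int = 10, length: int = 8) -> List[str]:
    """Create `count` random numeric codes of `length` digits, like the ten
    single-use codes Two-Factor issues. `secrets` is a CSPRNG; never use `random` here."""
    return [str(secrets.randbelow(10 ** length)).zfill(length) for _ in range(count)]


def hash_code(code: str, salt: bytes) -> str:
    """Store only a salted, stretched hash so a leaked database yields no usable codes.
    Assumption: PBKDF2-HMAC-SHA256 at 100k rounds; the plugin's own storage may differ."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000).hex()


class BackupCodeStore:
    """Per-user set of unused code hashes. A code is deleted the moment it is accepted,
    which is what makes it single-use."""

    def __init__(self, codes: List[str]) -> None:
        self.salt = secrets.token_bytes(16)
        self.unused = {hash_code(c, self.salt) for c in codes}

    def remaining(self) -> int:
        return len(self.unused)

    def redeem(self, submitted: str) -> bool:
        """Return True and burn the matching code; a reused or unknown code is refused."""
        candidate = hash_code(submitted.replace(" ", "").replace("-", ""), self.salt)
        match: Optional[str] = next(
            (stored for stored in self.unused if hmac.compare_digest(stored, candidate)),
            None,
        )
        if match is None:
            return False
        self.unused.discard(match)
        return True
```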
2. WP 2FA
WP 2FA is another powerful WordPress 2FA plugin. It enables you to add primary 2FA methods to your site’s login page, including:
- One-time code via 2FA App (TOTP)
- One-time code via email (HOTP)
To set up WP 2FA, follow these steps:
Step 1. Install and Activate WP 2FA
Go to the left sidebar of your WordPress admin dashboard > Plugins > Add New option.
Next, you’ll be on the Add Plugins screen. Search WP 2FA for WordPress in the search box.
Find the plugin in the list, click Install Now, and then click Activate.
Step 2. Configuration
Now you're ready to configure it for your login. Go to the left sidebar of the WordPress admin dashboard > WP 2FA > 2FA Policies.
On the next screen, choose which 2FA methods to allow:
- One-time code via 2FA App (TOTP)
- One-time code via email (HOTP)
Note: You can also allow users to specify their email address.
Next, choose which users 2FA is enforced on. There are three options:
- All users
- Only for specific users and roles
- Do not enforce on any users
Note: Here, we are selecting the All users option.
Next, you can set a grace period for your users to configure 2FA. Users must configure 2FA within that time, or they will be locked out.
When you are done, click the Save Changes button.
Now, try to log in, and you’ll see that the WP 2FA is working fine on the customized login page.
3. Other WordPress 2FA Plugins
You can also go for any other WordPress 2FA plugin.
Note: If you’re confused about which WordPress 2FA plugin is best for you, see our detailed guide on the 7 Best WordPress 2FA Plugins in 2023.
How Does 2FA for WordPress Work?
Now that you've added 2FA to your WordPress site, you might wonder how it actually works once enabled.
Once 2FA is active on your site's login page, you first enter your login credentials, i.e., username or email address and password.
Next, you’ll be required to provide the authentication code provided by the authentication app.
When done, you’ll find yourself logged in.
Two Factor Authentication FAQs
Are there any security risks associated with 2FA?
2FA enhances a WordPress site's security, but it's not invulnerable. If your second factor, i.e., your mobile device, is compromised, it could lead to unauthorized access.
Are there any drawbacks to using Two-Factor Authentication?
One drawback of using Two-Factor Authentication is that it can make it more difficult to log in to your account, especially if you do not have your smartphone. Additionally, some users may find it inconvenient to go through an extra step to access their account.
Is Two-Factor Authentication enough to keep my WordPress site secure?
Two-factor authentication is, no doubt, an important security measure. But it should not be the only one you use to protect your WordPress site. You should also ensure your site is updated with the latest security patches and use strong passwords and other security measures to protect your site from potential attacks.
What happens if I lose access to my 2FA device?
If you lose access to your 2FA device, i.e., mobile phone, it’s important to have a backup code. Several WordPress 2FA plugins offer backup code features that you can use to regain access. Otherwise, you can contact your site administrator for assistance.
Final Thoughts
We are sure you now know how two-factor authentication can improve your WordPress site's security and protect it from unauthorized access.
2FA is becoming increasingly popular as a security measure, particularly for online banking, social media, and other sensitive accounts. Traditional passwords can be compromised through various means, such as phishing attacks, keylogging, or brute force attacks. By contrast, 2FA requires an additional step for a successful login, making it much more difficult for attackers to access an account.
Thank you for reading this article. Don’t forget to share this article with others who might find this helpful too!
How far have we helped you implement 2FA on your WordPress site?
Let us know by leaving a comment below!