Attackers scan the whole internet for WordPress sites, so you should make sure yours is protected by current WordPress security best practices.

One of the most common tactics is to use automated tools to guess the username and password of a WordPress site administrator.

This technique is known as a brute force attack.

If the attacker guesses the password correctly and gets into your site, they can infect it with malware or take it over entirely.

Adding two-factor authentication to WordPress is one of the best practices that measurably improves the security of your website.

It does not make a site unbreakable, but it means that a guessed or leaked password on its own is no longer enough to log in, for you and for every user who has signed up.

In this post, I’ll show you how to use either of two WordPress plugins to add two-factor authentication to your WordPress site for some or all of your users.

What is 2-factor authentication?

Two-factor authentication (2FA), also known as two-step verification or dual-factor authentication, is an identity and access management method that requires users to present two distinct authentication factors to prove who they are before they are granted access to a restricted system, in this case the backend of your WordPress website.

It works by requiring the user to provide a password as the first factor and a one-time code as the second. The code is time-based: it changes every 30 seconds, so a code that is observed or intercepted is useless shortly afterwards.

By doing this, even if a hacker successfully guesses your password, they will still need to enter a second security code from an authentication application on your phone in order to access the website’s backend.

This makes it considerably more difficult for an attacker to reach a website’s backend, even where a user has chosen a weak or reused password.

Compared with single-factor authentication (SFA), which relies on the password alone, 2FA offers a substantially higher level of security.

Authentication app

Authenticator apps generate time-based one-time passcodes (TOTP), usually six digits that refresh every 30 seconds.

This means that if an attacker somehow obtains a code, it stops working once its 30-second window has passed (plus whatever small clock-drift tolerance the site allows, typically one extra step). The caveat is that a real-time phishing page can still relay a freshly typed code within that window, so TOTP protects you against stolen or guessed passwords, not against every phishing attack.

Once you’ve configured the authenticator, you open the app each time you log in to your website and type the current code into the second step of the login form.

Authentication apps

These apps compute each code from a secret that is shared with your site when you scan the QR code and from the current time, so they don’t require an internet connection to function.

They don’t have access to your login information or accounts and don’t communicate in any way with your website.

Any of the well-known authenticator apps listed below can be used, since they all implement the same TOTP algorithm.

With the exception of Google Authenticator, these applications offer account backup and recovery, and add app-level protection by requiring a PIN or biometric check before the codes are shown.

If you lose your phone, account recovery lets you restore all of your registered accounts on a new device. Bear in mind that a cloud backup of your 2FA secrets is only as safe as the account that holds it, so protect that account with a strong, unique password and its own 2FA.

1. 2FAS

  • You can create encrypted cloud backups of your registered accounts.
  • It provides account code recovery that is only accessible through the 2FAS application
  • It adds an extra degree of security by requiring a PIN or biometric authentication to access codes.

2. Microsoft Authenticator

  • You can create cloud backups of your registered accounts.
  • It provides account code backup and recovery
  • It adds an extra degree of security by requiring a PIN or biometric authentication to access codes.
  • As an added feature, it can function as a password autofill/saver app on your mobile phone.

3. LastPass Authenticator

  • You can create backups of your registered accounts in your LastPass vault
  • You need to install the LastPass password manager to back up your registered account
  • It adds an extra degree of security by requiring a PIN or biometric authentication to access codes.

4. Google Authenticator

  • It keeps your codes on the device by default; newer versions can optionally sync them to your Google Account, but the app itself offers no separate backup.
  • Otherwise, the only way to move your codes is the app’s own export/import transfer from one phone to another.

2FA using the ‘WP 2FA’ plugin

This method is the easier of the two and the one I recommend for most sites.

It is flexible: on a multi-user WordPress website, such as a membership site, you can enable 2FA for everyone, or enforce it only for particular user roles or usernames, rather than leaving it up to each user to opt in.

1. Install and activate the WP 2FA – Two-factor Authentication plugin.

Screenshot of WP 2FA in the WP plugin directory

2. A setup wizard will be displayed to help you configure the plugin.

If you do not see the setup wizard, navigate to Users on the left-side menu of your WordPress dashboard and edit your profile.

Scroll down to the WP 2FA Settings section and click on the Configure Two-factor authentication (2FA) button to launch the setup wizard.

Click on Let’s get started!

Screenshot of WP 2FA setup wizard

3. Choose your authentication methods.

I recommend leaving both options ticked:

  • One-time code via a 2FA application
  • One-time code via email

Bear in mind that the email option is only as strong as the user’s mailbox, so treat it as a fallback for users who cannot run an authenticator app rather than as the primary method.
Screenshot of WP 2FA - authentication methods

4. Next, choose which of your site’s users must set up 2FA on their profiles.

You can enforce it for all users or only for some.

You can also target specific usernames and/or user roles.

Screenshot of WP 2FA - enforce users

5. If you chose to enforce 2FA for all users in the previous step, here you can exclude individual users by username or role.

Screenshot of WP 2FA - exclude users

6. You can choose how long users have, in hours or days, to set up 2FA on their accounts before they lose access to the site. Keep this grace period short: until it expires, the accounts you are enforcing 2FA for are still protected by a password alone.

Screenshot of WP 2FA - Grace period

7. The wizard configuration is now complete. Click Configure 2FA now to proceed to enrolling your own profile with the authenticator app on your phone.

Screenshot of WP 2FA - Wizard Setup complete

8. Choose …with your app and click NEXT STEP.

Screenshot of 2FA - setup authentication

9. Scan the displayed QR code with your authentication app.

Screenshot of 2FA - Scan QR code

10. Enter the code currently shown in your app in the space provided, so the site can confirm that the app and the site share the same secret.

Click VALIDATE & SAVE afterwards.

Screenshot of 2FA - Input code

11. Backup codes let you log in if you lose your phone or cannot, for whatever reason, open your authenticator app.

Click on GENERATE LIST OF BACKUP CODES.

Screenshot of 2FA - Authentication complete

12. COPY or PRINT the codes and keep them in a safe place. Each code is single-use, and they bypass your authenticator app, so store them offline and separately from your password, not in the same note or password-manager entry.

Screenshot of 2FA - Backup codes
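To show why backup codes should be generated randomly, stored only as hashes and consumed on use, here is an added example of how such a scheme can work. It is illustrative code, not the WP 2FA plugin’s implementation, and the alphabet, code length and storage format are my own choices.

```python
# Added example: single-use backup codes for a 2FA fallback. Not the plugin's code.
import hashlib
import hmac
import secrets

# Hypothetical choice: no 0/O/1/I, so codes read unambiguously from paper.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def generate_backup_codes(count: int = 10, length: int = 10) -> list[str]:
    """Random codes shown to the user exactly once, e.g. 'K7PQ2-M9XR4'.
    10 characters from a 32-symbol alphabet is 50 bits of entropy per code."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def hash_code(code: str) -> str:
    """Store only a hash so a database leak does not hand out usable codes.
    The codes are high-entropy random strings, so a plain SHA-256 is enough
    (unlike user-chosen passwords, which need a slow, salted hash)."""
    normalized = code.replace("-", "").replace(" ", "").upper()
    return hashlib.sha256(normalized.encode()).hexdigest()


def store_backup_codes(codes: list[str]) -> set[str]:
    """What would be saved against the user's profile: hashes only."""
    return {hash_code(c) for c in codes}


def redeem_backup_code(stored_hashes: set[str], submitted: str) -> bool:
    """Accept a code at most once: its hash is removed on success, so a
    code copied by someone else cannot be replayed after the owner used it."""
    h = hash_code(submitted)
    for candidate in stored_hashes:
        if hmac.compare_digest(candidate, h):
            stored_hashes.discard(candidate)
            return True
    return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("\n".join(codes))                         # show once, then forget
    vault = store_backup_codes(codes)                # persist this, not the codes
    print(redeem_backup_code(vault, codes[0]))       # True
    print(redeem_backup_code(vault, codes[0]))       # False: already used
    print(redeem_backup_code(vault, "AAAAA-AAAAA"))  # False: not a valid code
```

The two properties worth carrying over from this to any real implementation are that the plaintext codes exist only on the screen or printout the user was shown, and that a code is invalidated the moment it is accepted.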

13. Now, every time you try to log in to your site, you will be required to provide a code from your authentication app.

Screenshot of 2FA - Login Page

2FA using the ‘Two Factor’ plugin

This method is a little less flexible, as it does not allow you to enforce two-factor login for all users.

Each user has to set it up on their own profile and can disable it again from there, so on a multi-user site you will need to check periodically that the accounts that matter still have it turned on.

1. Install and activate the Two Factor plugin.

Screenshot of Two Factor plugin in WordPress directory

2. Upon activation, navigate to Users on the left-side menu of your WordPress dashboard.

Screenshot of Two Factor - Navigate to users

3. Hover over your profile to Edit it.

Screenshot of Two Factor - Edit User

4. On your profile page, scroll down to the Two-Factor options.

Screenshot of Two Factor settings

From here you can choose your authentication methods. The plugin allows you to use any of the following:

  • Email
  • Authenticator app: scan the QR code with any authenticator app and enter the code the app displays in the space provided.
  • FIDO U2F Security Keys
  • Backup verification codes

Choose Time-based One-Time Password (TOTP) along with any other methods you want, and set it as the Primary method. As with the other plugin, email is the weakest of these, since anyone who can read the mailbox can complete the login; a security key is the strongest, because it cannot be phished.

5. Click the Submit button; the plugin will then generate and save the secret key for your account.

Click the Update Profile button to save your settings.

Screenshot of Two Factor - setup completed

You will now be asked for the code from the authenticator app on your phone each time you log in to your WordPress website.