How to set up two factor authentication (2FA) on your WordPress site?

Author: Vic Lobins, Lead Back End Developer

Date posted: 15th Mar 2021

Category: WordPress


What is Two Factor Authentication (2FA or TFA)?

Two factor authentication (2FA) is an additional layer of security for your WordPress website. It describes the process of requiring a user to prove their identity with two distinct “factors” before being granted access to the website. The first factor is the password associated with the username; the second factor is the time-limited code checked by the two factor authentication plugin.

Users are accustomed to conventional authentication systems that require only a username and a password to gain access. 2FA increases the security of the site by adding an extra step to the process and requiring the user to verify their identity using a different method.

One of the safest and most widely recommended methods is a One-Time Password (OTP).

An OTP is generated periodically and delivered to the user through a channel that only they have access to.

These channels include, but are not limited to, email, an authenticator app, security keys, and SMS.

How to protect your WordPress website using Two Factor Authentication?

Below is a guide on how to add 2FA to your website using a two factor authentication plugin and an authenticator app.

Step one: installing the two factor authentication plugin

There are plenty of 2FA plugins available in the WordPress plugin directory. We are going to use the Wordfence Login Security plugin for this guide.

The simplest way to install the plugin is through the WordPress Dashboard. After logging in as an Administrator:

  1. Go to Plugins > Add New
  2. Type Wordfence Login Security in the search box
  3. Click “Install Now” next to the plugin
  4. Once the installation is complete, click on Activate

Step two: downloading the authentication app

As with the authentication plugin, there are many options for authenticator apps. We will be using the Microsoft Authenticator app for iOS and Android, as in our experience it has proven more reliable than the other options available.

  1. Install and open the app
  2. Click on Add Account
  3. Select Other as the type of account
  4. Allow the app to access the device camera so it can scan the 2FA QR code, then move to the next step

Step three: enabling Two Factor Authentication

  1. Go to your user profile on your website’s dashboard [Users > Profile]
  2. Scroll down to the Wordfence Login Security section and click “Activate 2FA”
  3. Scan the QR code with the Microsoft Authenticator app
  4. Enter the code from the authenticator app in the input field
  5. Click Activate
  6. You’ll be prompted to download a recovery code
  7. Click Download and keep the file safe so you can recover access if you lose access to the app.

You have now successfully set up two factor authentication for your account.

The next time you log in you’ll be prompted to enter the 2FA one-time code, which changes every 30 seconds and is shown in the authenticator app.
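To make the “changes every 30 seconds” behaviour concrete, here is an added example (not part of the original post and not Wordfence or Microsoft Authenticator code) of how a time-based one-time password (TOTP, RFC 6238) is derived from the shared secret carried by the QR code and the current time, and how a verifier accepts a code with a small tolerance window for clock drift. The secret used is the published RFC 4226/6238 test-vector secret, base32-encoded; it is a constructed sample, not a real secret. The function names are this example's own.

```python
"""
Added example: TOTP (RFC 6238) code generation and verification.
Not code from the original post, Wordfence, or Microsoft Authenticator.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the 20-byte RFC 4226/6238 test secret ("12345678901234567890"),
# base32-encoded the way a provisioning QR code carries it. A real secret must be
# random and kept private; it is what both the plugin and the app share.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating lower case, spaces and missing '=' padding."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the window
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)        # keep leading zeros


def totp(secret_b32: str, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second intervals since the epoch."""
    counter = max(0, int(unix_time // step))
    return hotp(secret_b32, counter, digits)


def verify_totp(secret_b32: str, code: str, unix_time: float,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """
    Accept `code` if it matches the current time step or any step within
    `window` steps either side, which absorbs small clock drift between
    the server and the phone. The comparison is constant-time and does not
    short-circuit, so timing does not reveal which step (if any) matched.
    """
    accepted = False
    for delta in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + delta * step, step, digits)
        if hmac.compare_digest(candidate, str(code)):
            accepted = True
    return accepted


if __name__ == "__main__":
    now = time.time()
    current = totp(TEST_SECRET_B32, now)
    print(f"Current code: {current} (valid for about {30 - int(now % 30)} more seconds)")
    print("Verifies now:              ", verify_totp(TEST_SECRET_B32, current, now))
    print("Verifies two minutes later:", verify_totp(TEST_SECRET_B32, current, now + 120))
```

Run it a few times 30 seconds apart and the printed code changes with each time step, exactly as the app display does. A production verifier additionally remembers the last time step it accepted for a user and refuses to accept that step again, so a code that was just used cannot be replayed inside the tolerance window.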

How to recover your account if you lose access to the authenticator app?

If you lose your phone or otherwise lose access to the app, you won’t be able to log in to the website.

Luckily there is a way to disable two factor authentication on the website: disable the plugin by following these steps:

  1. Access your hosting server using FTP, SSH, or the cPanel file manager.
  2. Navigate to the plugins folder on your server.
    Example path: /wp-content/plugins/
  3. Rename the Wordfence Login Security plugin folder.
    wordfence-login-security  ->  wordfence-login-security-old
    This disables the plugin, as WordPress can no longer locate the plugin files.
  4. Log in to the website normally and you won’t be prompted to enter the 2FA code.

Two factor authentication is an excellent way to improve the security of your WordPress website. Even if your login details were compromised and someone got access to your username and password, they won’t be able to log in without the 2FA code which is available only through the app.
