How to Setup WordPress Two Factor Authentication

How to Setup WordPress Two Factor Authentication. Any online business that holds personal customer information needs a verification mechanism to prevent unauthorized access.

 

Passwords have been the most commonly used login authentication mechanism on the web for a long time. However, passwords alone do not provide enough security. Follow this article and we will explore why you need to set up WordPress Two Factor Authentication.

What is WordPress

WordPress is an open source content management system (CMS) for building websites and blogs (anything from lifestyle blogs and professional portfolios to business websites, e-commerce or mobile applications).

The necessity of WordPress Two Factor Authentication

Nowadays, passwords are relatively easy to break. Logging in with a username and a password is considered a single-factor (single-step) authentication method. Two Factor Authentication simply adds an additional step to strengthen the security of your logins, so that they do not rely on the password alone (using a security key, your phone, etc.).

Furthermore, passwords need to be stored on a server for verification. Therefore, an attack, breach, or leak in that system will expose the passwords.

Two Factor Authentication (2FA) adds an extra security layer and puts a further obstacle in front of potential attackers. Implementing 2FA in WordPress is a straightforward process.

WordPress is the most widely used CMS platform in the world. It is worth having a look at how to install a WordPress server. It’s very easy to set up 2FA for your WordPress website, and the good news is that you can set it up for free.

2FA on wordpress.com and wordpress.org

There are two main ways to set up your WordPress website.

  1. Utilizing wordpress.com, which is the hosted service platform provided by the creators of WordPress. However, it has some limitations and comes with a paywall.


  2. Utilizing the open-source wordpress.org platform. Here, you can download the WordPress core and use it with any hosting service provider you’d like.

Setting up 2FA with wordpress.com platform

It’s very easy to set up WordPress Two Factor Authentication with the wordpress.com platform as it comes with a built-in 2FA system. It offers 2FA via a mobile authenticator app or a physical security key.

Click on your profile icon to access the 2FA settings page in the WordPress.com platform.

Click on Security.

Open Two-Step Authentication

Now, open the Two-Step Authentication tab and click on Get Started.

Then, you’ll be prompted to provide your country and mobile number, and to choose one of two authentication methods:

1. Verify via SMS

Once this method is selected, you’ll receive a text message with a 7-digit code. Enter this code on the settings page and click Enable. After that, you’ll receive the 2FA code via SMS each time you try to log in.

2. Verify via an Authenticator app

This method will require you to install an authenticator app on your mobile device. You can choose from Google Authenticator, Microsoft Authenticator, Twilio Authy, or another app.

Scan the provided QR code using the app. Then enter the 6-digit code shown by the app and proceed to the next step by clicking Enable.

*Important: You’ll be prompted to print/save backup codes, and you shouldn’t skip this step. These backup codes will come in handy when you are unable to use the mobile device or if anything else goes wrong.
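As an added example (not wordpress.com’s or Wordfence’s implementation), this is how a service can issue the backup codes described here and honour each one only once, storing hashes rather than the codes themselves; the code length and the count of five (the number Wordfence hands out later in this guide) are constructed choices.

```python
import hashlib
import hmac
import secrets

# Constructed choices for this example: five codes, 8 random bytes each (16 hex digits).
BACKUP_CODE_COUNT = 5
BACKUP_CODE_BYTES = 8


def generate_backup_codes(count=BACKUP_CODE_COUNT):
    """Return (plaintext codes to show the user once, set of hashes to store).

    Only the hashes are persisted, so a database leak does not hand out
    working second factors."""
    codes = [secrets.token_hex(BACKUP_CODE_BYTES) for _ in range(count)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_backup_code(stored_hashes, submitted):
    """Consume a backup code: each code succeeds at most once."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    # Constant-time comparison against each stored hash.
    match = next((h for h in stored_hashes if hmac.compare_digest(h, digest)), None)
    if match is None:
        return False
    stored_hashes.discard(match)  # single use: a replayed code must fail
    return True


if __name__ == "__main__":
    codes, store = generate_backup_codes()
    print("codes to print/save once:", codes)
    print("first use:", redeem_backup_code(store, codes[0]))   # True
    print("reuse:", redeem_backup_code(store, codes[0]))       # False
    print("codes left:", len(store))                           # 4
```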

Finally, click All finished to complete the process.

Setting up 2FA with wordpress.org platform

In contrast to the hosted wordpress.com platform, the wordpress.org platform offers the freedom to use any service/plugin you’d like for setting up 2FA. You can choose from a number of available plugins to activate the WordPress Two Factor Authentication feature on your website. 

In this guide on How to Setup WordPress Two Factor Authentication we will use the popular Wordfence Login Security plugin to activate Two-Factor Authentication on your WordPress website.

Install the Wordfence Login Security plugin and activate it.

Once the plugin is activated, you’ll get a new admin menu entry named Login Security.

Then you can start setting up 2FA on the plugin page. Wordfence supports authenticator apps that implement TOTP, such as Google Authenticator, FreeOTP, and Authy. You can find all the supported apps here.

Set up your 2FA

  1. Install your preferred app on your mobile device, and open it.

  2. Scan the QR code using the app. You can enter the provided text code in the app if your authenticator app doesn’t support scanning QR codes.

  3. The app will show a code after scanning the QR code (or after providing the text code). Enter that code in the input box at the bottom-right and click Activate.

  4. You will be provided with five backup codes that can be used in case you lose, or are unable to access, the mobile device with the app. Click Download and store the downloaded file in a secure location.

* A code generated by the app is valid only for a limited time. A new code is generated once the previous one expires, so you have to use the generated code within its validity period.
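As an added example (not Wordfence’s or any authenticator app’s code), here is the TOTP scheme (RFC 6238) that the apps listed above implement, showing why a 6-digit code is only accepted within its 30-second step; the one-step tolerance either side is an assumption for this example, not a documented Wordfence setting, and the secret is the RFC reference seed used as a constructed value.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # one code per 30-second step, as the guide describes
DIGITS = 6          # the 6-digit codes the authenticator app shows


def totp_code(base32_secret, at_time):
    """Return the 6-digit code for the 30-second step containing at_time."""
    key = base64.b32decode(base32_secret.upper())
    counter = at_time // STEP_SECONDS
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(base32_secret, submitted, now=None, window=1):
    """Accept the code for the current step or (assumed) one step either side,
    so a code typed near the end of its 30 seconds still works; anything older
    is expired, as the note above warns."""
    now = int(time.time()) if now is None else now
    for step in range(-window, window + 1):
        candidate = totp_code(base32_secret, now + step * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):  # constant-time compare
            return True
    return False


# Constructed secret: the RFC 6238 reference seed "12345678901234567890" in
# base32, the same format the QR code / text code hands to the app.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    code = totp_code(DEMO_SECRET, 59)          # "287082" per the RFC test vector
    print("code at t=59:     ", code)
    print("accepted at t=59: ", verify_totp(DEMO_SECRET, code, now=59))   # True
    print("accepted at t=89: ", verify_totp(DEMO_SECRET, code, now=89))   # True, one step later
    print("accepted at t=119:", verify_totp(DEMO_SECRET, code, now=119))  # False, expired
```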

Configure Additional Settings

The Settings tab allows you to further configure how the Wordfence Login Security plugin is applied sitewide.

This plugin enables you to require 2FA for all users, or to select for which user account types (roles) 2FA must be activated (e.g. only administrator accounts).

Additionally, it provides a grace period for any account on which the site admin has required 2FA, so that the account owner can set it up properly. The account owner must set up 2FA on their account before that date, or else they’ll lose access to the account.

Furthermore, there’s an option to remember the 2FA verification for 30 days. When this option is enabled, a user only has to enter the 2FA code once every 30 days. However, enabling this option is not recommended.

You’ll also be offered an option to apply 2FA to XML-RPC to harden access through it, and applying this option is recommended. However, it’s recommended to disable XML-RPC completely if you don’t use it.

Wordfence Login Security lets admin users enable Google reCAPTCHA v3 on the login and registration pages. On top of that, it provides the ability to whitelist IP addresses that skip the 2FA prompt.

At the bottom of the page, admin users can activate WooCommerce support if needed. They also have the option to remove Wordfence Login Security data on plugin deactivation. However, if this option is enabled, admin users will have to go through the whole plugin setup again upon reactivation.

Deactivate WordPress Two Factor Authentication for an account

You may need to deactivate 2FA for some reason. It can be done either from the Login Security page or by editing each user’s profile page.

Simply click Deactivate under the Wordfence 2FA Active section.

Verify WordPress Two Factor Authentication is working properly

It’s always good practice to verify that the plugin works as intended for functionality like 2FA.

Log out of your account and try to log back in. It’ll ask for your username and password (as usual). Then, if everything works fine, you’ll be prompted to provide the 2FA code in the next step.

Enter the 6-digit code shown by your authenticator app and you’ll be redirected to your WordPress dashboard.

Great! We have learned how to set up WordPress Two Factor Authentication.

How to Setup WordPress Two Factor Authentication Conclusion

It’s essential to have WordPress Two Factor Authentication enabled on your website. It provides an extra layer of security and peace of mind. Another security feature is to enable WordPress SSO. To protect your WordPress site, use strong and unique passwords and implement two-factor authentication.

Stolen, reused and weak passwords remain a leading cause of security breaches. Still, companies often rely on passwords as the only login mechanism even with the growing threats against user accounts, privacy, and access management. However, public awareness is growing quickly, increasing the demand for better login security. This will force everyone to adopt better login mechanisms in the near future.

Shanika Wickramasinghe

Senior Software Engineer at WSO2 which is the 6th largest Open Source Software Company in the World. My main skills are machine learning and software development. I have 5+ years of experience as a Software engineer.
