How to enable two-factor Authentication in WordPress (2 Easy Way)

two-factor Authentication

If you’re like most WordPress site owners, you want to do everything possible to keep your site safe from hackers. One way to do that is by enabling two-factor authentication.

This security measure requires something you know (your password) and something you have (a code generated by an app on your phone, for example).

In this blog post, we will show you how to enable two-factor authentication on your WordPress site.

WordPress is the most popular content management system in the world. As of March 2017, 43% of all websites were built on WordPress which owns 62% of the Market share according to W3tech.

How to enable two-factor Authentication in WordPress (2 Easy Way) 32

This makes WordPress a big target for hackers. While there is no such thing as a 100% secure website, you can take steps to make your WordPress site more secure. One of those steps is enabling two-factor authentication.

What is Two-Factor Authentication?

Two-Factor Authentication

Two-factor authentication is an extra layer of security that can be added to your WordPress login. It requires you to have two things before you can log in:

  • Something you know (your password)
  • Something you have (a code generated by an app on your phone)

With two-factor authentication enabled, even if someone knows your password, they won’t be able to log in to your WordPress site unless they also have the code.

Why use Two-Factor Authentication In WordPress?

How to enable two-factor Authentication in WordPress (2 Easy Way) 33

There are two main reasons to use two-factor authentication on your WordPress site:

  • To protect your site from brute force attacks.
  • To make it more difficult for someone to hack into your account, even if they have your password.

As any website owner knows, security is essential. Not only do you need to protect your site from malware and hackers, but you also need to safeguard your visitors’ information.

However, many website owners are unaware of how their site was compromised. In a recent survey conducted by WordFence, 61.5% of respondents said they didn’t know how the attacker gained access to their website.

How to enable two-factor Authentication in WordPress (2 Easy Way) 34

That’s not all they also said 25% of hackers took their site offline after they hack their website.

How to enable two-factor Authentication in WordPress (2 Easy Way) 35

This is an alarming statistic, as it means that many site owners are in the dark about how to prevent future attacks.

There are a number of ways that attackers can gain access to a website, including SQL injection and brute force attacks. However, the most common way is through security vulnerabilities in WordPress plugins and themes.

Therefore, it is important to keep your WordPress installation up to date, and to carefully vet any plugins or themes before installing them on your site. By taking these simple steps, you can help to keep your site safe from attackers.

What are Different Two-Factor Authentication Methods?

There are several different methods you can use for two-factor authentication. The most popular ones are:

  • SMS (text message)
  • Google Authenticator app
  • Email Authentication Code
  • Backup Codes
  • Security Keys

There’s much more that we will cover in this detailed guide on how to enable two-factor authentication in WordPress.

How to Enable Two-Factor Authentication in WordPress?

Fortunately, there are a few plugins you can use to add two-factor authentication to WordPress. In this section, we’ll show you how to set up two-factor authentication on your WordPress site using two popular WordPress plugins i.e. WP 2FA – Two-factor authentication for WordPress and Two-Factor.

#1 Two-Factor by Plugin Contributors

How to enable two-factor Authentication in WordPress (2 Easy Way) 36

Two-Factor is a popular two-factor authentication plugin for WordPress. It’s a completely free plugin. It offers four ways to provide two-factor authentication as follows;

  • Email: Authentication codes will be sent to your admin email.
  • Time-Based One-Time Password (TOTP): scan the QR code or manually enter the key.
  • FIDO U2F Security Keys: Requires an HTTPS connection. Configure your security keys in the “Security Keys” section on your profile page.
  • Backup Verification Codes (Single Use): Generate verification codes and use it while logging into your account.

To set up Two-Factor, follow these steps:

Install and activate the Two-Factor plugin.

Upon activation, you need to visit the User’s» Your Profile page.

How to enable two-factor Authentication in WordPress (2 Easy Way) 37

On your profile page, you’ll notice the new “Two-Step Authentication” section just below your account information.

How to enable two-factor Authentication in WordPress (2 Easy Way) 38

First, you need to select an authentication method from the dropdown menu. As we mentioned above, the plugin offers four different ways to provide two-factor authentication.

Authenticate using Email

If you select this option, the plugin will send a one-time passcode (OTP) to your admin email address every time you try to log in.

How to enable two-factor Authentication in WordPress (2 Easy Way) 39

You need to enter the OTP on the login page to complete the login process.

TOTP Authentication

If you select this option, then you need to use an authenticator app like Authy or Google Authenticator on your smartphone.

How to enable two-factor Authentication in WordPress (2 Easy Way) 40

Scan the QR code or manually enter the key into your authenticator app. Once done, you’ll start seeing a six-digit code in your app that changes every 30 seconds.

Now submit the final key to the above and click “submit” and now you will see option as;

How to enable two-factor Authentication in WordPress (2 Easy Way) 41

You need to enter this code on the login screen whenever prompted.

How to enable two-factor Authentication in WordPress (2 Easy Way) 42

FIDO U2F Security Keys

If you’re using a security key like YubiKey, then select this option. You need to connect to your WordPress site using an SSL certificate.

Configure your security keys in the “Security Keys” section on your profile page. Once done, you’ll be able to use your security key to log in.

How to enable two-factor Authentication in WordPress (2 Easy Way) 43

Backup Verification Codes (Single Use)

This is the most secure way of two-factor authentication as it doesn’t require an internet connection or a smartphone.

With this method, you need to generate verification codes and use them while logging into your account. The codes are single-use and valid for 30 seconds only.

You can generate these codes from the “Generate verification Codes” section on your profile page.

How to enable two-factor Authentication in WordPress (2 Easy Way) 44

Once you generated, you need to download it using “download codes” to your device in order to use 2FA next time using this method;

How to enable two-factor Authentication in WordPress (2 Easy Way) 45

You’ll be taken to the WordPress login page where you need to enter your username and password as usual. After that, you’ll be prompted to provide the two-factor authentication code.

Enter the code and you’ll be logged into your WordPress site successfully.

We hope this section helped you learn how to add two-factor authentication in WordPress.

#2  WP 2FA – Two-factor authentication for WordPress

WP Two-factor authentication is a great way to add an extra layer of security to your WordPress site. WP 2FA Offers 3 Free ways to authenticate users in WordPress;

  • One-time code via 2FA App (TOTP): Supported 2FA apps Including Google Authenticator, Authy etc.
  • One-time code via email (HOTP): Authenticated Code will be sent to your email.
  • Backup Codes: Backup codes are a backup option for logging in to the website if the primary two-factor authentication method is inaccessible.

Premium Options to Authenticate users;

  • 2FA login with push notification
  • 2FA login with SMS, WhatsApp & incoming call
  • One-click 2FA login

First, you need to install and activate the WP Two-factor authentication plugin.

Upon activation (or you can use the setup wizard after activation), you need to visit the WP2FA Option on the left sidebar inside your admin area.

How to enable two-factor Authentication in WordPress (2 Easy Way) 46

Go to the 2FA Policies option and select your desired (free) option to authenticate users on your website. i.e. Either TOTP or HOTP;

How to enable two-factor Authentication in WordPress (2 Easy Way) 47

If you’re using the HOTP method then you can also set the default email (of users) or the user has an option to specify email for authentication themselves.

How to enable two-factor Authentication in WordPress (2 Easy Way) 48

There’s also a secondary method which is Backup codes which can be used if none of the primary methods i.e. TOTP or HOTP works;

How to enable two-factor Authentication in WordPress (2 Easy Way) 49

Setup TOTP Using Google Authenticator

If you’re using TOTP then you need to use an authenticator app like Google Authenticator, Authy, etc on your smartphone.

How to enable two-factor Authentication in WordPress (2 Easy Way) 50

Scan the QR code or manually enter the key into your authenticator app. Once done, you’ll start seeing a six-digit code in your app that changes every 30 seconds.

You need to enter this code on the login screen whenever prompted.

Enforce Two-Factor Authentication to All or Specific Users

Once you’ve configured everything, the next step is to enforce two-factor authentication on your WordPress site.

You can do it by selecting “All user” on the same tab or you also have an option to select a custom userbase to enable two-factor Authentication in WordPress;

How to enable two-factor Authentication in WordPress (2 Easy Way) 51

You can choose on the basis of username or roles i.e. Administrator, Contributer, Subscriber, Editor etc.

How to enable two-factor Authentication in WordPress (2 Easy Way) 52

Excludes Two-Factor Authentication On the Basis of Role or Username

The plugin also provides an option to exclude two-factor authentication for a specific user or role.

You can do it by going to the “Exclude” option and then select the users or roles from which you want to remove two-factor authentication;

How to enable two-factor Authentication in WordPress (2 Easy Way) 53

After that, click on the “Save Changes” button to store your settings.

That’s, all in this way you can exclude users on the basis of roles or usernames to use two-factor authentication in WordPress.

Grace Period to Configure 2FA or Get Blocked

The plugin also allows you to set a grace period for users to configure two-factor authentication or else they will be locked out from the website.

You can find this option by going to the “2FA Policies” tab and then scrolling down a bit, there you will see an option to set the grace period;

How to enable two-factor Authentication in WordPress (2 Easy Way) 54

After that, click on the “Save Changes” button to save your settings.

Redirect users after 2FA setup

After a user has configured two-factor authentication, you can also redirect them to any custom URL.

For example, you can redirect them to the WordPress dashboard or any other custom URL.

You can find this option by going to “WP Two Factor” -> “2FA Policies” and then scroll down to the “Redirect User After Setup” section;

How to enable two-factor Authentication in WordPress (2 Easy Way) 55

After that, click on the “Save Changes” button to store your settings.

Redirect User to Custom Profile Pages

The plugin also allows you to redirect users to custom profile pages. This is important for Whitelabel Membership WordPress sites that may have frontend user profiles.

You can find this option by going to “WP Two Factor” -> “2FA Policies” and then scroll down a bit, there you will see an option for “Redirect To”;

How to enable two-factor Authentication in WordPress (2 Easy Way) 56

After that, click on the “Save Changes” button to store your settings.

Allow user to disable 2FA

The plugin also allows users to disable two-factor authentication from their user profile page.

You can find this option by going to “WP Two Factor” -> “2FA Polices” and checking the “Hide the Remove 2FA button on user profile pages” button;

How to enable two-factor Authentication in WordPress (2 Easy Way) 57

After that, click on the “Save Changes” button to store your settings.

E-mail Settings and Templates

The plugin also allows you to send emails to users after they’ve configured two-factor authentication.

You can find this option by going to “WP Two Factor” -> “Settings” -> “E-mail Settings and Templates”;

How to enable two-factor Authentication in WordPress (2 Easy Way) 58

Now you can configure following email templates;

  • Login code email
  • User account locked email
  • User account unlocked email

With the available template tags;

  • {site_url} : Your website URL
  • {site_name} : Your website Name
  • {grace_period} : Grace period for your users
  • {user_login_name} : Login UserName
  • {user_first_name} : First Name
  • {user_last_name} : Last Name
  • {user_display_name} : Display name
  • {login_code} : Codes for verification via HOTP
  • {user_ip_address} : User’s IP address

You can design all emails as you want using the WordPress editor itself, add links, Images or embed videos inside the email.

Change The Default Text

Change the default text For The WordPress 2FA Login Page

The plugin also allows you to change the text for the WordPress login page.

You can find this option by going to “WP Two Factor” -> “Settings” -> “Whitelabeling”;

How to enable two-factor Authentication in WordPress (2 Easy Way) 59

You have two options to edit;

  • 2FA code page text
  • Backup code page text

Here you can choose and write the default text when the user uses 2FA.

After that, click on the “Save Changes” button to store your settings.

More Resources;

Conclusion

We hope this tutorial helped you learn how to enable two-factor authentication in WordPress. If you have any questions or suggestions, feel free to leave a comment below. Thanks for reading!

Frequently Asked Questions

We hope this tutorial helped you configure your WordPress security but in-case if you have some questions, do find the list of questions we have collected as frequently asked questions below;

How do I turn off two-factor authentication in WordPress?

If you want to turn off two-factor authentication in WordPress, you can find this option by going to “WP Two Factor” -> “2FA Policies” -> “Enforce 2FA on”.

You will see an option for “Do not enforce on any users”, check it and it will stop enforcing for everybody.

How do you implement two-factor authentication in Java?

You can implement two-factor authentication in Java using the Google Authenticator library. The library is open-source and available on Github.

How do I add OTP verification to my WordPress site?

You can add OTP verification to your WordPress site using the WP OTP Verification plugin. The plugin is available for free on the WordPress repository.

In this case, you have to choose an SMS Service provider like Twilio to integrate into the app.

Go to Twilio.com and Signup for an account.

How to enable two-factor Authentication in WordPress (2 Easy Way) 60

Upgrade your account by topup for at least 20$ and you will get your API keys by going to view the product on left;

How to enable two-factor Authentication in WordPress (2 Easy Way) 61

choose the “Messaging” option and here you will find your API keys;

How to enable two-factor Authentication in WordPress (2 Easy Way) 62

now open WP2FA or WP OTP verification plugin and go to the settings and paste the above plugin details.

What method does the WordPress REST API use for authentication?

The WordPress REST API uses the JSON Web Token Authentication method for authentication.

This method is more secure than the Basic Authentication method and is recommended for use with the WordPress REST API.

By Raman

Welcome to my SEO Community. My name is raman and i am co-owner of kwebby.com, Here you will find latest tricks and tips of SEO, Free tools etc. I love to share my knowledge as the internet is meant for sharing. Letme know if you have any queries i will love to resolve that.