
2FA for WordPress websites

TBST Digital · 3 min read

2FA is a pain in the arse. You were all thinking it, and I was as well. But it’s more of a pain when your site gets hacked, so like almost all security, it’s one of those things you just have to do to avoid pain in the future.

Anyways – if you aren’t getting your web team to do it – then here’s a handy guide to doing it yourself.


Step 1: Choose a 2FA Plugin

While there are several plugins available for implementing 2FA on WordPress, some of the most popular and reliable ones include:

  1. Wordfence Security: Offers comprehensive security features, including 2FA.
  2. Google Authenticator – Two Factor Authentication (by Henrik Schack): Simple and effective.
  3. Two Factor Authentication (by David Anderson): Developed by the authors of popular plugins such as iThemes Security and WP Security Audit Log.
  4. Duo Two-Factor Authentication: Enterprise-level security features.
  5. Authy – Two Factor Authentication: User-friendly with multiple device support.

For this guide, we’ll use Wordfence Security due to its robust feature set and ease of use.


Step 2: Install and Activate the Wordfence Security Plugin

  1. Log in to Your WordPress Admin Dashboard
    • Navigate to https://yourwebsite.com/wp-admin and log in with your administrator credentials.
  2. Navigate to the Plugins Section
    • From the left-hand menu, click on Plugins > Add New.
  3. Search for Wordfence Security
    • In the search bar, type “Wordfence Security”.
    • Locate the plugin developed by Wordfence.
  4. Install the Plugin
    • Click the Install Now button next to the Wordfence Security plugin.
  5. Activate the Plugin
    • Once installed, the Install Now button will change to Activate. Click it to activate the plugin.

Step 3: Configure Wordfence Security

  1. Initial Setup
    • Upon activation, you might be prompted to start the setup wizard. Follow the on-screen instructions to configure basic settings.
  2. Access Wordfence Settings
    • From the left-hand menu, click on Wordfence > Login Security.
  3. Enable Two-Factor Authentication
    • In the Login Security section, look for the Two-Factor Authentication option.
    • Toggle the switch to Enable.
  4. Choose the Authentication Method
    • Wordfence offers several 2FA methods, including:
      • Email-Based Authentication: Sends a code to the user’s email.
      • Authentication App: Use apps like Google Authenticator, Authy, or Duo.
      • U2F/WebAuthn: Use hardware keys like YubiKey.
    • For most users, Authentication App is recommended for its balance of security and convenience.
  5. Set Up Authentication App
    • Download an Authenticator App: If you haven’t already, install an authenticator app on your smartphone. Popular options include:
      • Google Authenticator
      • Authy
      • Duo Mobile
    • Scan the QR Code:
      • In the Wordfence settings, click Enable next to the Authentication App option.
      • A QR code will appear. Open your authenticator app, choose to add a new account, and scan the QR code.
    • Enter the Verification Code:
      • After scanning, the authenticator app will generate a 6-digit code.
      • Enter this code into the Wordfence setup to verify the connection.
  6. Enforce 2FA for Users
    • Decide which user roles should be required to use 2FA. It’s recommended to enforce 2FA for all users with login access, especially administrators.
    • In the Login Security settings, under Two-Factor Authentication, specify the roles that must use 2FA.

Step 4: Enroll Users in 2FA

  1. User Login
    • Each user with a role that requires 2FA will need to set it up upon their next login.
  2. Prompt to Set Up 2FA
    • Upon logging in, users will be prompted to set up 2FA if they haven’t already.
    • They should follow the on-screen instructions to link their authenticator app.
  3. Backup Codes
    • Encourage users to generate and securely store backup codes. These codes can be used to access their accounts if they lose access to their authenticator device.

Step 5: Test the 2FA Setup

  1. Log Out of WordPress
    • Click on your profile picture in the top-right corner and select Log Out.
  2. Attempt to Log In Again
    • Navigate to your WordPress login page and enter your credentials.
  3. Enter the 2FA Code
    • After entering your username and password, you will be prompted to enter the 2FA code from your authenticator app.
  4. Successful Login
    • If everything is set up correctly, entering the correct 2FA code should grant you access to the dashboard.
