Adding two-factor authentication to WordPress is, in my opinion, a crucial – yet often overlooked – component to having effective website security. In this tutorial, I show you how easy it is to get two-factor authentication configured and working on your WordPress site in as little as 5 minutes. Take 5 minutes and give yourself some additional peace-of-mind that your website is secure.
This article is part of a series on WordPress security. Be sure to check out additional articles in the series for additional valuable information.
Before We Begin
A few things to mention before we get into this tutorial.
First, screenshots in this tutorial have been marked with red squares to make the important areas on the screen easier to locate.
Second, before you begin this tutorial, be sure you have a two-factor authentication (2FA) app installed – likely on your smartphone or tablet. Popular two-factor authentication apps include Google Authenticator, Authy, Lastpass, and Microsoft Authenticator amongst others.
Install The WP 2FA Plugin
Let’s get started by installing the WP 2FA WordPress plugin.
From the WordPress dashboard, on the left go to Plugins and choose Add New. From the Add Plugins page, find the search box and type in WP 2FA. The plugin we’re using should be the 1st result – WP 2FA by WP White Security. Click the Install Now button and after it finishes click Activate.
WP 2FA Setup Wizard
As soon as you click to activate, the WP 2FA setup wizard should begin to help you configure the plugin. Begin the wizard by clicking the blue Let’s Get Started button.
The first question you’re presented with is which two-factor authentication methods will you allow for your website users. Your options are “One-time code via 2FA App (TOTP)” or “One-time code via email (HOTP)”.
My personal suggestion is to only allow the first option that uses 2FA via an app. All it would take for someone to get complete control over your website is for them to gain access to your email account. Once someone has access to your email, they would be able to request a new password from WordPress through the forgot password form. Having the option for two-factor authentication to use your email would allow our would-be attcker to bypass this security measure as well.
With that said, you get to decide how you want your two-factor authentication configured. Make your selection(s) and click the blue Continue Setup button.
The next question from the wizard is whether you want to enforce two-factor authentication for only some users or all users. My answer to this is definitely to make this a requirement of all users. I don’t believe in leaving any potential openings for someone who wants to gain unauthorized access to a website – no matter how unprivileged the account might be.
Once you’ve made your selection, click CONTINUE SETUP.
Next – do you want to exclude any users or roles from two-factor authentication? I think I made my point on the last question.
Click Continue Setup.
Next, how long of a grace period should users have to configure their two-factor authentication? There are arguments that could be made for either option here. Forcing users to setup 2FA on their next login make sense from a security perspective, however, unless you know for 100% certain that your users have 2FA apps already this could cause someone some small headache.
Make the decision here that’s best for you and click All Done.
Congratulations, you’re almost there! Click Configure 2FA Now.
Add Your WordPress Site To Your 2FA App
WP 2FA now wants you to scan the QR code presented using your two-factor authentication app to add your WordPress site’s 2FA to the app. Once you’ve done this, click the blue I’m Ready button.
Verify Your 2FA App
Now, WP 2FA wants to verify that the app is configured properly for your site by having you enter the current authentication code given to you by your 2FA app for the website. Once you’ve entered your code, click VALIDATE & SAVE CONFIGURATION.
Download Backup Codes
One last step as part of the actual setup process is that you’re given the option of whether or not you want to download backup codes or generate them later. Backup codes are for use in a situation like as if your phone is not working or stolen and you need to get access to your website. It’s generally a good idea to have backup codes for these kind of situations, however, be sure you store them somewhere secure that you won’t lose them and that they won’t be accessed by someone else.
To download backup codes, click the Generate List of Backup Codes button.
Your basic WP 2FA setup is now complete. There are some additional policies and settings available from the plugin. I’ll go over the additional policies as there’s a few there worth mentioning. The additional settings are something I’ll allow you to explore on your own.
Additional 2FA Policies
From the WordPress dashboard, you should see WP 2FA in your left hand navigation. Once clicked you should land on the 2FA Policies page. If you scroll down you’ll find all of the additional settings I’m going to mention here.
The first additional setting I’ll point out is the option to denote a page on your website to redirect users to after they’ve setup 2FA for their account. If you feel like creating a page for this purpose, go ahead and do so and put the slug for the page in the box provided.
Next, there’s an option for whether you want a page on the frontend of your website to allow users to change their 2FA settings. My personal opinion on this is NO. Make the decision that’s best for your website and users.
Lastly, there’s an option to hide the REMOVE 2FA BUTTON from user profile pages entirely. This is something I personally think is the best option. You can decide however you feel is best.
If you’ve made any changes from on this page, click the blue Save Changes button.
Your WordPress website is now more secure from potential hackers / password crackers with two-factor authentication configured for your website. Consider checking out my articles on Enforcing Strong Passwords in WordPress and Protecting WordPress Logins & Forms With hCaptcha for additional easy-to-implement tools for protecting your website.
If you found this article helpful or have any questions, I encourage you to please share this article with others and/or leave a comment below. Additionally, you can find me on Mastodon at @[email protected]. Thanks for reading and I hope you visit again soon!