WPLift is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission.

How to Add Two-Factor Authentication (2FA) in WordPress (2021)

Last Updated on June 18th, 2021

Published on July 10th, 2019


Two-factor authentication (2FA) for WordPress is easier to set up than you might think, and adding it to your website will improve its security. If you’re concerned about brute-force attacks and hacking, you should switch to 2FA right away.

Adding a two-factor authentication system to your WordPress setup is a must for security. Without it, anyone who has gotten their hands on your password can log in. Two-factor authentication should be enabled in banking, shopping, email, and any other system that you consider critical.

To set up two-factor authentication in a WordPress blog, there are several plugins available. When logging into the system, two-factor authentication adds an extra layer of security. 

What is a Two-Factor Authentication (2FA)?

Two-factor authentication (2FA), also known as two-step verification or dual-factor authentication, is a security method in which users verify their identity using two different authentication factors. 

This procedure is carried out to better protect the user’s credentials and the resources that the user has access to. Single-factor authentication (SFA), in which the user provides only one factor — typically a password or passcode — provides a lower level of security than two-factor authentication (TFA). Two-factor authentication requires a user to provide both a password and a second factor, usually a security token or a biometric factor like a fingerprint or facial scan.

Because knowing the victim’s password alone is not enough to pass the authentication check, two-factor authentication adds an extra layer of security to the authentication process, making it more difficult for attackers to gain access to a person’s devices or online accounts. 

Two-factor authentication has long been used to control access to sensitive systems and data. And online service providers are increasingly implementing 2FA to protect their users’ credentials from hackers who have stolen a password database or obtained user passwords through phishing campaigns.

Why Add Two-Factor Authentication in Your WordPress Site?

WordPress sites are vulnerable to a wide range of security threats. Brute-force or ‘dictionary’ attacks are among the most dangerous and common types, in which attackers use bots to repeatedly guess login credentials until they find the right combination.

They can infect your website with malware if they steal or correctly guess your password. Therefore, it is highly recommended that you use strong passwords that include complex combinations of letters, special characters, and numbers. However, if you want to take your WordPress login page security a step further, we recommend using two-factor authentication (2FA). Even if your password is stolen, someone will need to enter a security code from your phone to gain access.

In order for an unwanted intruder to gain access to your WordPress site’s login page, they’d need to know your login credentials and have access to your phone or email inbox. This additional layer of protection can help deter cybercriminals. 


Two-factor authentication can also help protect your customers’ sensitive data, boosting trust and loyalty. Furthermore, using a mobile app and plugin, you can quickly and easily integrate it into your WordPress site.

In WordPress, there are two ways to set up two-factor authentication: 

  1. SMS Verification – the verification code is sent to you via text message. 
  2. Google Authenticator App – as a fallback, you can receive the verification code via an app.

How to Add Two-Factor Authentication in WordPress via SMS?

This method adds two-factor authentication to your WordPress login page. When you enter your WordPress username and password, you will be prompted to enter a code that will be sent to your phone via text message.

The first step is to download and install the first plugin, Two-Factor Authentication, which allows you to customize SMS verification in various ways.

The second plugin, Two-Factor SMS, works as a complement to the first. Both of the plugins should be installed and activated.

To activate SMS authentication, follow these steps: 

  1. You must go to ‘Users’ > Your Profile page after activating the plugins. Then, scroll down to the Two Factor Options section and select it. 
  2. Select the SMS (Twilio) option from the drop-down menu. Also, click the round button to make it your primary method of verification. 
  3. Scroll down to the Twilio section after that. You must enter your Twilio account information here.
  4. If you already have a Twilio account, go to your Twilio dashboard and click the Get Started button. 

Visit their website if you don’t have an account and select the Sign Up option from the drop-down menu. You will be asked for your usual personal information on the signup page. 

  1. Signing up takes you to the setup wizard. To get your first Twilio number, click the ‘Get your first Twilio number’ button. 
  2. It will then provide you with a phone number in the United States. 
  3. Save the number and then select it using the ‘Choose this Number’ button. 
  4. Exit the wizard and go to the Geo Permissions page under Settings. Here, you can select the countries to which you want to send an SMS. Since you are using this service only for yourself, pick the country where you live and visit frequently. 
  5. Copy your Account SID and Auth Token from the Twilio console dashboard.
  6. Return to your WordPress profile page and fill in the Twilio account information. 
  7. Then, in the ‘Receiver Phone Number’ section, enter your phone number and click ‘Update Profile.’ 

You’ll need to enter a unique code sent to your mobile device the next time you log in to WordPress.

How to Add Two-Factor Authentication in WordPress with Google Authenticator

  1. The first thing you need to do is install the Google Authenticator app on your phone.
  2. Let’s return to your WordPress dashboard now. We’ll come back to the Google Authenticator app once we’ve completed the WordPress setup.
  3. Let’s install and activate the Google Authenticator plugin for WordPress.
  4. In the WordPress menu, click on Users » Your Profile. You will see Google Authenticator Settings there.

Active – If you check this box, your blog will now use Google Authenticator (tick this box when you’re finished with the setup). 

Relaxed Mode – Your Google Authenticator code expires every minute by default. When you use the relaxed mode, you can use a single code for up to 4 minutes. Unless you type very slowly, we don’t recommend turning this on. You should be able to complete the code in under a minute because it is only 6 characters long.


Description and Secret Key – These are self-explanatory options. In the Google Authenticator app, the description will serve as your account name. If you don’t want to use the QR code, you’ll need the secret key. Note that you cannot use spaces in your description when using an iPhone. If you add spaces, the QR code may not work, and you’ll have to manually enter the information into the app using the key. 

Enable App Password – This is only required if your blog uses XML-RPC (remote publishing). This can be either the WordPress iOS app or the Windows Live Writer app. Remember that enabling this will reduce your overall login security, but if you enjoy using remote publishing, go ahead and enable it.

  1. Let’s return to our iPhone’s Google Authenticator app now that we’ve configured the WordPress part. To add a new account, click the + icon next to the Google Authenticator app icon.
  2. You’ll be asked to scan the QR code or enter the key provided. You can get both of these from your website’s Google Authenticator settings. 
  3. If your description doesn’t have any spaces, scan the barcode. To see the QR code, go to WordPress and click the Show QR code button.
  4. When you log in, a two-step verification field will appear, asking for your Google Authenticator code.
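The Relaxed Mode setting described above trades security for convenience by widening the time window in which a code is accepted. The following added example (not code from the plugin or from the original article) implements RFC 6238 TOTP verification with a configurable tolerance and measures how long a single code stays valid. The 30-second step, the window sizes of 1 and 8 steps, and the sample secret are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default; an assumption here)
# Constructed sample secret: the RFC 6238 test key, base32-encoded.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at, digits=6):
    """Return the RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, now, drift_steps):
    """Accept a code from any time step within +/- drift_steps of `now`."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, now + delta * STEP)
        # Constant-time comparison, and no early return on a match.
        ok |= hmac.compare_digest(expected, submitted)
    return ok

def seconds_accepted(secret_b32, issued_at, drift_steps, horizon=600):
    """Seconds after `issued_at` during which that code is still accepted."""
    code = totp(secret_b32, issued_at)
    age = 0
    while age <= horizon and verify(secret_b32, code, issued_at + age, drift_steps):
        age += 1
    return age

if __name__ == "__main__":
    issued = 1111111110  # constructed timestamp at the start of a time step
    print("code:", totp(SECRET, issued))
    print("strict  (+/-1 step): ", seconds_accepted(SECRET, issued, 1), "s")
    print("relaxed (+/-8 steps):", seconds_accepted(SECRET, issued, 8), "s")
```

A wider window means a code that was observed or phished remains usable for longer, so a verifier should also reject any code that has already been used once.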

How to Add Two-Factor Authentication in WordPress Using Plugins

Google Authenticator – Two Factor Authentication by miniOrange

The Google Authenticator – Two Factor Authentication (2FA) / Multi-Factor Authentication (MFA) plugin ensures that your WordPress website is completely secure. The plugin is free, simple, and quick to install. Making use of two-factor authentication ensures that no one else can access your WordPress website when you’re logging in. You can also configure the plugin for any TOTP-based Authentication Method to provide an additional layer of security (multi-factor authentication). miniOrange also supports one-time passwords (OTP) via SMS and email during the login and registration process.

Price

  • $5/user
  • $1/100 transaction with email, SMS, and OTP verification

Steps to Add Google Authenticator – Two Factor Authentication by miniOrange to WordPress 

  • Install and activate Google Authenticator – Two Factor Authentication by miniOrange
  • Register with miniOrange 
  • After you’ve submitted your information, miniOrange will send you an OTP (One Time Password) to verify your email address, which you’ll need to enter on the next screen.
  • Simply copy and paste that code into your WordPress dashboard’s Enter OTP box.
  • Next, you can choose from various pricing options. Unless you need something like WooCommerce two-factor authentication, you can choose the free plan. To do so, go to the top right and click the Ok, Got It button.
  • Set up your security questions by clicking on the notification prompt that the plugin displays. Enter all three questions and answers and then click Save.
  • Choose login settings. You can customize a few key details on the Login Settings tab, such as enabling two-factor authentication for specific user roles in the premium version (unfortunately, this feature isn’t available on the free version).

You’ll find the Select Login Screen Options if you scroll down a little further. To begin, decide how you want users to log in by choosing between two options: 

  1. Log in with your password and the two-factor authentication code – To log in, you’ll need to enter both your password and the two-factor authentication code. 
  2. Login with only the 2nd Factor – all you need is your username and the 2nd Factor (not recommended as it will no longer be two-factor authentication). 

You can choose whether or not to enable the “Remember Device” option if you select password + 2nd Factor, which is recommended.

  • Configure your two-factor authentication method(s).


Unloq

As many of you already know, this plugin acts as a security shield for your WordPress websites and defends user accounts against phishing, password reuse, keylogging, and other types of attacks. 

On the other hand, hackers have never given up on new ways to attack us, as we’ve previously stated. As a result, the UNLOQ.io team has never stopped improving their products! The team has spent the entire summer working on the new version, with the goal of providing a safe environment for bloggers, small businesses, and organizations.

Price

  • Free trial – up to 100 people
  • 100+ people – Starts at $19.00 per month

Steps to Add Unloq to WordPress

  • Go to the Settings tab to set up the two-factor authentication (2FA) flow. You can also customize the push notification and login request messages.
  • Stick with 2FA all the way and let the plugin handle the entire login process. Then, select all three plugin options: push notifications, TOTP, and email.
  • To use the 2FA plugin, you must first install the authentication mobile app, which you can secure with a pin, a pin OR fingerprint, or a pin AND a fingerprint. Basically, you must first “log in” to the app before you can approve or deny a login request.



Duo Two-Factor Authentication

To protect against account takeover and data theft, Duo Security offers two-factor authentication as a service. In just a few minutes, you can add Duo Two-Factor Authentication to your WordPress website using the Duo plugin! 

Duo’s authentication service adds a second layer of security to your WordPress accounts, rather than relying solely on a password, which can be phished or guessed. Duo allows your administrators or users to verify their identities using something they already own, such as a smartphone or a hardware token, resulting in strong authentication and increased account security.

Duo is simple to set up and operate. There is no need to install any additional hardware or software with Duo; simply sign up for the service and install the plugin. Then, without having to set up user accounts, directory synchronization, servers, or hardware, you can choose which user roles you want to enable two-factor authentication for—admins, editors, authors, contributors, and/or subscribers.

Price

  • Duo Free – Free
  • Duo MFA – $3/user/month
  • Duo Access – $6/user/month
  • Duo Beyond – $9/user/month

Steps to Add Duo Two-Factor Authentication

  • Setting up Duo account

The first step is to sign up for a free account with Duo Security. To create an account, you must use your current phone number.

  • Once you’ve set up the Duo account you’ll automatically be redirected to the admin panel.
  • If you’re starting from scratch, go to your account and select Integrations > New Integration from the left menu. Then, under Integration Type, choose WordPress. 
  • The Integration Name can be anything you want; in this tutorial, we’ll use “My WP Site.” 
  • Select the Create Integration option.
  • We’ll now copy and paste the secret keys into our WordPress site to establish the connection between our WordPress site and Duo Security.
  • Go to WP Dashboard > Settings > Duo Two-Factor to do so. This page contains the necessary settings. Copy and paste the keys from the Duo Security admin interface into the appropriate fields. The connection is established after you click Save Changes. Your site now has two-factor authentication enabled.
  • Each WordPress user should have an authentication method.

To do so, you must first log out of the WP Dashboard and then log back in. After logging in, you should see something similar to this:

  • Add an Android device to your Duo Security Account.
  • Select your Device.
  • Now install Duo mobile on your device.
  • Click the Key icon in the Duo Mobile app on your device to launch the barcode scanner. Scanning the barcode on the screen will turn your tablet or phone into an authentication device. Then click Continue.
  • This confirmation indicates that the user ‘john’ has an Android device in his account as a recognized or enrolled device.
  • Everything is in place now. Keep your phone/tablet close by and enter your password to proceed to stage one. You’ve arrived at the Two-Factor Authentication point.
  • As a login method, you have the option of using Duo Push or Passcode. Click login if you’ve chosen Duo Push. Your Android/iOS device should display a notification.
  • Select Approve from the Duo Mobile app.

You’ve completed the second stage of the two-factor authentication process and can now access the WordPress Dashboard. Congratulations on your achievement! 


Wrapping Up!

One of the most effective ways to prevent unauthorized access is to enable two-factor authentication. It’s a great way to keep your security up to date. Although logging into your WordPress site takes a little longer, the extra effort is rewarded with peace of mind. 

The plugins we’ve looked at in this post are incredibly easy to set up and configure, as described in the tutorial. We strongly advise you to try your hand at implementing it; it’s well worth your time!
