It’s a scary world out there, and lots of people would love to get their hands on your precious WordPress login credentials.
That’s why, in Wordfence’s survey of site owners who knew how hackers got into their sites, brute force attacks and password issues accounted for about 20% of the hacked sites.
Two-factor authentication is one way to absolutely lock down your login page. This is the same security mechanism used by banks and other security-conscious organizations, and I’m going to show you how to add WordPress two-factor authentication functionality to your WordPress site for free.
How Does WordPress Two-Factor Authentication Work?
You’ve probably already encountered two-factor authentication in your life, so I won’t go too deep here.
Basically, two-factor authentication adds an extra layer of security to your login process by requiring users to enter an extra code generated by text or a smartphone app when they go to log in.
The idea is that logging in requires both something you know (your password) as well as something you physically hold in your possession (typically a phone – either by text or app, though you can also use hardware keys).
So, after you implement the WordPress two-factor authentication tutorial that I’ll lay out in this post, here’s how your WordPress login process will work:
First, you’ll go to your regular login page and log in like you usually would by entering your username and password:
However, after you enter your username and password, you aren’t into the WordPress admin dashboard quite yet.
Instead, the next screen will prompt you to enter a code (you have a few different options for how/where this code is generated). You’ll only be able to access your WordPress dashboard after entering this code:
If you enter an incorrect code, it will boot you back to the initial login screen and you’ll need to repeat the process:
Simple, right? Here’s how to set up WordPress two-factor authentication at your site.
The Best WordPress Two-Factor Authentication Plugin
While there are several quality WordPress two-factor authentication plugins, I like the creatively named Two Factor Authentication plugin, which is available for free at WordPress.org.
Here’s why I like it. It…
- Comes from the same developers of the popular UpdraftPlus backup plugin, so it’s not a fly-by-night operation.
- Supports the TOTP and HOTP protocols, which let you use smartphone apps like Google Authenticator, Authy, etc. This is more secure than text message codes while also being the most accessible method, because pretty much everyone has a smartphone nowadays.
- Lets you enable two-factor on a user role or individual user basis. With the premium version, you can even force certain types of users to use two-factor authentication.
- Lets you set up trusted devices, so that you only need to enter a two-factor code if you try to log in from a new device. This is a little more convenient, but it is a premium feature.
One thing to note is that this plugin does not support FIDO/Universal 2nd Factor (U2F). This is the protocol used by physical hardware security keys like YubiKey or Google Titan.
If you specifically want to use FIDO, another good option to check out is the free Two-Factor WordPress plugin, also available at WordPress.org.
How to Add Two-Factor Authentication to WordPress
To get started, install and activate the free Two Factor Authentication plugin that I detailed above.
Then, here’s how to go about setting it up…
1. Set Up Sitewide Basics
To get started, go to Settings → Two Factor Authentication. Here, you can choose which user roles have the option to use two-factor authentication.
With the free version of the plugin, it’s just that – an option. That is, enabling it for a user role does not force them to use two-factor, it only enables the two-factor settings for them. If you want to force certain user roles to use two-factor, you’ll need the premium version of the plugin:
Further down, you can choose whether to require two-factor for XMLRPC requests. Requiring it is more secure, but it might also break apps that connect to your site through XMLRPC, because most of them do not support two-factor.
2. Get Two-Factor Code for Your Account
Once you’ve set up the sitewide settings, go to the new Two Factor Auth area in your WordPress dashboard to configure two-factor authentication for your own WordPress account.
Here, you’ll see a QR code, as well as a private key. Keep this page handy because you’ll need it in the next step:
3. Download Smartphone App and Scan QR Code
Now, you’ll need to hop over to your smartphone and download an app. You can use any app that supports the TOTP protocol. Good options are:
- Google Authenticator app
Personally, I use Google Authenticator as it comes from Google and gets the job done.
If you use Google Authenticator, all you need to do is click the plus icon in the top-right corner and select Scan barcode. Then, scan the barcode in your WordPress dashboard (the one that you saw in Step 2).
Once you scan the barcode, you should see a new option in the app for your site’s domain name, along with a six-digit code.
4. Activate Two-Factor Authentication
To finish things out, make sure that the six-digit code you see in your smartphone app matches the Current one-time password that you see in your WordPress dashboard. This code changes about every 15 seconds, so make sure you’re looking at the most recent version.
If they match, go ahead and Enable two-factor authentication in your WordPress dashboard and save your changes:
Now, to test things, you can log out of your WordPress dashboard and then try to log in again.
Once you enter your username and password, you should be prompted to also enter your two-factor code:
With the free version of the plugin, each user at your site will need to manually complete steps 2-4 to activate two-factor authentication for their accounts.
Again, with the premium version, you can force people to activate two-factor authentication, and also get access to other helpful features.
What If I Lose My Phone and Lock Myself Out of WordPress?
As long as you have access to your WordPress site’s server via FTP or cPanel File Manager, it’s impossible to lock yourself out of WordPress with two-factor authentication.
If you lose the ability to access your two-factor code, you can connect to your WordPress server and rename the folder for the Two Factor Authentication plugin. This will deactivate the plugin and let you log in again. Our guide on being locked out of WordPress has more details.
One more important thing to remember:
You need to keep your hosting/FTP credentials locked down as well – otherwise people can bypass your WordPress two-factor authentication setup (or just generally attack your site in lots of other malicious ways once they have access to your server).
In addition to this manual method, the premium version of the plugin also lets you download one-time use backup codes that you (or other users) can use in case of an emergency.
Set Up WordPress Two-Factor Authentication Today!
With WordPress two-factor authentication, you can rest easy knowing that your WordPress login page is safe and secure.
Have any questions about how to set things up? Ask away in the comments and we’ll try to help!