How to

How To Setup Two-Factor Authentication On WordPress

Everyone knows how bad the internet is. There are bad actors everywhere. Web developers understand this fact and this is why they are following best practices in WordPress security with Two-Factor Authentication. Among them is adding the much-needed two-factor authentication to WordPress.

The post will not be focusing on the fundamentals of Two-Factor Authentication (2FA). Those who have used social media platforms or online financial services after changing devices know what it is.

Hence, let’s get down to business.

Two-factor authentication is a serious business

WordPress experts recommend Two-Factor authentication for the following reasons.

  • Well-known 2FA plugins come from legitimate security companies that work with reputed companies.
  • They are reviewed in and timely updated.
  • They also offer multiple authentication options ranging from texts, and Google’s authenticator app to a lot more.
  • Features in some plugins are limited.

Read more: Slowloris (Computer Security) Ways to Stop the Slowloris Attack

Understanding a bit of two-factor authentication first

Two-factor authentication (2FA) is a multifactor authentication method. It requires users to know something (like a password) and also requires them to possess a mobile device as well.

They are a good way of protecting websites from common account breaches. These breaches are due to easily guessable or leaked passwords. Hence, 2FA options are integrated on all WordPress sites. The VIP platform also has them.

The two-factor authentication is a default requirement. Custom roles having the manage_options capability on the VIP platform require it too.

Enabling 2FA for a single user

Users having an existing admin account on WordPress websites can enable the two-factor authentication through the following steps:

  • Accessing the WordPress admin dashboard after logging in using a username and a password.
  • Going to the users’ option on the sidebar, and then going to the ‘Your Profile’ tab for viewing option settings.
  • Enabling the preferred method of authentication in the two-factor options section.
  • Users must click on the update profile button to save updated settings.

Is it wise to add two-factor authentication for certain user roles and capabilities?

It is wise to add 2FA for certain users, capabilities, and roles. Developers and site owners must use the wpcom_vip_is_two_factor_forced filter. This helps force two-factor authentication for certain capabilities and roles. The resulting code must be added to a file in the directory titled ‘Client mu Plugins.’

Read more: Remove Japanese Keyword Hack Attack On A Website

Enforcing two-factor authentication for every user present

Setting the wpcom_vip_is_two_factor_forced filter to __return_true for enforcing the 2FA for all users on a website. 

What to do when users get locked out due to 2FA on a WordPress site?

WordPress site owners have either an admin or super admin role. This can help them get other users back. If users got locked out due to 2FA they don’t need to worry. They can be brought back. But IT teams must confirm if users really got locked out.

Unfortunately, a lot of fake emails for account reset requests are made. They are part of phishing and ransomware attacks. A co

It is wise for IT teams and WordPress admins to confirm with users if they really got locked out of their accounts due to the 2FA.

Once the reason has been confirmed, here are some steps the admin or super admin can take:

  • Logging in for accessing WordPress admin.
  • Going to the users’ dashboard which can be accessed from the sidebar.
  • Accounts of locked out users can be found either by their password, username, or both.
  • Selecting the username of the locked-out user from the search results.
  • The ‘Two-factor options’ section of the user’s profile has two options and from that, only one needs to be done.
  • The first option is to deselect all available methods of 2FA. It will allow the locked-out user to log in without any additional code needed.
  • The other option is the enablement of backup verification codes. The admin/super admin can use the ‘Generate Verification Code’ button to make a one-time use code. Then the backup code can be sent to the user helping them log back in.

Once users have regained access to their account, it would be wise for them to make additional updates to the 2FA settings. This can help them prevent losing access in the future (and possibly eliminate the need to reset their phone number).

Printing backup codes is recommended. It helps prevent users’ accounts from getting locked out again.

Read more: Facebook Hack! Your Facebook page was “Liked” by Hackers

Which Two-Factor plugin on WordPress is the best one?

There are numerous 2FA plugins on WordPress. Some are worth the investment whereas some aren’t worth using. Let’s have a look at the worthwhile ones that are worth the investment:

  • WP2FA (WP White Security).
  • Two Factor Authentication (David Anderson).
  • Wordfence Login Security.
  • miniOrange Google Authenticator.


Choosing a solution for 2FA that works best is much better.

A website with power and large can work on WP 2FA plus. MiniOrange Google Authenticator also works. Both sites provide a wide array of authentication options, are easy to configure, and support numerous users.

Simple WordPress users can go with Wordfence. It is simple to use, free and concentrates its features on protecting the login function of WordPress sites.


Questions and Answers

Q: Why is the 2FA necessary?

A: Two-factor authentication is needed. It helps ensure logins and logouts from most portals and websites are original, authentic, legitimate, and safe. Any unauthorized activity is thus nipped in the bud.

Q: Is lack of 2FA dangerous?

A: The necessity of two-factor authentication lies in the fact that it helps unwanted intrusions stay at bay. It protects users, portals, and websites. Anything due to lack of 2FA results in a cyberattack and a lot of explanation.

Q: Does Google support 2FA?

A: Every major tech company is using 2FA at all costs. No company can ever survive without it. It is a good way of protecting websites and users. 

Q: Do WordPress sites require 2FA?

A: WordPress sites cannot thrive without 2FA. This is why they are protected. If anything ever goes wrong, 2FA can protect it and prevent it from going further wrong. It ensures users’ legitimacy with password protection and authentication via mobile devices.

Related Articles

Back to top button