Two-factor authentication – also known as 2FA – is an extra layer of security used when logging into a website. Chances are you’ve used 2FA before. When accessing your bank account online, for example, after logging in with your username and password, you may have been asked additional questions or received a verification code via text. This is two-factor authentication.

By installing a 2FA plugin and ensuring all users activate two-factor auth, we can improve the security of our websites. Hackers and cybercriminals continue to use brute force attacks, but 2FA adds an additional protection barrier at no extra cost.

We recommend all of our clients install and use 2FA with WordPress.

How to enable 2FA on your website

We recommend and use a plugin called Two-Factor.

Once installed and activated, if you head to the Users screen, you’ll see it adds a column called Two-Factor. This allows you to see which users have Two-Factor enabled.

[Screenshot: the Users screen in WordPress. After the 2FA plugin is installed, a “Two-Factor” column is added to the Users screen.]

To set up 2FA, we need to go to our profile and scroll down to the “Two-Factor Options” section. It’ll look something like this:

[Screenshot: the WordPress user profile page showing the Two-Factor Options section on the Profile screen.]

The sections we are interested in are Email, Time Based One-Time Password and Backup Verification Codes. You can also use hardware security keys (FIDO U2F Security Keys) for additional security, but that’s outside the scope of this post.

Creating Backup Verification Codes

The first thing we recommend setting up is the Backup Verification Codes. These are important in case your 2FA method fails for whatever reason (for instance, you lose your phone). These backup codes will allow you to log in again.

Click the “Generate Verification Codes” button, and it’ll provide you with ten unique codes. Save these somewhere secure – even print them out if you need to. Ensure you record these numbers before leaving the page, as you won’t be able to access them again.

Setting up a Time Based One-Time Password

Once you have your backup verification codes, we recommend using Time Based One-Time Password (TOTP). TOTP requires an authentication app such as LastPass Authenticator, Google Authenticator or Authy. I use 1Password.

To set up TOTP, select the checkbox next to “Enabled” and then either use your phone to scan the QR code or manually enter the code. Your app will then give you an authentication code. Enter it in the box and click submit.

That’s it – next time you sign in, after entering your username/password, you will be asked for the Authentication Code provided by your authentication app.

Setting up email

If you’ve created your Backup Verification Codes and your TOTP, you can skip this step. If you are unable to set up TOTP, you can use email. While it’s not as secure as using TOTP, it’s better than using nothing.

To use email, select the “Enabled” checkbox next to email and then click Update Profile at the bottom of that screen.

Now, the next time you log in, you’ll be sent an email containing your unique authorisation code.

Written by Marc Jenkins

Marc has been building websites of all shapes and sizes for well over a decade. He specialises in building bespoke WordPress sites.
