Why add two-factor authentication to WordPress?
![Image [1] - How to add two-factor authentication in WordPress - Photon Flux | Professional WordPress Repair Service, Global Reach, Fast Response](https://www.361sale.com/wp-content/uploads/2024/07/2024071903153154.png)
One of the easiest ways to protect a WordPress website from password theft is to add two-factor authentication (2FA). With this setup, a password and a secondary code (from an app, email, or text message) are required to log in to your website. That way, even if someone steals your password, they'll still need to enter the security code from your phone to gain access.
What is an authenticator application?
There are several ways to set up a two-step login in WordPress. However, the safest and easiest way is to use an authenticator app. An authenticator app is a smartphone app that generates temporary one-time passwords for the accounts you keep in it. The app and your server share a secret key, and each combines that key with the current time to compute the same short-lived one-time code, which serves as a second layer of protection.
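The following sketch shows how both sides derive the same code from the shared key, using the standard TOTP algorithm (RFC 6238), and how a server can check a submitted code while tolerating clock drift and refusing reuse. It is an added example, not code from WP 2FA or the Two-Factor plugin; the function names and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret (the RFC 6238 test key), base32-encoded the way a
# setup wizard shows its "text code". Never use it for a real account.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time, step=30, digits=6):
    """Return the code an authenticator app displays at unix_time."""
    # Tolerate spaces, lower case and missing padding in a hand-typed key.
    text = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(text + "=" * (-len(text) % 8))
    counter = int(unix_time) // step  # 30-second steps since the Unix epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, last_used_step=-1, window=1, step=30):
    """Server-side check: return the matched time step, or None on failure.

    window=1 also accepts the previous and next step to absorb clock drift.
    Steps at or below last_used_step are refused so a code cannot be replayed.
    """
    current = int(unix_time) // step
    matched = None
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_used_step:
            continue
        expected = totp(secret_b32, candidate * step, step)
        # Constant-time comparison; no early exit on the first match.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            matched = candidate
    return matched


if __name__ == "__main__":
    code = totp(DEMO_SECRET_B32, 59)
    print("code at t=59:", code)
    print("accepted at step:", verify(DEMO_SECRET_B32, code, 59))
    print("replayed:", verify(DEMO_SECRET_B32, code, 59, last_used_step=1))
```

A server that stores the returned step as `last_used_step` for the account rejects a second login with the same code, even inside its 30-second lifetime.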
There are many free apps available:
- Google Authenticator: One of the most popular apps, but if you lose your phone, there's no way to restore your account unless you create a backup copy ahead of time.
- Authy: An easy-to-use, free app that allows you to save your accounts in an encrypted format in the cloud. If you lose your phone, simply enter your master password to recover all your accounts.
- LastPass and 1Password: These password managers come with their own version of an authenticator, which allows you to recover keys more easily than Google Authenticator.
How to Add Two Factor Authentication to WordPress (Free Method)
Method 1: Add two-factor authentication with WP 2FA
This method is easy to use and recommended for all users. It is flexible and allows you to enforce two-factor authentication for all users.
1. Install and activate the WP 2FA plugin
First, you need to install and activate the WP 2FA - Two Factor Authentication plugin.
![Image [2] - How to add two-factor authentication in WordPress - Photon Flux | Professional WordPress Repair Service, Worldwide, Fast Response](https://www.361sale.com/wp-content/uploads/2024/07/2024071909371626.png)
Upon activation, the WP 2FA setup wizard will start automatically. Alternatively, you can open the Users » Your Profile page and scroll down to the WP 2FA Settings section. Clicking the Configure Two Factor Authentication (2FA) button will launch the setup wizard.
![Image [3] - How to add two-factor authentication in WordPress - Photon Flux | Professional WordPress Repair Service, Global Reach, Fast Response](https://www.361sale.com/wp-content/uploads/2024/07/2024071909380578.png)
2. Configure the WP 2FA plugin
- Start configuring the plugin: Click the "Let's get started!" button.
- Select authentication method: There are two options:
  - Use the one-time code generated by the 2FA application of your choice (recommended)
  - One Time Code emailed to you
  We recommend selecting the authentication via 2FA application (TOTP) method, as it is more secure and reliable. Once selected, click the Continue Setup button.
![Image [4] - How to add two-factor authentication in WordPress - Photon Flux | Professional WordPress Repair Service, Worldwide, Fast Response](https://www.361sale.com/wp-content/uploads/2024/07/2024071909395916.png)
- Select an alternative 2FA method: You will be asked which alternative 2FA method users should fall back on if the primary 2FA method fails (e.g., if the user loses the phone). In the free plan, only the Backup Code method is available. Once selected, click the "Continue Setup" button.
![Image [5] - How to add two-factor authentication in WordPress - Photon Flux | Professional WordPress Repair Service, Worldwide, Fast Response](https://www.361sale.com/wp-content/uploads/2024/07/2024071909403367.png)
- Enforce 2FA: It is possible to force a two-step login for some or all users. We recommend enforcing 2FA for all users on the site. Select the "All Users" option and click the "Continue Setup" button.
- Exclude specific users: You can exclude some users from being forced to use 2FA. Enter the usernames or user roles of these team members and click the Continue Setup button when you are done.
- Create a grace period: This determines how long users have before they must start using 2FA. You can ask them to start immediately or give them a grace period (e.g., 3 days). After making your selections, click the Finish All button to exit the setup wizard.
![Image [6] - How to add two-factor authentication in WordPress - Photon Flux | Professional WordPress Repair Service, Worldwide, Fast Response](https://www.361sale.com/wp-content/uploads/2024/07/2024071909414222.png)
3. Configuring 2FA for your own user account
You will see the "Installation completed" screen, which contains a congratulations message. You will also see a button that allows you to set up 2FA for your user account. Click the "Configure 2FA now" button to start the setup wizard.
- Select 2FA Method: Select the option "Obtain code once through the 2FA application" and click the Next button.
![Image [7] - How to add two-factor authentication in WordPress - Photon Flux | Professional WordPress Repair Service, Worldwide, Fast Response](https://www.361sale.com/wp-content/uploads/2024/07/2024071909441851.png)
- Scan the QR code: The plugin displays a QR code and a text code. Use the authenticator app to scan the QR code, or manually enter the text code into the app.
- Verify the one-time password: In the plugin's setup wizard, click the "I'm ready" button to continue. Enter the code from the mobile application into the Authentication Code field before it expires and click the Authenticate and Save button.
- Generate backup codes: Generate and save a list of backup codes in case you are unable to use your phone. After saving, click the "I'm ready, close wizard" button to exit the setup wizard.
4. Use two-factor authentication when logging in
The next time a user logs in, they will see a notification that two-factor authentication needs to be set up, along with the deadline at the end of the grace period. When they log in after setting up two-step authentication, the system asks for a code from the authenticator application or a backup code.
Method 2: Add two-factor authentication using the Two-Factor plug-in
If you only want to set up 2FA for your account, this is a quick and easy way to do it.
Installation and activation of the Two-Factor plug-in
First, you need to install and activate the Two-Factor plug-in.
Once activated, visit the Users » Profile page and scroll down to the Two-factor Options section.
Configuring the Two-Factor plug-in
- Select the two-factor login option: The plug-in allows you to use email, authenticator applications and FIDO U2F security key methods.
![Image [8] - How to add two-factor authentication in WordPress - Photon Flux | Professional WordPress Repair Service, Worldwide, Fast Response](https://www.361sale.com/wp-content/uploads/2024/07/2024071909472568.png)
- Scan the QR code: Scan the QR code on the screen with an authenticator app like Google Authenticator, Authy or LastPass Authenticator. After you scan the QR code, the app will show you a verification code. Enter it into the plugin options and click the "Submit" button.
- Save settings: Click the "Update Profile" button to save the settings.
![Image [9] - How to add two-factor authentication in WordPress - Photon Flux | Professional WordPress Repair Service, Worldwide, Fast Response](https://www.361sale.com/wp-content/uploads/2024/07/2024071909503180.png)
Now, every time you log in to the WordPress site, you are asked to enter a verification code generated by the app on your phone.
Frequently Asked Questions
![Image [10] - How to add two-factor authentication in WordPress - Photon Flux | Professional WordPress Repair Service, Worldwide, Fast Response](https://www.361sale.com/wp-content/uploads/2024/07/2024071909500778.png)
1. How do I log in with 2FA if I don't have access to my cell phone?
If you are using an authenticator application with a cloud backup option (e.g., Authy), you can install the authenticator application on your laptop, which gives you access to the verification code even if you don't have your cell phone. Many authenticator apps also allow you to generate backup codes that can be used as one-time passwords when a cell phone is unavailable.
2. How do I log in without an authenticator application?
If you can't access your phone, laptop or backup codes, you can only log in by disabling the 2FA plugin. Disable all WordPress plugins. Deactivating all plugins also disables the two-factor authentication plug-in, so you will be able to log in to the WordPress website. Once logged in, reactivate the plugin and reset the two-factor authentication settings.
3. Do I need to password protect my WordPress admin folder?
Website security works best when you have multiple layers of security measures in place to protect your website, starting with the basics like using HTTPS and secure WordPress hosting. Two-factor authentication secures your WordPress login, but you can make it even more secure by password-protecting your WordPress admin directory. This means that users won't be able to access your login page unless they first enter their username and password.
Conclusion
Adding two-factor authentication to WordPress is an important step in improving the security of your website. The WP 2FA or Two-Factor plugin makes it easy to set up 2FA for your WordPress site and user accounts. While two-factor authentication doesn't completely protect against all types of attacks, it significantly reduces the risk of brute force attacks and password theft.
![Image [11] - How to add two-factor authentication in WordPress - Photon Flux | Professional WordPress Repair Service, Worldwide, Fast Response](https://www.361sale.com/wp-content/uploads/2024/06/2024061301281171.png)
Link to this article:https://www.361sale.com/en/14178
The article is copyrighted and must be reproduced with attribution.