Protecting WordPress With 2FA

What Is 2FA?

Two Factor Authentication (2FA), also known as muli-factor authentication introduces another layer of security above and beyond the traditional username and password model widely used to protect your online data.

Usually this is done using a token, USB fob or an app on your phone.

Why Is 2FA Better Than Regular Passwords?

With computing power increasing in power every year and the rise of botnets, millions of compromised home computers and IoT devices doing a hackers bidding, it is getting easier to brute-force guess a username and password.

Brute-force hacking is simply trying combinations of usernames and passwords millions of times over per minute to gain access to a system; usually a website you own or your bank accounts etc.

Hackers can increase their chances by using social engineering to guess your username (email, first+last name) and by using a database of commonly used (and laughably insecure) passwords.

Because 2FA uses a separate device to generate additional login information (usually a numeric or alphanumeric token called a TOTP; Time-based One-Time Password), hackers don’t have physical access to that device and hence it makes the task of hacking into a system much much more difficult.

Unless that additional device is stolen or hacked into, the hacker has no way of providing the additional token needed to gain access into a system.

Why Phone-Based Keypad and SMS Authentications Are Not Good

Multi-factor authentication has been around for a while and some large organisations have been calling account holders and telling them to press a number on the keypad or simply sending them an SMS code as the additional token.

These types of authentication systems are easily spoofed. Most phones will give out a tone when you press a key on the keypad – this can be recorded and played back to gain access (there are only around 12 keys on a phone keypad).

SMS messages are sent unencrypted in plain-text so they can be intercepted if a hacker has the right tech.

Try avoiding SMS and keypad authentication in favour of an app or fob-based 2FA authentication system to generate the token.

How To Protect WordPress Using 2FA

Fortunately it’s very easy to protect your WordPress login using 2FA.

First, instal the free and very excellent Wordfence plugin from the WordPress.org repository.

You can download the zip file from the repository or search and install it form your WordPress dashboard at Plugins > Add New (recommended for new users).

Installing Wordfence on WordPress
Adding Wordfence to your WordPress website

In the image above I typed in Wordfence to the keyword search field.

WordPress did a search of the respository at wordpress.org and returned the Wordfence Security – Firewall & Malware Scan pluing.

Of course I already have it installed and active, as I do with all my WordPress Site Care customers.

You can go ahead and click on the Install button and then Activate the plugin.

Navigate to Wordfence > Login Security from your new new WordPress dashboard option.

First you will have to download a 2FA token generator app to your phone.

I’m an Andoid user so I use the Google Authenticator app.

Google Authenticator Android phone app

Wordfence supports multiple apps that generate TOTPs so if you are an iPhone or other phone user check their list of TOTP generator apps.

Setting up 2FA for WordPress using Wordfence

You will see a similar screen to the one above where you can scan the QR code into your authenticator app.

I’ve blacked out the recovery codes and bits of the QR code – just so you know – this is for a local WordPress site on my PC and not a live site – but I’ve blacked them out just in case.

The Google authenticator app on your phone will generate a token and you enter that token into the step 2 window at the bottom (where the placeholder is 123456).

Google Authenticator app for 2FA logins.
Note, this is not my actual app

If the code is correct then you have properly enabled 2FA for WordPress.

Note that you have about 30 seconds before the app generates a new token and sometimes if the token doesn’t work, you need to resync the app with Google in the app settings.

You should download the recovery codes and keep them password protected on a local computer – in case your phone doesn’t work and you don’t have access to the 2FA app.

That’s it!

Now when you logout of WordPress and try to login, you will be prompted to enter your 2FA code generated from your mobile phone app.

Wordfence asking for 2FA authentication code
Wordfence asking for 2FA authentication code

You can choose who used 2FA from their WordPress profile or from within WordPress by forcing all user roles (like Administrators) to require a code to login.

Posted in


Wil is a dad, consultant, developer, conference organiser, speaker and business mentor. He co-organizes the WordPress Sydney meetup group and has been on the organising committee for WordCamp Sydney since 2014. He speaks at many special events and contributes to the WordPress open source project. His likes are chillies, craft beer and electrogravitics.
Scroll to Top