The login page is one of the biggest security exposures for every site owner on the WordPress platform. Anyone can reach it by appending /wp-admin/ or /wp-login.php to the site address, which makes it easy for attackers and bots to send automated login attempts. This is called a brute force attack, and it is one of the biggest problems for sites whose users log in with weak or leaked passwords. The best way to protect your website is to use two factor authentication on the WordPress login page.
What is Two Factor Authentication?
Two factor authentication is a protection mechanism that adds a second verification step on top of your current password. In WordPress, it works like this once you enable two factor authentication:
- The user goes to the WordPress login page.
- The user enters the correct username/email and password.
- The system asks for a second authentication code. Depending on the setup, the code arrives by email or is read from one of the authenticator apps.
- The user enters the code and is logged in to the admin panel.
No user, including you, can log in to the website without entering the second authentication code.
Requirements for Two Factor Authentication in WordPress
Now that you know how two factor authentication works in WordPress, here is what you need before implementing it on your own website.
- Install a two factor authentication plugin.
- Have a mobile phone or a valid email address.
- Install an authenticator app on your mobile, or have working email delivery on your WordPress installation.
Installing Authenticator App in Mobiles
Since two factor authentication with a mobile app is the easier option, that is what this article explains. You can get a free authenticator app from the Google Play Store for Android or from the Apple App Store for iPhone.
- Install one of these free apps: Google Authenticator, Microsoft Authenticator, Duo Security, Authy, LastPass, FreeOTP or Okta Verify.
- During setup on your site, scan the QR code with the mobile app to connect your site with the authenticator app.
- Whenever you log in, open the app and use the auto-generated six digit code as the authentication code.
Install WP 2FA plugin
There are a few two factor authentication plugins available for WordPress. Log in to your admin panel and go to the “Plugins > Add New” section. Search for “authentication” to find the WP 2FA – Two-factor Authentication for WordPress plugin. Install the plugin and activate it on your site.
Setup Two Factor Authentication in WordPress
After installing the plugin, it shows a getting started wizard. You can either follow the wizard by clicking the “Let’s get started!” button or close it and use the configuration settings. We recommend closing the wizard and doing the setup manually, since you will need to adjust the settings after running the wizard anyway.
Setup Mobile Authentication
You can return to the setup wizard either from the plugins page or from your user profile. Go to “Users > Profile”, scroll down to the bottom of the page and click the “Configure Two-factor authentication (2FA)” button.
You will see a QR code like the one below, along with a key for manually pairing your site with an authenticator app.
Open your authenticator app and scan your site’s QR code. The site name appears in the app along with a six digit code. The app refreshes the code automatically every 30 seconds (as in Microsoft Authenticator; the behaviour may vary depending on the app you choose to use).
After pairing your site with the app, click the “I’m Ready” button in the site’s setup wizard. On the next screen, enter the code from the app and click the “Finish” button.
That’s all! You have now successfully set up two factor authentication for logging in to your WordPress site.
Generate Backup Codes
What happens if you do not have your mobile with you, or cannot log in after setting up 2FA? To cover such situations, you can generate backup codes and use one of them instead of the code from the authenticator app. In the setup wizard, click the “Continue & configure backup codes” button. On the next screen, click the “Generate backup codes” button.
The plugin generates 10 backup codes, which you can write down, download as a text file or print for offline reference.
You can use one of these 10 codes to log in when you cannot use the authenticator app. If you closed the wizard before generating backup codes, go to your profile section; from there you can generate them by clicking the “Generate backup codes” button.
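The following is an added example, not the WP 2FA plugin’s own code, showing what a sound backup-code scheme looks like behind the “Generate backup codes” button: the codes are generated from a cryptographic random source, only a salted slow hash of each code is stored, lookups use constant-time comparison, and every code is usable exactly once. The class and function names, the alphabet, the code length and the assumption that each code is single-use are this example’s own choices.

```python
import hashlib
import hmac
import secrets

# Constructed example, not the WP 2FA plugin's implementation. It demonstrates
# the properties a backup-code scheme needs: random, unguessable codes; only a
# salted digest stored at rest; constant-time matching; and one use per code.

# Alphabet without look-alike characters (0/O, 1/l/I), since users type these by hand.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10      # 31^10 possibilities, roughly 49.5 bits of entropy per code
PBKDF2_ROUNDS = 100_000


def generate_backup_codes(count: int = 10) -> list[str]:
    """Generate `count` random backup codes (the article's plugin generates 10)."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
            for _ in range(count)]


def normalise(code: str) -> str:
    """Tolerate how people copy codes back: surrounding spaces, dashes, upper case."""
    return code.strip().replace("-", "").replace(" ", "").lower()


def hash_code(code: str, salt: bytes) -> str:
    """Store a salted, slow digest rather than the code, so a leaked table
    cannot be turned back into usable codes cheaply."""
    return hashlib.pbkdf2_hmac("sha256", normalise(code).encode("ascii"),
                               salt, PBKDF2_ROUNDS).hex()


class BackupCodeStore:
    """Per-user set of unused backup code digests (what a plugin would persist)."""

    def __init__(self, codes: list[str]):
        self.salt = secrets.token_bytes(16)           # stored beside the digests
        self.hashes = {hash_code(c, self.salt) for c in codes}

    def remaining(self) -> int:
        return len(self.hashes)

    def redeem(self, code: str) -> bool:
        """Accept the code if it is unused, then burn it so it cannot be reused."""
        candidate = hash_code(code, self.salt)
        match = None
        for stored in self.hashes:
            # constant-time comparison; every stored digest is checked, not just the first
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self.hashes.discard(match)
        return True


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("write these down or print them:", codes)
    # first use succeeds, second use of the same code is refused
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())
```

The normalisation step matters in practice: backup codes are typed by hand in a stressful moment, so accepting upper case or stray spaces removes a common support problem without weakening the check, because the digest is always computed over the canonical form.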
Setup Email Instead of Mobile Authentication
If you want to receive the code by email instead of via the mobile app, configure it by navigating to the “Settings > Two-factor Authentication” menu. Select the “One-time code via email (HOTP)” method under the “2FA Settings” tab. You can also enable email alongside the mobile authentication method.
Then go to the “Email Settings & Templates” tab and configure your email. You can use the administrator email of your current user from the WordPress user profile or enter a custom email address.
- Set up the email template for each action: 2FA, login code, account locked and account unlocked.
- Test email delivery to confirm the email setup works on your site.
Then go back to your user profile and click the “Configure Two-factor Authentication (2FA)” button. On the screen that opens, choose the email method and click next to proceed.
Enter a custom email address or use the current user’s email and click the “I’m Ready” button.
You will receive the authentication code by email, formatted as per your template. Enter the code and click the “Finish” button to complete the email authentication setup.
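Both the six digit code the authenticator app shows (described in the mobile setup above) and the “One-time code via email (HOTP)” method rest on the same building block. The following is an added example, not the WP 2FA plugin’s code: an RFC 4226 HOTP and RFC 6238 TOTP implementation showing how the code is derived from the shared secret in the QR code or manual pairing key, why it changes every 30 seconds, and how a server should verify it with a small clock-drift window while refusing to accept the same time step twice. The function names, the one-step window and the `last_counter` replay check are this example’s own design; the verification test vectors are from the RFCs.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed example, NOT the WP 2FA plugin's code. Implements HOTP (RFC 4226)
# and TOTP (RFC 6238) with HMAC-SHA1, six digits and a 30-second step, which is
# what the authenticator apps named in the article produce by default.

DIGITS = 6        # code length shown by the authenticator app
STEP = 30         # seconds per time step, as described in the article


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated.
    The email method is this with a counter the server increments per code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                window: int = 1, step: int = STEP, digits: int = DIGITS):
    """Return the time-step counter the code matches, or None.

    `window` tolerates one step of clock drift either side. Counters at or
    below `last_counter` (the step of the last accepted code, which the server
    must persist per user) are rejected, so a code that was already used cannot
    be replayed within its validity window.
    """
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        # compare_digest avoids leaking which digits matched through timing
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def new_base32_secret(length: int = 20) -> str:
    """Generate the shared secret carried by the QR code / manual pairing key (base32)."""
    return base64.b32encode(secrets.token_bytes(length)).decode("ascii")


def decode_base32_secret(key: str) -> bytes:
    """Accept the manual key as users see it: spaces and lower case tolerated, padding optional."""
    key = key.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)
    return base64.b32decode(key)


if __name__ == "__main__":
    import time
    key = new_base32_secret()
    secret = decode_base32_secret(key)
    now = int(time.time())
    code = totp(secret, now)
    print("pairing key:", key)
    print("current code:", code)
    print("accepted at step:", verify_totp(secret, code, now))
    print("replay accepted:", verify_totp(secret, code, now, last_counter=now // STEP))
```

The secret, not the code, is the sensitive value: anyone holding the base32 key can compute every future code, which is why the pairing key should be shown once during setup and stored server-side with the same care as a password hash. The `window` of one step is what lets a phone whose clock is a few seconds off still log in; widening it beyond one or two steps gives an attacker more valid codes per attempt for no real usability gain.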
Other Settings for Two Factor Authentication
The plugin also offers some other useful settings:
- Enforce 2FA for all users or only for specific users and roles.
- Exclude some users from entering a 2FA code when logging in to your site.
- Give users a grace period before 2FA is enforced, within which they must set it up.
- Set up a redirect page to send users to after logging in with a 2FA code.
- Allow users to disable 2FA from their profile page after logging in to the site.
- Set up a frontend 2FA page, with a redirect option, for sites that use a custom login page. This is useful when you run a membership site or online store and do not allow users to access the WordPress dashboard. For example, the WooCommerce plugin has its own login page and sends users to their account page instead of the default WordPress dashboard. In that case, you can create a frontend 2FA page and set up a redirect so users land on the right page after entering the authentication code.
Make sure to save your changes after finishing the configuration.