WordPress is the largest CMS per market share, powering millions of websites and counting. The open-source software allows you to create stunning blogs, websites, and apps.
WordPress.com and WordPress.org blogging platforms are popular with bloggers, webmasters, site owners, developers, and unfortunately, hackers.
Thankfully, with two-factor authentication (2FA), your site gets an additional layer of protection by requiring a PIN code to approve logins. So how do you enable 2FA for your WordPress site?
What You Need to Set Up 2FA in WordPress
To set up an extra layer of security in WordPress, you’ll need:
- A WordPress account.
- A 2FA plugin (e.g. Wordfence Login Security).
- An authenticator app (e.g. Twilio Authy).
Download: Twilio Authy for Android | iOS (Free)
These are the tools you’ll need to set up two-factor authentication in WordPress using Wordfence.
How to Set Up Wordfence 2FA in WordPress
You can enable 2FA in WordPress sitewide or per user. Here’s how to set up two-factor authentication using Wordfence.
Sign into your WordPress account and install any two-factor authenticator plugin of your choice, e.g. WP 2FA, Two Factor Authentication, or Wordfence.
For this tutorial, we’ll be using the Wordfence Security standalone plugin called Wordfence Login Security.
How to Install Wordfence Login Security Plugin
To install the Wordfence Login Security standalone plugin, hover your mouse pointer over My Sites > Network Admin in the top-left corner and click Plugins.
Next, click Add New beside Plugins.
Enter “Wordfence Login Security” into the Search plugins… search bar. Once the plugin appears in the search results, review it and click Install, then Activate. Once done, its status will change to Active.
Click Installed Plugins on the left side panel to view all your installed plugins. Wordfence Login Security should now be listed among them.
How to Set Wordfence Two-Factor Authentication for WordPress
Still within your WP dashboard, scroll down and click Login Security in the same left side panel.
This will launch the Wordfence Login Security Settings page.
Now, open your authenticator app on your phone. You can choose from several options, including Microsoft Authenticator, Google Authenticator, Duo Mobile, and Twilio Authy. We use Twilio’s Authy for this demonstration.
Tap the three dots at the top-right, then Add Account from the mini-menu, and tap Scan QR Code. Scan the QR code with your smartphone camera, then tap Save to add your WordPress account to Authy. Authy will instantly generate a six-digit token.
If you’re having trouble scanning the code, you can tap Enter Code Manually on the authenticator and enter the 32-character textual secret key beneath the QR code.
Take note of the recovery codes next to the QR code. These codes will enable you to sign into your WordPress site if you ever lose access to your authentication app or device. Copy or download them and keep them in a safe place.
Next, enter the six-digit code generated by Authy into the appropriate field and click Activate to enable two-factor authentication for WordPress.
Note that each token is good for only 30 seconds, after which it expires. Also, ensure that the clock on your WordPress server and the clock on your authenticator device are in sync, since Wordfence uses time-based one-time passwords (TOTP).
Upon activating 2FA, you will be prompted to download the recovery codes if you skipped it earlier. Click Download. Wordfence two-factor authentication should now be active on your account.
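To see why the 30-second lifetime and clock sync matter, here is an added example (not Wordfence's code and not part of the original tutorial) that computes TOTP tokens as defined in RFC 6238 and checks them against a server clock. The secret is the RFC's published test key, and the verify function with its window parameter is an assumption made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each token stays valid, as noted above
DIGITS = 6   # token length shown by the authenticator app

# Constructed sample: the RFC 6238 test key "12345678901234567890" in Base32.
# A real secret is the 32-character key shown beneath the QR code.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int) -> str:
    """Return the RFC 6238 token (HMAC-SHA1) for the given Unix time."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = struct.pack(">Q", unix_time // STEP)        # 30-second step number
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, token: str, server_time: int, window: int = 1) -> bool:
    """Hypothetical server-side check: accept tokens within +/- window steps."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, token):          # constant-time compare
            return True
    return False


if __name__ == "__main__":
    phone_time = 59                                       # constructed timestamp
    token = totp(SECRET, phone_time)
    print("token on phone:", token)
    for skew in (0, 20, 300):                             # server clock ahead by N seconds
        ok = verify(SECRET, token, phone_time + skew)
        print(f"server {skew:>3}s ahead -> accepted: {ok}")
```

A small window absorbs a few seconds of drift between phone and server; once the clocks differ by minutes, valid tokens are rejected, which is the usual cause of "invalid code" errors right after setup.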
How to Verify Your WordPress 2FA Works
You need to confirm that your two-factor authentication setup was actually successful.
To do so, log out of your current WordPress account and try to log in again. After inputting your username and password, click Log In. You should now see a page asking for a 2FA code.
Enter the six-digit token from your authenticator app, then click Log In.
2FA codes (or the recovery codes you downloaded) will be required for all future logins.
How to Deactivate Wordfence Two-Factor Authentication for WordPress
Here’s how to deactivate Wordfence 2FA for your WordPress site.
Log into your WordPress account. Go to My Sites > Network Admin > Plugins.
Next, click Login Security > Deactivate.
You’ll be asked if you’re sure you want to deactivate two-factor authentication; click Deactivate if you’re certain. And you’re done.
Security is the Watchword
You may set up a WordPress site in under 2 hours, but it may take years to recover if your site is ever hacked. Two-factor authentication can prevent this, and give you additional security and peace of mind.
To protect your WordPress site better, use strong and unique passwords, spam and brute-force blockers, and then implement two-factor authentication. You’ll be very pleased you did.