Enabling 2-factor Authentication for WordPress¶
2-factor authentication (2fa) allows you to use one piece of information you have (your password) in conjunction with a device (software or hardware) to allow access to your account. Doing so reduces the likelihood of someone gaining access to your account without quite a bit more effort (or, an exploit) — highly recommended! Do note that once 2fa logins are enabled, you'll always need that secondary device around to log in to your site.
There are many different ways of getting 2fa implemented on WordPress. You can add it using WordFence Premium, iThemes, Jetpack, etc. Some support physical keys (YubiKeys, for example), whereas others make use of software that you'll install on your phone, like Google Authenticator, Duo Security, or others.
We'll cover the free route here, using the WordPress google-authenticator plugin, which is available at no cost.
Additional 2fa considerations¶
While adding 2fa is highly recommended, there are some considerations to take into account. Note that despite all of the drawbacks, we highly recommend implementing 2fa in some form.
2fa software can have exploits¶
2fa software can have exploits, rendering 2fa useless at best, and at worst: opening new holes entirely.
Without your phone, you won't be able to login & manage your site. While the bulk of us keep our phones on us almost perpetually, this is another thing to consider.
Swapping devices is an increased pain point¶
With 2fa enabled, changing to a new device adds another step to take into account. You'll need to log in (using your old device), disable 2fa, and then re-enable it and activate it on your new device. Upgrading to a new phone means you'll need both devices in hand to do so, or, follow the Lost 2fa device instructions. Some of our users print out their QR codes and save them in a safe to easily re-import them when a device is sold or lost.
Adding google authenticator to your phone¶
If you don't already have it, you'll need to install Google Authenticator on your phone in advance. Google's instructions for this are actively updated, so review them there and return here once completed: Installing google authenticator
Adding the google-authenticator plugin¶
- Log in to your WordPress administrative section, and navigate to Plugins > Add New.
- Once there, type google-authenticator into the upper-right search field and hit Enter.
- Next, find the Google Authenticator plugin by Henrik Schack and install it. After it's installed, hit Activate on that same interface.
Enabling 2fa for your WordPress user¶
- Log in to your WordPress installation as your user.
- Click Howdy, user (where user is your username) in the upper right.
- Scroll down to Google Authenticator Settings.
- Then, hit Create new secret. A QR code will appear. Open Google Authenticator on your phone, and hit the plus symbol and select
- Scan the barcode provided, and then scroll down on your WordPress profile and hit
Logging in now that 2fa is enabled¶
- Navigate to your WordPress administrative login location.
- Populate your username/password, and then open the Google Authenticator app on your phone.
- Ensure the code isn't about to expire (there's a small timer next to each code). Then, type in that code and log in.
If you're unsuccessful, wait until the code regenerates and try again.
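The codes Google Authenticator shows are time-based one-time passwords (TOTP, RFC 6238): the app and the plugin share a secret and both derive the current 6-digit code from that secret and the current 30-second time slot, which is why a code "expires" and why waiting for the next one fixes a failed login. The following is an added example written for this page, not the google-authenticator plugin's own code, that reproduces the computation on both sides, shows the remaining validity of a code, and builds the otpauth URI that the QR code carries. The demo secret, account name and issuer are constructed values; the exact URI parameters the plugin emits are an assumption based on Google's Key URI format.

```python
"""TOTP (RFC 6238) generator and verifier, the algorithm behind authenticator codes.
Added illustrative example; not the plugin's implementation."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

TIME_STEP = 30   # seconds per code: the "small timer" next to each code in the app
DIGITS = 6       # Google Authenticator displays 6-digit codes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter set to the current time slot (unix time // step)."""
    return hotp(secret, at_time // step, digits)


def seconds_remaining(at_time: int, step: int = TIME_STEP) -> int:
    """How long the code for this time slot stays valid; when small, wait for the next code."""
    return step - (at_time % step)


def verify(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current slot plus `window` slots either side.
    The tolerance absorbs small clock skew and a code typed just as the timer runs out;
    a code from several slots ago is rejected. Comparison is constant-time."""
    counter = at_time // TIME_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            return True
    return False


def decode_base32_secret(secret_b32: str) -> bytes:
    """Authenticator apps take the secret as (often unpadded) base32 text; restore padding."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the enrollment QR code encodes (Google Key URI format, assumed)."""
    label = quote(f"{issuer}:{account}", safe=":@")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&digits={DIGITS}&period={TIME_STEP}")


if __name__ == "__main__":
    # Constructed demo secret; a real one is generated by the plugin via "Create new secret".
    demo_secret_b32 = "JBSWY3DPEHPK3PXP"
    secret = decode_base32_secret(demo_secret_b32)
    now = int(time.time())
    print("QR code would encode:", provisioning_uri(demo_secret_b32, "admin", "WordPress"))
    print("current code:", totp(secret, now), "valid for", seconds_remaining(now), "more seconds")
    print("accepted by server:", verify(secret, totp(secret, now), now))
```

Because the plugin and the app only share the secret, anyone holding a printed copy of that QR code (as the device-swap note above suggests) can re-enroll a new phone; treat the printout with the same care as the password itself. The verifier's `window` is what makes a code entered in the last second still work; a code from an earlier slot fails regardless, so retrying with a fresh code is the right move.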
Lost 2fa device¶
Once in a while a phone goes missing, gets stolen, or is lost. You can use these instructions to disable 2fa access.
Using another administrator¶
If you've lost your 2fa device, an administrator can uncheck Google Authenticator on your profile using the instructions below.
- Have another administrator log in to WordPress to perform these steps.
- Navigate to Users > All Users.
- From there, select the username you need to disable 2fa on.
- Then, uncheck the checkbox next to Active below Google Authenticator.
- Now, that user's login will no longer have Google Authenticator as a requirement. They can then follow the Enabling 2fa for your WordPress user instructions again.
Advanced users can log in to a shell and use wp-cli to enable/disable google-authenticator, or create a new administrator (removed afterwards) to log in with.
Without administrative access¶
Reach out to the Fused team and we'll verify your account access, and, provided we can authorize you, we'll handle it.