Enabling 2-factor Authentication for WordPress

2-factor authentication (2fa) combines something you know (your password) with something you have (a software or hardware device) before access to your account is granted. Someone who obtains your password alone can no longer get in without considerably more effort (or an exploit) — highly recommended! Do note that once 2fa logins are enabled, you'll always need that secondary device on hand to log in to your site.

There are many different ways of adding 2fa to WordPress: WordFence Premium, iThemes, Jetpack, and others. Some support physical keys (YubiKeys, for example), while others use an app you install on your phone, such as Google Authenticator or Duo Security.

We'll cover the free route here, using the Google Authenticator plugin for WordPress.

Additional 2fa considerations

While adding 2fa is highly recommended, there are some considerations to take into account. Despite the drawbacks below, we still highly recommend implementing 2fa in some form.

2fa software can have exploits

2fa software can itself contain vulnerabilities, at best rendering the 2fa useless and at worst opening entirely new holes.

Device awareness

Without your phone, you won't be able to log in and manage your site. Most of us keep our phones on us nearly all the time, but it's still something to consider.

Swapping devices is an increased pain point

With 2fa enabled, changing to a new device adds another step to take into account. You'll need to log in (using your old device), disable 2fa, and then re-enable it and activate it on your new device. Upgrading to a new phone means you'll need both devices in hand to do so, or you'll have to follow the Lost 2fa device instructions. Some of our users print out their QR codes and store them in a safe so they can easily re-import them when a device is sold or lost.

Adding google authenticator to your phone

If you don't already have it, you'll need to install Google Authenticator on your phone in advance. Google's instructions for this are actively updated, so follow them (Installing Google Authenticator) and return here once completed.

Adding the google-authenticator plugin

  1. Log in to your WordPress administrative section, and navigate to Plugins > Add new.
  2. Once there, type google-authenticator into the upper right search field and press Enter.
  3. Next, find the Google Authenticator plugin by Henrik Schack and install it. After it's installed, hit Activate on that same interface.

Enabling 2fa for your WordPress user

  1. Log in to your WordPress installation as your user.
  2. Select Howdy, user (where user is your username) in the upper right.
  3. Scroll down to Google Authenticator Settings.
  4. Check Active.
  5. Then, hit Create new secret. A QR code will appear. Open Google Authenticator on your phone, tap the plus symbol and select Scan barcode.
  6. Scan the barcode provided, and then scroll down on your WordPress profile and hit Update profile.

Logging in now that 2fa is enabled

  1. Navigate to your WordPress administrative login location.
  2. Enter your username and password, then open the Google Authenticator app on your phone.
  3. Ensure the code isn't about to expire (there's a small timer next to each code). Then, type in that code & login.

If you're unsuccessful, wait until the code regenerates and try again.

Lost 2fa device

Once in a while a phone goes missing, is stolen, or is lost. You can use these instructions to disable 2fa for the affected account.

Using another administrator

If you've lost your 2fa device, another administrator can disable Google Authenticator for your account by editing your profile, using the instructions below.

  1. Have another administrator log in to WordPress to perform these steps.
  2. Navigate to Users > All users.
  3. From there, select the username you need to disable 2fa on.
  4. Then, uncheck the checkbox next to Active below Google Authenticator.
  5. Now, that user's login will no longer require Google Authenticator. They can then follow the Enabling 2fa for your WordPress user instructions again.

Advanced

For advanced users: log in to a shell and use WP-CLI to enable or disable Google Authenticator for the user. Alternatively, create a new administrator (which you remove afterwards) and log in with it.
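The WP-CLI route above, as an added example that is not part of the original article or the plugin. It assumes the plugin stores the per-user switch in the user meta key googleauthenticator_enabled with the values enabled / disabled; confirm that with wp user meta list <user> before relying on it.

```shell
#!/bin/sh
# Added example, not from the Fused article or the plugin: toggle Google
# Authenticator for one WordPress user with WP-CLI, the "Advanced" recovery
# route for a lost 2fa device. Run from the WordPress root (or pass --path).
#
# Assumption: the plugin keeps the per-user switch in the user meta key
# "googleauthenticator_enabled" with the values "enabled" / "disabled";
# confirm with `wp user meta list <user>` before relying on it.
set -eu

GA_META_KEY="googleauthenticator_enabled"

# Print the current switch for a user: "enabled", "disabled" or "unset".
ga_status() {
  local user="$1" value
  # `wp user meta get` exits non-zero when the key is missing; report "unset".
  if value="$(wp user meta get "$user" "$GA_META_KEY" 2>/dev/null)"; then
    printf '%s\n' "${value:-unset}"
  else
    printf 'unset\n'
  fi
}

# Set the switch for a user after confirming the user exists; print new state.
ga_set() {
  local user="$1" state="$2"
  case "$state" in
    enabled|disabled) ;;
    *) echo "state must be 'enabled' or 'disabled'" >&2; return 2 ;;
  esac
  # Refuse to create stray meta for a mistyped login: `wp user get` fails for
  # unknown users (it accepts an ID, login or email).
  wp user get "$user" --field=ID >/dev/null 2>&1 || return 1
  wp user meta update "$user" "$GA_META_KEY" "$state" >/dev/null
  ga_status "$user"
}

# Usage: sh ga-recover.sh <user> [enabled|disabled]
# With only <user> it reports the state; with a state it changes and reports.
main() {
  local user="${1:?usage: ga-recover.sh <user> [enabled|disabled]}" state="${2:-}"
  echo "before: $(ga_status "$user")"
  if [ -n "$state" ]; then
    echo "after:  $(ga_set "$user" "$state")"
  fi
}

# Run only when arguments are given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Once the user is back in, they should create a new secret from their profile rather than leaving 2fa disabled.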

Without administrative access

Reach out to the Fused team and we'll verify your account access; provided we can authorize you, we'll handle it.