Two-Factor Authentication or 2FA provides an additional layer of security requiring a second factor of identification beyond just a username and password. Two-factor authentication has long been used to control access to personal and financial data processed in banks or insurance companies; and today website owners are increasingly using 2FA to protect their users’ accounts from cybercriminals exploiting weak or stolen WordPress passwords and compromised credentials.
A FREE & EASY TO USE TWO-FACTOR AUTHENTICATION PLUGIN FOR WORDPRESS
Add an extra layer of security to your WordPress website login page and its users. Enable two-factor authentication (2FA), the best protection against users using weak passwords, and automated password guessing and brute force attacks. Two-Factor Authentication (2FA) or Two-Step Verification is an additional layer of security you add to your WordPress login pages. With 2FA it is virtually impossible for attackers to hijack your WordPress user, even if they guess the password. Two-factor authentication is also good to help mitigate WordPress brute force attacks.
When 2FA is enabled on a website, it requires a user to provide an additional verification PIN code when signing into the website. This verification code is generated automatically and sent to the user by email. As an additional security measure, you can specify a separate email address on a per-user basis specifically for delivering 2FA verification codes.
To continue the user has to enter the verification PIN code into the form. If the user didn’t receive the code, they can either try to get another one or cancel the login process.
Two-Factor Authentication form is used to verify the user
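One way a site could issue and check an emailed verification PIN like the one described above. This is an added example, not WP Cerber's code; the PIN length, lifetime, attempt limit and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 6     # assumed length; the page does not state one
PIN_TTL = 600      # assumed lifetime in seconds
MAX_ATTEMPTS = 5   # assumed number of guesses allowed per PIN


def _digest(pin, salt):
    # Salted hash so the PIN itself is never stored; with so few possible
    # PINs, the short lifetime and attempt limit are the real controls.
    return hashlib.sha256(salt + pin.encode()).digest()


def issue_pin(now=None):
    """Return (pin_to_email, server_record); only the record is stored."""
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"  # CSPRNG
    salt = secrets.token_bytes(16)
    record = {"salt": salt, "hash": _digest(pin, salt),
              "expires": now + PIN_TTL, "attempts": 0, "used": False}
    return pin, record


def verify_pin(record, submitted, now=None):
    """Return 'ok', 'wrong', 'expired' or 'locked'; updates the record."""
    now = time.time() if now is None else now
    if record["used"] or now > record["expires"]:
        return "expired"          # single use, and only while fresh
    if record["attempts"] >= MAX_ATTEMPTS:
        return "locked"           # caps online guessing of the PIN
    record["attempts"] += 1
    candidate = _digest(submitted, record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):  # constant-time
        record["used"] = True
        return "ok"
    return "wrong"
```

Requesting another code, as the login form allows, would call `issue_pin` again and replace the stored record, which invalidates the earlier PIN.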
How to enable Two-Factor Authentication
You can easily enable 2FA on a per-role basis on the User Policies admin page. WP Cerber Security enables you to configure different 2FA settings for each role. In the Advanced mode, you can specify a set of conditions for enforcing two-factor authentication for a certain role. The Advanced mode is available in the Professional version of the plugin.
Note: Before you can enable 2FA for administrators’ accounts, you have to complete one successful login with 2FA enabled for any other role on the website.
Per-user 2FA settings
You can customize some 2FA settings on a per-user basis on the user edit page (user profile page). In addition to the per-role 2FA settings, you can disable or enable two-factor authentication for a specific user. You can choose from “Always enabled”, “Disabled” and “Determined by user role policies”. This feature is available in the professional version of WP Cerber.
As an additional security measure, you can specify a separate email address specifically for delivering verification codes.
Two-Factor Authentication for WordPress: per-user settings in the professional version
Whitelisting IP addresses
Two-factor authentication is not enforced for WordPress users who log in from IP addresses in the White IP Access List.
Monitoring two-factor authentication events
When two-factor authentication is enforced for a user, WP Cerber logs this event to the Activity log as “Two-factor authentication enforced”. At this moment a new verification PIN code is generated and sent to the user. When a user enters the correct verification PIN code, the login event is marked as “2FA code verified”.
To monitor user logins made with two-factor authentication, go to the Activity log, select “Two-factor authentication enforced” event from the drop-down list and click the Filter button.
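A review script for the two events named above: it lists every “Two-factor authentication enforced” entry that was never followed by “2FA code verified” for the same user and IP address, which can mean someone other than the account owner submitted the login. This is an added example, not part of WP Cerber; the CSV column layout, the 15-minute window and the sample rows are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

ENFORCED = "Two-factor authentication enforced"
VERIFIED = "2FA code verified"

# Constructed sample rows; this column layout is an assumption and is not
# WP Cerber's own export format.
SAMPLE_LOG = """\
time,user,ip,event
2024-05-01 09:00:02,alice,198.51.100.7,Two-factor authentication enforced
2024-05-01 09:00:41,alice,198.51.100.7,2FA code verified
2024-05-01 09:12:10,bob,203.0.113.50,Two-factor authentication enforced
2024-05-01 09:13:05,bob,203.0.113.50,Two-factor authentication enforced
2024-05-01 11:30:00,carol,192.0.2.14,Two-factor authentication enforced
2024-05-01 11:31:12,carol,192.0.2.14,2FA code verified
"""


def unverified_challenges(log_text, window=timedelta(minutes=15)):
    """Return (user, ip, time) for each challenge with no verification."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    for row in rows:
        row["t"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
    verified = [r for r in rows if r["event"] == VERIFIED]
    findings = []
    for row in rows:
        if row["event"] != ENFORCED:
            continue
        # A challenge is resolved when the same user and IP verify a code
        # within the window after the challenge was issued.
        resolved = any(
            v["user"] == row["user"] and v["ip"] == row["ip"]
            and timedelta(0) <= v["t"] - row["t"] <= window
            for v in verified)
        if not resolved:
            findings.append((row["user"], row["ip"], row["time"]))
    return findings
```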
How to manage 2FA settings on multiple websites
Did you know that you can monitor and manage 2FA settings on any number of websites remotely? Enable the Cerber.Hub master mode on the main website and the slave mode on your other websites to manage all WP Cerber settings and monitor user activity from one WordPress dashboard, switching between your websites in a click.
Note that some 2FA features are available in the professional version only.
Features | Free | Professional |
Standard 2FA mode | Yes | Yes |
Advanced 2FA mode | No | Yes |
Per-user 2FA policies | No | Yes |
Separate email address for 2FA codes | No | Yes |
Managing 2FA on multiple websites | No | Yes |
Have any questions?
If you have a question regarding WordPress security or WP Cerber, leave it in the comments section below or get it answered here: G2.COM/WPCerber.
Two-factor authentication is a simple way to make your WordPress login more secure and protect it from brute-force attacks.
Google has used this technology for years, so don’t wait any longer and implement this feature as well.
How to Add Two-Factor Authentication / Video
If you prefer watching a video instead of reading this article on how to secure the WordPress-Login, you can watch this entire article as a video:
How Two-Factor Authentication Works
Passwords are the standard for logging in on the web, but they’re relatively easy to break. Even if you make good passwords and change them regularly, they need to be stored wherever you’re logging in, and a server breach can leak them. There are three possible factors you can use to prove your identity:
- Something you know: This could be a personal identification number (PIN), a password, answers to secret questions, or a specific keystroke pattern
- Something you have: Typically, a user would have something in their possession, like a credit card, a smartphone, or a small hardware token
- Something you are: This category is a little more advanced and might include a biometric pattern of a fingerprint, an iris scan, or a voiceprint
Logging in with a password is single-factor authentication. It relies only on something you know. Two-factor authentication, by definition, is a system where you use two of the three possible factors to prove your identity instead of just one. We combine “Something you know” (your password) and “Something you have” (your smartphone).
There are a lot of different places to increase the security of a site. Still, the WordPress Security Team has said that “The weakest link in the security of anything you do online is your password,” so it makes sense to put energy into strengthening that aspect of your site.
Use of Two-Factor Authentication on WordPress
On the login screen, first, you will provide your WordPress username and password:
In the second step, you have to enter an authentication code. You will receive this code via an authentication app on your smartphone:
How to Install the plugin WP 2FA for Two-Factor Authentication
Search for the WP 2FA plugin in the plugin repository. Install and activate the Two-Factor Authentication plugin.
After activation, go to Plugins > WP 2FA > Configure 2FA Settings to open the setup wizard.
Next, you need to install a “2FA” app on your phone. I recommend the Google Authenticator.
Open your authentication app and scan the QR code that appears in the setup wizard.
Enter the code shown in the app on your smartphone.
That’s all; your authentication app has now saved the secret code that WP 2FA sent once during setup. Now configure the settings that match your WordPress site.
The next time you log into your website, the plugin will ask you for the two-factor authentication code after entering your password.
To do this, open the authentication app on your phone again and enter the code you see on it.
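What the QR scan and the six-digit codes in the steps above amount to, as an added example (not WP 2FA's code): the QR code carries a shared secret in an `otpauth://` URI, and the app and the server each derive the same time-based code from it (TOTP, RFC 6238). The demo secret is the RFC's published test key; the account name, issuer and function names are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 6238 test key, used here as a constructed demo secret (never reuse it).
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()


def provisioning_uri(secret_b32, account, issuer):
    """The otpauth:// URI a setup QR code encodes; it carries the secret."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}")


def totp(secret_b32, at=None, step=30, digits=6):
    """Code for the 30-second window containing `at` (HMAC-SHA1)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    at = time.time() if at is None else at
    counter = max(int(at) // step, 0)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify(secret_b32, submitted, at=None, step=30, drift=1):
    """Accept the current window plus `drift` windows either side."""
    at = time.time() if at is None else at
    ok = False
    for k in range(-drift, drift + 1):
        expected = totp(secret_b32, at + k * step, step)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok
```

Because anyone who sees the QR code or the URI can generate valid codes, the setup screen deserves the same care as the password itself.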
You’ve made a good step forward to improve the security of your WordPress login. If you want to secure your entire WordPress website, don’t stop reading and check out the article “How to Secure your WordPress Website.”
There I’ll explain everything you need to know about WordPress security.