WP Umbrella Logo

How to implement Two-Factor Authentication (2FA) in WordPress With WP 2FA Plugin

Robert Abela

Anyone trying to access their WordPress account will have to enter their username and password to log in. This method of authentication usually provides a good amount of security if the password follows security best practices. However, you can get even better security by asking your users to log in to WordPress with 2FA. 

In this tutorial, we will discuss several benefits of 2FA and how you can incorporate 2FA into your own website.

What is 2FA in WordPress?

Many users choose some easy-to-remember (and vulnerable) passwords for convenience. This can be a major security risk. User credentials can also get stolen due to an exploit or attack. As a website owner, you should try to take precautions that can mitigate the bad effects of these risks. One such precaution is two-factor authentication or 2FA for WordPress.

Relying only on their username and password to authenticate a user constitutes single-factor authentication. Two-factor authentication requires that users will have to verify their identity using two different authentication factors. The term 2FA is short for two-factor authentication. 

The first factor is usually their knowledge of the username and password. The second factor is usually based on their possession of a device, or email address etc. This device or email address receives a one-time valid link or code to complete user authentication.

Main Benefits of 2FA Authentication

One of the biggest benefits of using 2FA for WordPress is the additional security that it provides. This additional security comes in the form of protection against vulnerable passwords, credential theft, and phishing. Let’s see how 2FA can provide additional security for a website where a user’s username-password combination is the only authentication method.

1. Protection Against Vulnerable Passwords

Not everyone uses long passwords that contain all kinds of random letters, numbers, and special characters. One reason for this behavior is that complex passwords are hard to remember, and password-managing tools are not widely used by the general population.

This means that the users of a website will likely use a short and easy-to-remember password. Some examples of such passwords are pa$$word, passw0rd, qwerty, etc. Such passwords are easy to crack for bad actors. They usually attempt this using a brute force attack.

In a brute force attack, the attacker tries to gain access by guessing usernames and/or passwords through trial and error. There are many approaches the attacker could take. Two examples would be trying all possible combinations one at a time or going through a list of commonly used passwords.

With 2FA in place, someone malicious will not be able to log in to one of your user’s accounts even if they were able to correctly guess their password. This is because they will still need to authenticate the login request. This is usually done either by entering a one-time code that a user with 2FA configured will receive on their device or email address or by giving approval for the login through a push notification from a designated app such as Authy.

You should also remind your website users that implementing 2FA is not an excuse to stop using strong passwords. Ideally, their password should still be difficult to guess or crack. One way to enforce the usage of strong passwords is to install the Melapress Login Security plugin. It also offers several other benefits, such as the ability to change the login page URL, limit failed login attempts, and much more.

2. Protection Against Credential Theft

A data breach that results in the exposure of user credentials can help someone gain unauthorized access to your user’s accounts. Having a strong password will not be of any help in this case.

It is also common for people to use the same set of passwords on multiple websites. This means that bad actors could have access to the account credentials of users on your website, even if the theft happened somewhere else.

However, 2FA will still be able to prevent bad actors from gaining access to your user’s accounts.

3. Protection Against Phishing

Not every user registered on your website might be very tech-savvy. Such users can become an easy target for phishers who might create a website very similar to your original website. Unsuspecting users are likely to enter their login credentials on these websites.

Once the bad actors have access to the user’s login details, they will be able to use them to gain access to the user’s account on your website. Enabling 2FA prevents access to user accounts whose credentials were unknowingly leaked through a phishing attack.

4. Account Recovery

Another benefit of 2FA is that it can help users regain access to their accounts if they ever lose or forget their login credentials. They will simply have to verify their identity using an alternate authentication method that they registered while setting up 2FA.

Ready to boost your productivity, impress your clients and grow your WordPress agency?

Install WP Umbrella on your websites in a minute and discover a new way to manage multiple WordPress sites.

Get Started for free

How does 2FA work and different types of 2FA

As we mentioned earlier, 2FA stands for two-factor authentication, so it relies on two different authentication factors to let users gain access to their accounts.

One of those factors is the user’s knowledge of their username and password. This is the sole authentication method that most websites use by default. It works on the assumption that only your users will know their login credentials.

The other factor is usually based on the user’s possession of an item or object. This could be anything, such as a smartphone or an email address. Once 2FA is enabled, a user will usually have to enter a passcode. They could receive it through SMS, an app on their smartphone, or in an email sent to their email address. They could also receive a push notification asking for login approval if that’s the 2FA method they chose. 

The assumption here is that even if a user’s credentials get stolen or exposed, a bad actor will still not be able to gain access to their account because they won’t have access to the device or email address that receives the passcode or push notification for the second authentication test.

WordPress Security Best Practices

A study by Verizon’s Data Breach Investigations found that 81% of hacking-related breaches leveraged either stolen or weak passwords, underscores the importance of 2FA.

The Most common 2FA Methods

1. One-time code from a 2FA App

Users get a one-time code from an app that they have to input while logging in. This code is valid for a short duration. There are quite a few apps, such as Authy, Google Authenticator, Microsoft Authenticator, and FreeOTP, that users can use to set up 2FA. These apps are also free. Users can download and use them without paying anything.

WP 2FA supports all the major authentication apps. If some of your users are already using an authentication app, this will enable them to simply keep using the existing app instead of starting from scratch.

You can also give users the option to request a link or OTP (One-Time Passcode) via email to authenticate themselves. Both the link and the OTP will only be valid for a limited period of time.

The WP 2FA plugin allows you to specify separate durations independently for the validity of the link and the one-time code.

If you enable this method, we highly recommend that you ensure email deliverability for your WordPress website. Users will only be able to authenticate themselves once they receive an email from your end.

3. One-time Code via SMS

Sending your users a one-time code via SMS for authentication is yet another 2FA method. WP 2FA allows you to set this up with the help of SMS delivery services Twilio. 

One advantage of this method is that your users don’t need to install any apps. Another benefit is that it doesn’t require users to have a smartphone or a phone with internet connectivity. Any basic phone that can receive SMS will work just fine.

4. Push Notifications

This method requires users to tap on a push notification in an app such as Authy to provide approval for account access. This will successfully complete their authentication.

An app can send a push notification even if it isn’t running in the foreground. This makes authentication through push notifications a bit more user-friendly as users won’t have to explicitly start an app and then enter a code. They can simply click on the push notification that pops up for authentication.

You should note that all of these 2FA methods require users to be in possession of either their device or email address.

Let’s say users can verify their identity through both their knowledge of the username-password combination and possession of a device or email address. It significantly increases the chances that they are the legitimate owners of their accounts and not someone who is trying to gain access through stolen credentials.

How to Implement WordPress 2FA Authentication

We will now discuss how you can add two-factor authentication to your WordPress website using the WordPress WP 2FA plugin. This plugin comes with a lot of features. For example, it supports multiple 2FA methods, backup 2FA methods, fully editable email templates, one-click WooCommerce integration, the ability to add trusted devices, and much more.

We will begin by installing the plugin. You should have received an email from MelaPress with the license key and a link to download the plugin upon completing your purchase. Once you install the plugin on your site, you will have to enter the license key in order to activate the plugin.

You can now navigate to WP 2FA > 2FA Policies from the WordPress admin dashboard. WP 2FA enables you to deploy 2FA through configurable policies. These policies determine how and when 2FA should be enforced. It is also possible to enforce 2FA for all users or only specific users or user roles.

Let’s say you want to enforce 2FA for all users except one; you can specify that user as an exception by adding the username of that particular user under Exclude the following users input. You can also exclude specific roles from being forced to implement 2FA using the Exclude the following roles input.

It is important to keep in mind that the users and roles that you are excluding from 2FA should actually exist on the website.

2FA policies

Next, you can specify which of the 2FA methods are available for users, such as a one-time code via a 2FA app, a link or OTP sent via email, a one-time code sent through SMS, or through push notifications.

 These 2FA methods and other configuration settings are applicable site-wide by default. This means that they will be applicable to all user roles. You can also provide a separate configuration for different roles, such as the editor, author, contributor, subscriber, etc., by selecting a checkbox that says Configure different 2FA settings for this user role, as shown below.

We have made three methods available to the users to configure 2FA through the WP 2FA plugin in this tutorial. The plugin allows you to configure two more methods — Push notification via the Authy app and one-time code via SMS delivered through Twilio. However, they will require integration with 3rd party services.

All users who fall under the criteria of requiring 2FA will see the following prompt the next time they try to log in.

2FA warning in WordPress

By default, users get a grace period of 3 days to set up 2FA before their accounts get locked. You can also tell WP 2FA to force them to configure 2FA right away or provide a longer grace period.

This is all that you need to do in order to use two-factor authentication on your website with the help of the WP 2FA plugin.

2FA method selection

Here is the configuration wizard that asks users to choose a 2FA method. You might have noticed that these are the same methods that we enabled earlier in the policy settings of the WP 2FA plugin.

 Users will be able to complete their configuration setup according to their preferences.

If they decide to use a one-time code via 2FA apps as an authentication method, they will need to use one of the freely available 2FA applications such as Google Authenticator, Microsoft Authenticator, Authy etc. After that, they will have to scan a QR code from within the app. Finally, they can enter the authentication code to complete the setup.

The two other methods require users to verify their email address through a one-time code. This is the email address that they used to register an account on your website. It is also possible for users to provide a different email address for authentication. However, you will have to enable this option while configuring the 2FA policies for your website under WP 2FA > 2FA Policies.

Advances Configuration Options Available in WP 2FA

There are a few features available in WP 2FA that can make the two-factor authentication setup even better for you as well as your users. Let’s take a look at some of them.

White labeling

The WP 2FA plugin walks users through a user-friendly setup wizard to configure their authentication method. This setup wizard will help the users specify their preferences for 2FA. This includes the method that they would like to use for 2FA.

The WP 2FA plugin gives you the option to extensively customize the styling of the 2FA code page where the users complete the authentication. It also allows you to customize the messages on different screens, such as the welcome screen and the 2FA method selection screen. This helps you keep the styling and tone of the 2FA setup wizard completely matched to the rest of the website.

WP 2FA also allows you to change the background color, add your logo, update the default text, etc., for the 2FA code page design.

You can change the font family, button color, button text, and even provide custom styling for the code entry screen.

For this tutorial, we have only made two changes to the default settings. We changed the background of the code entry screen to white and added our own custom logo. Users will see the following screen when the plugin prompts them for their 2FA code.

custom login page with 2FA in wordpress

People who are comfortable writing their own CSS can customize other visual aspects of the authentication screen as well.

Trusted devices

By default, WP 2FA configuration requires users to provide an authentication code every time they log in. Your users will usually be logging in from the same set of devices that they use actively. WP 2FA gives you the option to allow users to mark these devices as trusted devices.

This way, users won’t have to provide a 2FA access code every time they decide to log in. This feature improves the user experience without compromising account security.

Let’s say a bad actor has got access to one of your user’s login credentials and is trying to log in. Unless they have access to the user’s device, they will use some other device to log in. This other device won’t be a trusted device, so they will be prompted to enter the authentication code.

In other words, user accounts will have almost the same level of security while making the authentication process more user-friendly at the same time.

You can turn on the option to remember a device by navigating to WP 2FA > 2FA Policies form within the admin dashboard. You can specify how long WP 2FA should remember a device. WP 2FA remembers users with the help of a browser cookie and their IP address.

trusted device WP2FA

You can also specify if the plugin should prompt users for a code when a cookie isn’t found or the IP address changes. This provides a little more security in comparison to a check for just missing cookies.

Backup methods

In some circumstances, users might not be able to authenticate themselves using an app or through a one-time code received via SMS. For instance, they could be away from their phone at the moment, or their phone might have run out of battery. In such cases, allowing them to verify their identity using an alternate 2FA mode is better than keeping them locked out.

WP 2FA handles this situation by giving users the option to authenticate themselves using email-based 2FA in case their primary 2FA method isn’t working. As a secondary backup method, it only applies to users who use apps on their smartphones to complete 2FA.

Users can also generate a list of backup codes through WP 2FA for completing authentication if they are unable to authenticate through a 2FA app. A single backup code is only valid for use once. WP 2FA gives users 10 of these backup codes at a time. Users have the option to download them, print them, or get them via email.

backup WP 2FA

Some users might rely on emails or one-time code via SMS as their primary authentication method. In this case, they can still use backup codes to login. Keep in mind that these backup codes are secondary authentication methods. Users will not be able to use them as primary methods of authentication. 

Having these backup authentication methods in place means that users have very little chance of being locked out of their accounts.

2FA for users without access to the WordPress dashboard

WP 2FA Page

In some WordPress setups, users might not have access to the WordPress dashboard. One reason for this could be that the website uses a custom user profile page. WP 2FA takes this fact into consideration and gives you the option to set up a page for users to configure their 2FA settings.

We have provided a brief overview of some of the useful but optional features in WP 2FA, such as trusted devices, white labeling, and backup methods. WP 2FA includes many more features, making this a must-have plugin if you’re looking to improve the security of your WordPress website. 

Conclusion

Enabling 2FA can improve the safety for both your users and your website. With 2FA, your users are protected against credential theft, password vulnerabilities, and phishing attacks. As a website owner, you can also stay relaxed because a bad actor will have a hard time gaining access to your website and do something malicious with 2FA in place.

Setting up 2FA for a WordPress website in a secure manner becomes incredibly easy with WP 2FA. It provides both user-friendliness and security in a plugin that’s easy to set up and manage.