Generally, you only use a username and a password to log in to your WordPress Admin Area. If your password is stolen or guessed, someone else can log in to your management panel. Two-Factor Authentication (2FA) protects against password theft or re-use, phishing, and key-logger attacks. In short, access to the WordPress Admin Panel is blocked for everyone unless a one-time code generated on (or sent to) your mobile phone is also entered, so the password alone is no longer enough. Two-Factor Authentication is a great way to add an extra layer of security to your website. In this tutorial, you will learn how to enable two-factor authentication for WordPress.
What you’ll need
Before you begin this guide you’ll need the following:
- Access to WordPress Admin Panel
- Time-based one-time password (TOTP) application on your smartphone
- FTP Access (Optional)
Step 1 — Choosing a plug-in
There are quite a few WordPress Two-Factor Authentication plugins to choose from, such as:
- Authy Two Factor Authentication
- Google Authenticator
- Clef Two-Factor Authentication
- Wordfence Security
In this guide, we will be using Authy Two Factor Authentication.
Step 2 — Installing the plugin
Step 3 — Setting up the plugin
Once the plugin is installed, you will need to take several other steps for the security features to be fully integrated. First of all, you will need to create an account on Authy and get an API key.
In order for the plug-in to work, you will need to enter the API key under WordPress Admin Panel -> Settings -> Authy.
Once the key is entered, you will need to navigate to WordPress Admin Panel -> Users and enable Two-Factor Authentication for your user(s).
After selecting a user, scroll to the bottom and press the Enable/Disable Authy button.
Enter your phone number and press Continue. If you have the Authy application on your smartphone, your WordPress user will be automatically added there (if not, you will receive a text message with a code each time you try to login with the user).
You can test the plug-in by logging out of your WordPress Admin Panel and logging in again. Here is the screen you will be prompted with after entering your login credentials:
Step 4 (Optional) — Disabling Two-Factor Authentication
In case you lose access to your phone and have no way of accessing your WP Dashboard, you can easily disable the plug-in using File Manager or an FTP client. You will simply need to navigate to wp-content -> plugins and rename the folder authy-two-factor-authentication; WordPress treats a plugin whose folder is missing as deactivated. For example, you can set it to authy-two-factor-authentication.disabled so that it is easier to know which plugins you disabled manually. In order to re-activate it, set the name back to the original value and it will work once again. Note that this means anyone with FTP or file-manager access to the site can bypass the second factor, so those credentials need the same care as the admin password.
By following this guide you have learned how to enable Two-Factor Authentication for your WordPress site. Now, even if someone got hold of your WP Dashboard password, they would still be unable to log in without the second factor. Since the plug-in allows you to enable this feature for other WordPress Dashboard users, you can also secure the accounts of your editors, website developers and others.