Have you enabled two-factor authentication on your Google account? Or maybe even on one of your social media accounts? You know, the one where you key in your password and then get a mobile notification to reconfirm if it was really you trying to log in?
It helps to have this extra layer of security, doesn’t it? It’s like, even if someone were to get hold of your password, they can’t access your account until you say yes. The power is in your hands!
As more and more website owners look for better ways to secure their website logins, two-factor authentication shows up all over the Internet.
Would you like to add a similar two-factor authentication for your WordPress site?
Yes, it is very much possible!
This guide will show you how. We will cover the options you have, how to implement two-factor authentication and some plugins you can use to implement it on your own website.
- Two-Factor Authentication and WordPress
- What Is Two-Factor Authentication?
- Why Is Two-Factor Authentication Required?
- How to Enable Two Factor Authentication
- The Best Two-Factor Authentication Plugins for WordPress
- What Are Recovery Codes and How to Use Them?
- How to Disable Two-factor Authentication
- What’s Your Two-Factor Authentication Method?
Two-Factor Authentication and WordPress
As with any other site online, you can easily add two-factor authentication to your WordPress site. It gives your WordPress site an extra level of security, and you can’t have too much security!
Owing to its popularity, WordPress is a prime target for malicious attacks, brute force attacks, and hackers.
While having a solid password is imperative, having an extra security layer is well worth adding to your site. Needless to say, it’s better to be safe than sorry!
So, what is two-factor authentication? How do you set it up on your WordPress website? What are the best two-factor authentication plugins to use?
What Is Two-Factor Authentication?
2FA, or two-factor authentication, is an additional layer of security you can add to your WordPress login pages. With 2FA, attackers can’t hijack your WordPress site even if they guess your password.
You log into WordPress as normal with your username and password, and a code is then sent to your phone. Enter the code and you are in.
We are all used to single-step authentication, that is, a password alone. The stronger the password, the lower the chance of it being guessed or cracked.
Even if you were to create a strong password and change it periodically, there is still the possibility of it being compromised.
Enter two-factor authentication!
Why Is Two-Factor Authentication Required?
Do you know how many websites worldwide use WordPress?
WordPress powers close to 44% of global websites, with Wix and Squarespace in second and third position with a 7.17% and 4.06% market share, respectively. (Source: First Site Guide)
This indicates the market share and the dominance that WordPress holds.
Heard of the famous quote attributed to Abraham Lincoln, ‘Avoid popularity if you would have peace’?
Well, that’s the case here too!
Owing to its popularity, WordPress is a primary target for hackers and brute force attacks. If your site is hacked, your customer details and other confidential information are all at the mercy of the hackers.
So, it pays to have an extra layer of security for your WordPress site to help keep everything safe.
You have several ways to go about this. One way is by shifting the WordPress login URL.
Accessing the login screen is common knowledge to all those familiar with WordPress. For instance, for a domain https://yourdomain.com, the WordPress login URL will be https://yourdomain.com/wp-admin.
How do you hide the obvious and change the destination URL?
The easiest way to do so is by installing the WPS Hide Login plugin. With this popular plugin, you set a new WordPress login URL and hide the default one.
Another method to secure your website is by using strong passwords and changing them periodically. But, as mentioned earlier, this is not the best option.
Two-factor authentication is. At least until something better comes along!
Two-factor authentication doesn’t come with WordPress. You will need to install a plugin for it.
We will go ahead and enable two-factor authentication using the Google Authenticator WordPress plugin.
How to Enable Two Factor Authentication
The easiest way to add two-factor authentication is by using the Google Authenticator plugin. Let’s walk through the steps to enable it.
Enable Two-Factor Authentication Using Google Authenticator
Step 1: Install the Google Authenticator Plugin
Install and activate the Google Authenticator WordPress plugin from Plugins > Add New.
Once the plugin is activated, you’ll be prompted to click on Advance Settings or Logout and Configure.
Go ahead and click on the latter.
Step 2: Configure Google Authenticator
Once you re-login to your WordPress dashboard, you will be prompted to select a 2FA method for your website.
Select one of the available options.
We’ve selected the first option, i.e., Google / Authy / Microsoft Authenticator (Any TOTP Based Authenticator App).
In the following screen, select the Authenticator app from the available options and scan the QR code with your phone. If you do not have a QR code scanner installed, you can download one from the App Store or the Play Store.
Once the scan completes, the Google Authenticator app displays a 6-digit OTP, the verification code it generates.
Enter the OTP and click on Verify and Save.
You will now find a list of recovery codes.
The recovery codes, also referred to as backup codes, can be used to log into your WordPress account when you’ve been locked out or don’t have your phone with you.
It is recommended that you download the codes and store them safely.
You will also receive an email containing the backup codes.
Click Finish once done.
Step 3: Enable Two-factor Authentication
Once you’ve completed all the above steps, head over to miniOrange 2-Factor > Two factor.
You’ll notice the Google Authenticator configured.
In addition to the Google Authenticator method, you can opt for any of the other 2FA methods, such as security questions, OTP over SMS, OTP over email, OTP over WhatsApp, and many more.
To enable 2FA for your website, click on the 2FA + Website Security option above.
Once enabled, you’ll notice a set of links appearing on the left-hand side, under miniOrange 2-Factor. You will also be directed to the dashboard.
The dashboard will provide detailed information about the number of failed logins, the number of attacks blocked, and so on.
Enable Two-Factor Authentication Using OTP Over SMS
If you’d like to configure OTP Over SMS, follow these steps.
Step 1: Register With miniOrange
Head over to miniOrange 2-Factor > Two factor and click on Configure under OTP Over SMS.
For first-time users, you’ll have to register for an account with miniOrange before proceeding.
Once you’ve registered, you’ll see how many email and SMS transactions you have left.
To obtain more credits, you’ll have to purchase them.
Once you’ve created an account, it’s time to configure the OTP over the SMS method.
Step 2: Configure OTP Over SMS
Now that you are signed in to your account, click on Configure under OTP over SMS.
Key in your mobile number and click on Verify.
Enter the OTP you’ve just received on your mobile number and click on Validate OTP.
That’s it, you have successfully set up 2FA using OTP!
Similarly, you can choose to set up other methods of 2FA.
Now, what are the other best two-factor authentication WordPress plugins? Let’s find out.
The Best Two-Factor Authentication Plugins for WordPress
Here’s a list of 2FA WordPress plugins that you can easily install to secure your website.
1. WP 2FA
WP 2FA is a free and easy-to-use two-factor authentication WordPress plugin that allows you to easily add extra security to your site.
Not only can you enable 2FA for the admin users of your site, but it also helps force your website users to use 2FA. Once installed, WP 2FA has a setup wizard that clearly shows you how to activate 2FA and get it up and running.
WP 2FA features:
- WP 2FA is a free and easy-to-set-up two-factor authentication (2FA) plugin
- It supports TOTP (code from 2FA apps like Google Authenticator and Authy) and OTP (email-based codes)
- Set up policies to enable 2FA with a grace period. Alternatively, get users to set up 2FA post-login instantly
- Supports the use of 2FA backup codes
- Protects against automated password guessing and dictionary attacks
Go ahead and install the WP 2FA for free.
2. Two-Factor
Two-Factor is another free 2FA WordPress plugin. The settings for the 2FA are available under the WordPress user profile page.
You can configure 2FA from one of the following methods:
- Receive authentication codes via email
- Time-Based One-Time Passwords (TOTP)
- FIDO Universal 2nd Factor (U2F)
- Backup codes
- Option to use a dummy (sandbox) method for testing purposes only
The plugin does not have a global setting to enforce 2FA across all users. The administrator will have to enable 2FA individually for everyone who logs into your website.
The Two-Factor plugin also supports the use of backup codes. So if you cannot generate the second factor to log in to your WordPress site, you can use one of the backup codes.
Explore and install the Two-Factor plugin for free.
3. Google Authenticator
Google Authenticator is a very popular two-factor authentication plugin. It is a simple, easy-to-use 2FA WordPress plugin.
After installing the plugin, visit your profile page to enable the Google Authenticator Settings. You then scan the QR code using the Google Authenticator app on your smartphone. In addition to the username and password, the next time you log into your WordPress site, you’ll be asked for the code from the Google Authenticator app.
Enter the code from the app into your WordPress login page and you will be granted access. Without it, you won’t be able to log in.
Using the Google Authenticator plugin, you can easily integrate 2FA into other popular WordPress plugins such as WooCommerce, BuddyPress, bbPress, DigiMember, LearnDash, and many more.
Some of the features of Google Authenticator are:
- Simple and easy-to-use interface to set up Google Authenticator and 2FA
- A variety of 2FA methods
- Supports several languages for all methods of 2FA
- Login without a password or using a phone number. This method is supported by Google Authenticator and other 2FA methods
- The 2FA allows authentication on the login page itself for Google Authenticator
- Brute force attack prevention and IP blocking
- Monitor the user login with and without 2FA
Try the Google Authenticator WordPress plugin.
4. WordPress 2-Step Verification
WordPress 2-Step Verification is another free two-factor authentication WordPress plugin. Once installed, you can configure 2FA from the user profile page.
To log in to your WordPress admin, in addition to the username and password, you’ll need to enter a code that’s generated by your Android/iPhone app. Alternatively, the plugin will email you the code after signing in.
Some of the features of this plugin include:
- Easy to set up
- Option to use the application or email
- Use of backup codes
- Ease of recovery (via FTP)
- Integrate 2FA for WooCommerce
Install the WordPress 2-step verification plugin.
5. Two Factor Authentication
The Two Factor Authentication plugin helps you secure your WordPress login. Users will require a one-time code to log into their WordPress admin, which helps protect your website.
For creating one-time passwords (OTP), this plugin uses the same industry-standard algorithms used by Google Authenticator.
Some of the features of the Two Factor Authentication plugin are:
- It supports the standard TOTP + HOTP protocols
- Easy scanning with the use of graphical QR codes
- Two-factor authentication can be made available based on user roles
- Integrates with WooCommerce and Affiliates-WP login forms
- It is compatible with WP Multisite
- Works with WP Members
Install Two Factor Authentication for free.
What Are Recovery Codes and How to Use Them?
Remember the backup codes we downloaded during the setup process?
What are these recovery codes meant for?
Recovery codes help you log into your account even if you were to lose your phone, or otherwise get locked out of your website.
The advantage of recovery codes is that they don’t expire. However, each recovery code can be used only once.
So, how do you use these recovery codes? Well, the process is the same as using an OTP code.
Visit the login page of your WordPress site.
Once you’ve keyed in the username and password, you’ll be directed to the Validate OTP page. Click on ‘Use Backup Codes’ and key in one of the backup codes you’ve downloaded or have in your email.
And then click on login to continue. That’s it!
It’s important to note that the previous codes won’t work if you generate new ones.
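The three properties described above (codes never expire, each works once, and generating a new batch invalidates the old one) can be seen in this added example, which is not code from the post or from the miniOrange plugin. It models how a plugin can keep backup codes: stored only as salted hashes, removed on first use, and replaced wholesale on regeneration. The code length, batch size and hashing parameters are assumptions.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits

class RecoveryCodes:
    """Backup codes for a 2FA login: issued in a batch, stored only as salted hashes,
    each accepted once, and all invalidated when a new batch is generated."""

    def __init__(self, count: int = 10, length: int = 10):
        self.count, self.length = count, length
        self._salt = b""
        self._hashes = set()

    @staticmethod
    def _hash(salt: bytes, code: str) -> bytes:
        # Slow hash so a leaked database does not hand over usable codes.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)

    def regenerate(self) -> list:
        """Issue a fresh batch; the plaintext codes are returned exactly once for download.
        A new salt plus a new hash set means every code from the old batch stops working."""
        self._salt = secrets.token_bytes(16)
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(self.length))
                 for _ in range(self.count)]
        self._hashes = {self._hash(self._salt, c) for c in codes}
        return codes

    def redeem(self, submitted: str) -> bool:
        """Accept a code once: its hash is removed on success, so replaying it fails."""
        candidate = self._hash(self._salt, submitted.strip().lower())
        for stored in self._hashes:
            if hmac.compare_digest(stored, candidate):
                self._hashes.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        """How many unused codes are left; warn the user to regenerate when this gets low."""
        return len(self._hashes)
```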
How to Disable Two-factor Authentication
It is an equally simple process to disable 2FA.
Head over to Settings under miniOrange 2-Factor > Two factor.
Click on the checkbox to disable two-factor authentication on your website.
Test it by logging out and re-logging in, and you won’t be asked to key in an OTP.
What’s Your Two-Factor Authentication Method?
If you’re running an online business, keeping your website secure is probably a top priority. Not only would you like to have complete control over your website, but you would also like to ensure that all the user and customer data are safe and secure.
Owing to its popularity, WordPress websites are a common target for hackers and brute force attacks. And unless you’d like to end up firefighting a situation, it’s best to add an extra layer of security by adding two-factor authentication for your website.
The native WordPress installation doesn’t come with the 2FA enabled. Fortunately, with the various plugins available, you can easily add two-factor authentication. Most are free and easy to use and add a valuable extra layer of defense for your website.
So, what’s your 2FA method? How do you protect your website from attack? We’d like to know in the comments below.
Pratik Chaskar holds the pivotal role of CTO at Brainstorm Force, serving as the backbone of the company. Renowned for his organizational skills, strategic thinking, problem-solving attitude, and expertise in leading and executing plans, Pratik plays a crucial role in the BSF’s technological landscape.
Disclosure: This blog may contain affiliate links. If you make a purchase through one of these links, we may receive a small commission. Read disclosure. Rest assured that we only recommend products that we have personally used and believe will add value to our readers. Thanks for your support!
Thank you for providing two really simple methods. I am really happy to say it’s an interesting post to read. I learned new information from your article. Your article is very valuable for me.