Securing Your Website: WordPress + Two-Factor Authentication

In this post I am going to discuss a simple, effective way to make your WordPress site much more secure by implementing two-factor authentication, also referred to as “2FA”, for your user accounts. I would imagine that most people are already using it even if they aren’t familiar with the term itself. If you aren’t familiar with the term two-factor authentication, I will explain what it means.

Two-factor authentication is the idea that a username and password are not the only two pieces of information that someone needs to have in order to log into their account. A second factor, in addition to the password, is required in order to be authenticated. This can be a text message sent to your phone when you enter your username and password, an email with a code, or a randomly generated code that changes every 30-60 seconds. There are even hardware devices that you such as the Symantec VIP Hardware Authenticator, a small physical device that generates codes for you to use when logging in.

Most websites that deal with sensitive information are starting to require this for everyone because of the insecurity of only using a password and people reusing the same password for many of their accounts.

You can leverage this security on your own WordPress site with a plugin called WordFence. WordFence is a good plugin to be using even if you aren’t using 2FA. It will give you a summary of the overall security on your WordPress site and make recommendations for things you can do to make your site more secure.

This is not going to be a comprehensive walkthrough but rather a high level explanation of the steps to take.

Here is a high level overview of what you need to do to implement WordFence for 2FA, or alternatively, have Airtight Design help secure your website!

1. Install the Wordfence Security Plugin

• Log in to your WordPress Admin Dashboard.
• Navigate to Plugins > Add New.
• In the search bar, type “WordFence”.
• Click Install Now next to the Wordfence Security plugin.
• After the installation is complete, click Activate.

2. Set Up Wordfence

• Once activated, you’ll be guided through an initial setup wizard.

3. Enable Two-Factor Authentication (2FA)

• After setup, navigate to Wordfence > Login Security from your WordPress dashboard.
• Under the Two-Factor Authentication tab, you’ll see an option to enable 2FA.

4. Configure 2FA for Users

• To require 2FA for all users, go to the Settings section on the same page.
• You’ll see options to enable 2FA for different user roles, such as Administrators, Editors, Authors, etc.

5. Set Up 2FA for Individual Users

• Each user will need to configure their 2FA.
• Users should go to Users > Your Profile (or Profile if accessing their own profile).
• In their profile, they will find the Two-Factor Authentication section.
• They need to scan the QR code using an authenticator app (like Google Authenticator or Microsoft Authenticator) on their mobile device.

6. Require 2FA for All Users

• After users have set up 2FA, it will be required for them to log in.

7. Backup Codes

• Users should also generate and save backup codes, which can be used to access the site if they lose access to their authenticator app.
• Save these codes somewhere you would keep sensitive files or information that you don’t want anyone else accessing.

8. Testing

• Test the 2FA setup by logging out and logging back in to ensure that 2FA is functioning as expected.

Seem daunting? Contact us! This is one of many items Airtight Design’s list of security touch points for building professional, secure WordPress sites.