# 2FA for WordPress websites


2FA is a pain in the arse.
You were all thinking it, and I was as well. But it’s more of a pain when your site gets hacked, so like almost all security, it’s one of those things you just have to do to avoid pain in the future.

Anyways – if you aren’t getting your web team to do it – then here’s a handy guide to doing it yourself.

* * *

### Step 1: Choose a 2FA Plugin

While there are several plugins available for implementing 2FA on WordPress, some of the most popular and reliable ones include:

1.  **Wordfence Security**: Offers comprehensive security features, including 2FA.
2.  **Google Authenticator – Two Factor Authentication (by Henrik Schack)**: Simple and effective.
3.  **Two Factor Authentication (by David Anderson)**: Developed by the authors of popular plugins like iThemes Security and WP Security Audit Log.
4.  **Duo Two-Factor Authentication**: Enterprise-level security features.
5.  **Authy – Two Factor Authentication**: User-friendly with multiple device support.

For this guide, we’ll use **Wordfence Security** due to its robust feature set and ease of use.

* * *

### Step 2: Install and Activate the Wordfence Security Plugin

1.  **Log in to Your WordPress Admin Dashboard**
    -   Navigate to `https://yourwebsite.com/wp-admin` and log in with your administrator credentials.
2.  **Navigate to the Plugins Section**
    -   From the left-hand menu, click on **Plugins** > **Add New**.
3.  **Search for Wordfence Security**
    -   In the search bar, type **“Wordfence Security”**.
    -   Locate the plugin developed by **Wordfence**.
4.  **Install the Plugin**
    -   Click the **Install Now** button next to the Wordfence Security plugin.
5.  **Activate the Plugin**
    -   Once installed, the **Install Now** button will change to **Activate**. Click it to activate the plugin.

* * *

### Step 3: Configure Wordfence Security

1.  **Initial Setup**
    -   Upon activation, you might be prompted to start the setup wizard. Follow the on-screen instructions to configure basic settings.
2.  **Access Wordfence Settings**
    -   From the left-hand menu, click on **Wordfence** > **Login Security**.
3.  **Enable Two-Factor Authentication**
    -   In the **Login Security** section, look for the **Two-Factor Authentication** option.
    -   Toggle the switch to **Enable**.
4.  **Choose the Authentication Method**
    -   Wordfence offers several 2FA methods, including:
        -   **Email-Based Authentication**: Sends a code to the user’s email.
        -   **Authentication App**: Use apps like Google Authenticator, Authy, or Duo.
        -   **U2F/WebAuthn**: Use hardware keys like YubiKey.
    -   For most users, **Authentication App** is recommended for its balance of security and convenience.
5.  **Set Up Authentication App**
    -   **Download an Authenticator App**: If you haven’t already, install an authenticator app on your smartphone. Popular options include:
        -   Google Authenticator
        -   Authy
        -   Duo Mobile
    -   **Scan the QR Code**:
        -   In the Wordfence settings, click **Enable** next to the Authentication App option.
        -   A QR code will appear. Open your authenticator app, choose to add a new account, and scan the QR code.
    -   **Enter the Verification Code**:
        -   After scanning, the authenticator app will generate a 6-digit code.
        -   Enter this code into the Wordfence setup to verify the connection.
6.  **Enforce 2FA for Users**
    -   Decide which user roles should be required to use 2FA. It’s recommended to enforce 2FA for all users with login access, especially administrators.
    -   In the **Login Security** settings, under **Two-Factor Authentication**, specify the roles that must use 2FA.
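What actually happens behind the QR code and the 6-digit code above is RFC 6238 TOTP: the QR code carries an `otpauth://` URI with a shared secret, and both the app and the site compute HMAC-SHA1 over the current 30-second time step. The example below is added here to make that concrete; it is not Wordfence’s or WordPress’s code. The secret is the RFC 6238 test-vector key (`DEMO_SECRET_B32`), the issuer and account names are made up, and the one-step clock-skew window is a common server-side choice, not a documented Wordfence setting.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed demo secret: the RFC 4226/6238 test-vector key
# "12345678901234567890" encoded in base32. Real secrets are random per user.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""))
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).
    This is what the authenticator app displays every 30 seconds."""
    return hotp(secret_b32, at_time // period, digits)


def verify_totp(secret_b32: str, submitted: str, at_time: int,
                period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check of a submitted code. Accepts the current step and
    +/- `window` neighbouring steps so a slightly skewed phone clock still
    works. hmac.compare_digest avoids leaking the comparison via timing."""
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    step = at_time // period
    for drift in range(-window, window + 1):
        expected = hotp(secret_b32, step + drift, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def otpauth_uri(issuer: str, account: str, secret_b32: str,
                period: int = 30, digits: int = 6) -> str:
    """The text an enrolment QR code encodes (the Key Uri Format understood by
    Google Authenticator, Authy, Duo Mobile and similar apps)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={period}")


if __name__ == "__main__":
    # RFC 6238 Appendix B: at unix time 59 the 8-digit code is 94287082,
    # so the 6-digit code an app would show is 287082.
    print(totp(DEMO_SECRET_B32, 59))
    # Hypothetical issuer/account; a real site would embed its own name.
    print(otpauth_uri("ExampleSite", "admin@example.com", DEMO_SECRET_B32))
    now = int(time.time())
    print(verify_totp(DEMO_SECRET_B32, totp(DEMO_SECRET_B32, now), now))
```

Two things worth noticing from the code: the QR code is the secret in plain text, so a screenshot of the enrolment screen is as sensitive as the password, and verification tolerates only a step or two of clock drift, which is why a phone with a badly wrong clock produces codes the site rejects.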

* * *

### Step 4: Enroll Users in 2FA

1.  **User Login**
    -   Each user with a role that requires 2FA will need to set it up upon their next login.
2.  **Prompt to Set Up 2FA**
    -   Upon logging in, users will be prompted to set up 2FA if they haven’t already.
    -   They should follow the on-screen instructions to link their authenticator app.
3.  **Backup Codes**
    -   Encourage users to generate and securely store backup codes. These codes can be used to access their accounts if they lose access to their authenticator device.
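Backup codes only help if they are generated from a proper random source, stored hashed rather than in plain text, and burned after a single use. The example below is an added illustration of that handling and is not Wordfence’s implementation; the code length, count and PBKDF2 iteration count are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed example: codes are shown to the user exactly once at generation
# time; the site keeps only a per-user salt and the hashes of unused codes.

DIGITS = "0123456789"


def generate_backup_codes(count: int = 10, length: int = 8) -> list:
    """Distinct numeric codes from the OS CSPRNG (secrets, not random)."""
    codes = []
    while len(codes) < count:
        code = "".join(secrets.choice(DIGITS) for _ in range(length))
        if code not in codes:
            codes.append(code)
    return codes


def format_for_display(code: str) -> str:
    """Split into groups of four so users can copy it down accurately."""
    return "-".join(code[i:i + 4] for i in range(0, len(code), 4))


def hash_code(code: str, salt: bytes) -> str:
    # A slow hash keeps offline guessing expensive if the database leaks.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000).hex()


class BackupCodeStore:
    """Per-user persisted state: salt plus hashes of the codes not yet used."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = {hash_code(c, self.salt) for c in codes}

    def redeem(self, submitted: str) -> bool:
        """Accept a code once, then remove it so it cannot be replayed.
        Hyphens and whitespace from the displayed form are ignored."""
        cleaned = submitted.strip().replace("-", "").replace(" ", "")
        candidate = hash_code(cleaned, self.salt)
        for stored in list(self.unused):
            if hmac.compare_digest(stored, candidate):
                self.unused.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("Store these somewhere safe:")
    for c in codes:
        print(" ", format_for_display(c))
    store = BackupCodeStore(codes)
    print(store.redeem(format_for_display(codes[0])))  # first use succeeds
    print(store.redeem(codes[0]))                      # replay is rejected
    print(store.remaining(), "codes left")
```

The point for the "securely store" advice in the step above is the other side of this: the site never keeps the plain codes, so a user who loses the printed list cannot recover them and must regenerate a fresh set.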

* * *

### Step 5: Test the 2FA Setup

1.  **Log Out of WordPress**
    -   Click on your profile picture in the top-right corner and select **Log Out**.
2.  **Attempt to Log In Again**
    -   Navigate to your WordPress login page and enter your credentials.
3.  **Enter the 2FA Code**
    -   After entering your username and password, you will be prompted to enter the 2FA code from your authenticator app.
4.  **Successful Login**
    -   If everything is set up correctly, entering the correct 2FA code should grant you access to the dashboard.