EssentialGovernanceSecurity

2FA for WordPress websites

29.10.2024
BenB
m

2FA is a pain in the arse.

You were all thinking it, and I was as well. But it’s more of a pain when your site get’s hacked, so like almost all security, it’s one of things you just have to do to avoid pain in the future.

Anyways – if you aren’t getting your web team to do it – then here’s a handy guide to doing it yourself.

Step 1: Choose a 2FA Plugin

While there are several plugins available for implementing 2FA on WordPress, some of the most popular and reliable ones include:

  1. Wordfence Security: Offers comprehensive security features, including 2FA.
  2. Google Authenticator – Two Factor Authentication (by Henrik Schack): Simple and effective.
  3. Two Factor Authentication (by David Anderson): Developed by the authors of the popular plugins like iThemes Security and WP Security Audit Log.
  4. Duo Two-Factor Authentication: Enterprise-level security features.
  5. Authy – Two Factor Authentication: User-friendly with multiple device support.

For this guide, we’ll use Wordfence Security due to its robust feature set and ease of use.

Step 2: Install and Activate the Wordfence Security Plugin

  1. Log in to Your WordPress Admin Dashboard
    • Navigate to https://yourwebsite.com/wp-admin and log in with your administrator credentials.
  2. Navigate to the Plugins Section
    • From the left-hand menu, click on Plugins > Add New.
  3. Search for Wordfence Security
    • In the search bar, type “Wordfence Security”.
    • Locate the plugin developed by Wordfence.
  4. Install the Plugin
    • Click the Install Now button next to the Wordfence Security plugin.
  5. Activate the Plugin
    • Once installed, the Install Now button will change to Activate. Click it to activate the plugin.

Step 3: Configure Wordfence Security

  1. Initial Setup
    • Upon activation, you might be prompted to start the setup wizard. Follow the on-screen instructions to configure basic settings.
  2. Access Wordfence Settings
    • From the left-hand menu, click on Wordfence > Login Security.
  3. Enable Two-Factor Authentication
    • In the Login Security section, look for the Two-Factor Authentication option.
    • Toggle the switch to Enable.
  4. Choose the Authentication Method
    • Wordfence offers several 2FA methods, including:
      • Email-Based Authentication: Sends a code to the user’s email.
      • Authentication App: Use apps like Google Authenticator, Authy, or Duo.
      • U2F/WebAuthn: Use hardware keys like YubiKey.
    • For most users, Authentication App is recommended for its balance of security and convenience.
  5. Set Up Authentication App
    • Download an Authenticator App: If you haven’t already, install an authenticator app on your smartphone. Popular options include:
    • Scan the QR Code:
      • In the Wordfence settings, click Enable next to the Authentication App option.
      • A QR code will appear. Open your authenticator app, choose to add a new account, and scan the QR code.
    • Enter the Verification Code:
      • After scanning, the authenticator app will generate a 6-digit code.
      • Enter this code into the Wordfence setup to verify the connection.
  6. Enforce 2FA for Users
    • Decide which user roles should be required to use 2FA. It’s recommended to enforce 2FA for all users with login access, especially administrators.
    • In the Login Security settings, under Two-Factor Authentication, specify the roles that must use 2FA.

Step 4: Enroll Users in 2FA

  1. User Login
    • Each user with a role that requires 2FA will need to set it up upon their next login.
  2. Prompt to Set Up 2FA
    • Upon logging in, users will be prompted to set up 2FA if they haven’t already.
    • They should follow the on-screen instructions to link their authenticator app.
  3. Backup Codes
    • Encourage users to generate and securely store backup codes. These codes can be used to access their accounts if they lose access to their authenticator device.

Step 5: Test the 2FA Setup

  1. Log Out of WordPress
    • Click on your profile picture in the top-right corner and select Log Out.
  2. Attempt to Log In Again
    • Navigate to your WordPress login page and enter your credentials.
  3. Enter the 2FA Code
    • After entering your username and password, you will be prompted to enter the 2FA code from your authenticator app.
  4. Successful Login
    • If everything is set up correctly, entering the correct 2FA code should grant you access to the dashboard.
BenB
Connect

You may also be interested in:

Structuring Your Website for Purpose and Performance: A Funnel-Based Approach

In this article, we’ll explore how to apply the TOFU–MOFU–BOFU framework at a page level,…

The worlds best pies.

Is your website trying to sell the world’s best pies? Let me explain. I was driving through the countryside with my family — lovely day, windows down, stomachs rumbling — when we passed through Bilpin. If you’re from New South Wales, you’ll know it’s famous for apples. And where there are apples, there are apple […]

Let’s stop obsessing over SEO. Seriously.

I know—I’ve said this before, but it’s worth repeating:Stop obsessing over SEO and AdWords.They’re not a strategy. They’re just tactics. Think about it this way: back in the day, you wouldn’t walk into a media agency and say, “I just want to do radio,” or “only TV.” You’d ask, what’s the best way to reach […]