
2FA for WordPress websites

29.10.2024
BenB

2FA is a pain in the arse.

You were all thinking it, and I was as well. But it’s more of a pain when your site gets hacked, so like almost all security, it’s one of those things you just have to do to avoid pain in the future.

Anyways – if you aren’t getting your web team to do it – then here’s a handy guide to doing it yourself.


Step 1: Choose a 2FA Plugin

While there are several plugins available for implementing 2FA on WordPress, some of the most popular and reliable ones include:

  1. Wordfence Security: Offers comprehensive security features, including 2FA (in the free version).
  2. Google Authenticator (by Henrik Schack): Simple and effective, authenticator-app (TOTP) codes only.
  3. Two Factor Authentication (by David Anderson): From the team behind UpdraftPlus; supports the standard TOTP and HOTP protocols.
  4. Duo Two-Factor Authentication: Enterprise-level security features, tied to a Duo account.
  5. Authy – Two Factor Authentication: User-friendly with multiple device support.

Whichever you choose, check that it is still actively maintained, and prefer authenticator apps or hardware keys over codes sent by email or SMS: whoever has taken over your inbox or phone number gets those codes too.

For this guide, we’ll use Wordfence Security due to its robust feature set and ease of use.


Step 2: Install and Activate the Wordfence Security Plugin

  1. Log in to Your WordPress Admin Dashboard
    • Navigate to https://yourwebsite.com/wp-admin and log in with your administrator credentials.
  2. Navigate to the Plugins Section
    • From the left-hand menu, click on Plugins > Add New.
  3. Search for Wordfence Security
    • In the search bar, type “Wordfence Security”.
    • Locate the plugin whose author is listed as Wordfence. Check the author name rather than just the title, since similarly named look-alike plugins exist.
  4. Install the Plugin
    • Click the Install Now button next to the Wordfence Security plugin.
  5. Activate the Plugin
    • Once installed, the Install Now button will change to Activate. Click it to activate the plugin.

Step 3: Configure Wordfence Security

  1. Initial Setup
    • Upon activation you will be asked for an alert email address and then to install a licence. Follow the on-screen prompts; the free licence is enough, because 2FA is part of Wordfence’s Login Security features, not a paid extra.
  2. Access Wordfence Settings
    • From the left-hand menu, click on Wordfence > Login Security.
  3. Enable Two-Factor Authentication for Your Own Account
    • On the Two-Factor Authentication tab, Wordfence shows a QR code (and the same secret as a text key) for the account you are currently logged in as. Treat that secret like a password: anyone who can read the QR code can generate valid codes for your account.
  4. Choose the Authentication Method
    • Wordfence’s 2FA uses time-based one-time passwords (TOTP) generated by an authenticator app. It does not send codes by email or SMS, which is a good thing; those are the weakest forms of 2FA.
    • Hardware keys such as a YubiKey work with Wordfence through their TOTP mode (via Yubico Authenticator), not as U2F/WebAuthn devices.
  5. Set Up the Authenticator App
    • Download an Authenticator App: if you haven’t already, install one on your smartphone. Google Authenticator, Authy and Duo Mobile all work, as do password managers that support TOTP such as 1Password or Bitwarden.
    • Scan the QR Code: open your authenticator app, choose to add a new account, and scan the QR code shown by Wordfence (or type in the text key if you can’t scan).
    • Enter the Verification Code: the app now shows a 6-digit code that changes every 30 seconds. Enter the current code into the Wordfence box and click Activate to confirm the app and the site share the same secret.
    • Save the Recovery Codes: Wordfence then displays five single-use recovery codes. Download or print them and keep them somewhere safe, ideally in a password manager, and not on the phone that holds the authenticator.
  6. Enforce 2FA for Users
    • Decide which user roles should be required to use 2FA. Enforce it for every role that can log in, and at the very least for administrators and editors.
    • On the Settings tab of Login Security, under Two-Factor Authentication, mark those roles as Required rather than Optional, and set the grace period: users in a required role who haven’t enrolled by the end of it are locked out until they do.
    • While you are on that tab, check the XML-RPC setting. XML-RPC is a separate login path (used by the WordPress mobile apps and Jetpack) that accepts a username and password with no second factor, so disable it unless something you rely on needs it. WordPress application passwords are likewise a password-only path into the REST API; only issue them where they are actually needed.
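
For the curious, here is what the “scan the QR code, then type the 6-digit code” step is actually doing. This is an added example written for this post, not code from the post itself or from Wordfence: a minimal RFC 6238 TOTP implementation in Python that generates the secret, builds the otpauth:// URI a QR code carries, computes the code an authenticator app would show, and checks it. It goes a little beyond the setup steps by showing the two things a careful verifier does that the UI hides: tolerating a step of clock skew, and refusing to accept the same code twice. The account and issuer labels are placeholders, and the replay check illustrates good practice rather than anything about Wordfence’s internals.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote

STEP_SECONDS = 30   # TOTP time step; the app's code changes every 30 s
DIGITS = 6          # length of the code the user types


def new_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def enrollment_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the enrollment QR code encodes.

    `account` and `issuer` are illustrative labels (assumption); the real
    plugin picks its own.  Note that the secret travels in the clear here,
    which is why the QR code must not be screenshotted or shared.
    """
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced to DIGITS decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret_b32, unix_time // STEP_SECONDS)


def verify(secret_b32: str, submitted: str, unix_time: int,
           last_step_used: Optional[int] = None,
           window: int = 1) -> Tuple[bool, Optional[int]]:
    """Check a submitted code, tolerating +/- `window` steps of clock skew.

    Returns (accepted, matching_step).  Persist the returned step and pass it
    back as `last_step_used` on the next attempt: a step is accepted only
    once, so a code that was phished or shoulder-surfed cannot be replayed
    within its 30-second lifetime.
    """
    step_now = unix_time // STEP_SECONDS
    for offset in range(-window, window + 1):
        step = step_now + offset
        if last_step_used is not None and step <= last_step_used:
            continue  # this step was already spent; never accept it again
        if hmac.compare_digest(hotp(secret_b32, step).encode(), submitted.encode()):
            return True, step
    return False, None


if __name__ == "__main__":
    # Constructed demo: enrol a fresh secret, then "log in" with the current code.
    secret = new_secret()
    print(enrollment_uri(secret, "admin@example.com", "My WordPress Site"))
    now = int(time.time())
    code = totp(secret, now)
    print("app shows:", code, "-> server says:", verify(secret, code, now))
```

Two practical consequences fall out of this. First, both sides compute the code from the current time, so if valid codes are consistently rejected the usual culprit is a server clock that has drifted; keep it on NTP. Second, the secret in the QR code is all an attacker needs to mint codes forever, so enrol in a private setting and never store screenshots of the QR code.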

Step 4: Enroll Users in 2FA

  1. User Login
    • Each user with a role that requires 2FA will need to set it up upon their next login, within the grace period you configured in Step 3.
  2. Prompt to Set Up 2FA
    • Upon logging in, users will see a notice that 2FA is required and a link to set it up if they haven’t already.
    • They should follow the on-screen instructions to link their authenticator app, exactly as you did for your own account.
  3. Recovery Codes
    • Make sure users download the recovery codes Wordfence shows at activation and store them securely (a password manager, not a sticky note or the same phone). Each code works once and is the only way back in if the authenticator device is lost.
    • If a user loses both the device and the codes, an administrator can deactivate 2FA for that account from the WordPress Users screen so they can enrol again. Verify who you are talking to before doing that: “I lost my phone” is also exactly what an attacker says.
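
Recovery codes are only as good as the way they are generated and stored. As an added illustration (not Wordfence’s code, and the exact format of Wordfence’s codes is not reproduced here; the five groups of hex digits are an assumption), this Python example shows the three properties a recovery-code store should have: the codes are unpredictable, the server keeps only a hash of each so a database dump does not hand out a working second factor, and each code is burned after a single use.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List


def _digest(code: str) -> str:
    """Normalise what the user typed (case, separators) and hash it.
    Only this digest is ever written to storage, never the code itself."""
    normalised = code.replace("-", "").replace(" ", "").upper()
    return hashlib.sha256(normalised.encode("ascii", "ignore")).hexdigest()


def generate_recovery_codes(count: int = 5, nbytes: int = 8) -> List[str]:
    """Return `count` random codes, shown to the user exactly once.

    16 hex characters give 64 bits of entropy per code, far beyond what an
    online guess against a rate-limited login form could ever exhaust.
    """
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(nbytes).upper()
        codes.append("-".join(raw[i:i + 4] for i in range(0, len(raw), 4)))
    return codes


def store_hashes(codes: List[str]) -> Dict[str, bool]:
    """What actually goes in the database: digest -> still-unused flag."""
    return {_digest(c): True for c in codes}


def redeem(store: Dict[str, bool], submitted: str) -> bool:
    """Accept a recovery code at most once.

    Every stored digest is compared in constant time, and the first match is
    flagged as spent so the same code can never log in twice.
    """
    candidate = _digest(submitted)
    for stored, unused in store.items():
        if unused and hmac.compare_digest(stored, candidate):
            store[stored] = False   # burn it
            return True
    return False


def unused_count(store: Dict[str, bool]) -> int:
    """How many codes the user has left; warn them when this gets low."""
    return sum(1 for unused in store.values() if unused)


if __name__ == "__main__":
    # Constructed demo: issue codes, persist only hashes, use one twice.
    codes = generate_recovery_codes()
    print("show these to the user once:", codes)
    db = store_hashes(codes)
    print("first use:", redeem(db, codes[0]), "second use:", redeem(db, codes[0]))
    print("codes remaining:", unused_count(db))
```

The same logic is why it matters that users keep their codes somewhere separate from the phone: the server cannot give them back, because it never had them in a recoverable form.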

Step 5: Test the 2FA Setup

  1. Keep Your Current Session Open
    • Open a private/incognito window or a different browser for the test, so that if something is misconfigured you still have a logged-in admin session to fix it with.
  2. Attempt to Log In
    • Navigate to your WordPress login page in the private window and enter your username and password.
  3. Enter the 2FA Code
    • After entering your username and password, you will be prompted to enter the 6-digit code from your authenticator app. Leave the “Remember for 30 days” box unticked on any shared or untrusted machine.
  4. Successful Login
    • If everything is set up correctly, the correct code grants you access to the dashboard, and a wrong or expired code is refused. If valid codes are consistently rejected, check the server’s clock: the codes are computed from the current time, so a server that is more than a minute or so out will reject them.
  5. Check a Required Role
    • Repeat the test with a non-admin account in a role you marked as Required, to confirm that it is forced to enrol rather than merely offered the option.