2FA for WordPress websites

29.10.2024
BenB

2FA is a pain in the arse.

You were all thinking it, and I was as well. But it’s more of a pain when your site gets hacked, so like almost all security, it’s one of those things you just have to do to avoid pain in the future.

Anyways – if you aren’t getting your web team to do it – then here’s a handy guide to doing it yourself.


Step 1: Choose a 2FA Plugin

While there are several plugins available for implementing 2FA on WordPress, some of the most popular and reliable ones include:

  1. Wordfence Security: Offers comprehensive security features, including 2FA.
  2. Google Authenticator – Two Factor Authentication (by Henrik Schack): Simple and effective.
  3. Two Factor Authentication (by David Anderson): Developed by the authors of popular plugins like iThemes Security and WP Security Audit Log.
  4. Duo Two-Factor Authentication: Enterprise-level security features.
  5. Authy – Two Factor Authentication: User-friendly with multiple device support.

For this guide, we’ll use Wordfence Security due to its robust feature set and ease of use.


Step 2: Install and Activate the Wordfence Security Plugin

  1. Log in to Your WordPress Admin Dashboard
    • Navigate to https://yourwebsite.com/wp-admin and log in with your administrator credentials.
  2. Navigate to the Plugins Section
    • From the left-hand menu, click on Plugins > Add New.
  3. Search for Wordfence Security
    • In the search bar, type “Wordfence Security”.
    • Locate the plugin developed by Wordfence.
  4. Install the Plugin
    • Click the Install Now button next to the Wordfence Security plugin.
  5. Activate the Plugin
    • Once installed, the Install Now button will change to Activate. Click it to activate the plugin.

Step 3: Configure Wordfence Security

  1. Initial Setup
    • Upon activation, you might be prompted to start the setup wizard. Follow the on-screen instructions to configure basic settings.
  2. Access Wordfence Settings
    • From the left-hand menu, click on Wordfence > Login Security.
  3. Enable Two-Factor Authentication
    • In the Login Security section, look for the Two-Factor Authentication option.
    • Toggle the switch to Enable.
  4. Choose the Authentication Method
    • Wordfence offers several 2FA methods, including:
      • Email-Based Authentication: Sends a code to the user’s email.
      • Authentication App: Use apps like Google Authenticator, Authy, or Duo.
      • U2F/WebAuthn: Use hardware keys like YubiKey.
    • For most users, Authentication App is recommended for its balance of security and convenience.
  5. Set Up Authentication App
    • Download an Authenticator App: If you haven’t already, install an authenticator app on your smartphone, such as Google Authenticator, Authy, or Duo.
    • Scan the QR Code:
      • In the Wordfence settings, click Enable next to the Authentication App option.
      • A QR code will appear. Open your authenticator app, choose to add a new account, and scan the QR code.
    • Enter the Verification Code:
      • After scanning, the authenticator app will generate a 6-digit code.
      • Enter this code into the Wordfence setup to verify the connection.
  6. Enforce 2FA for Users
    • Decide which user roles should be required to use 2FA. It’s recommended to enforce 2FA for all users with login access, especially administrators.
    • In the Login Security settings, under Two-Factor Authentication, specify the roles that must use 2FA.

Step 4: Enroll Users in 2FA

  1. User Login
    • Each user with a role that requires 2FA will need to set it up upon their next login.
  2. Prompt to Set Up 2FA
    • Upon logging in, users will be prompted to set up 2FA if they haven’t already.
    • They should follow the on-screen instructions to link their authenticator app.
  3. Backup Codes
    • Encourage users to generate and securely store backup codes. These codes can be used to access their accounts if they lose access to their authenticator device.

Step 5: Test the 2FA Setup

  1. Log Out of WordPress
    • Click on your profile picture in the top-right corner and select Log Out.
  2. Attempt to Log In Again
    • Navigate to your WordPress login page and enter your credentials.
  3. Enter the 2FA Code
    • After entering your username and password, you will be prompted to enter the 2FA code from your authenticator app.
  4. Successful Login
    • If everything is set up correctly, entering the correct 2FA code should grant you access to the dashboard.