How to activate two factor authentication (2fa) for WordPress admin

Here’s a fun little fact. In 2021: out of the reported 3.57 million skydives made, only 721 had to use their reserve parachute. In other words, the odds of a skydiver needing to use their reserve parachute are approximately 1 in 5,000.

Now, what if I was to tell you “Hey, just jump without your reserve?” Would you do it? I think the answer will be a resounding “No!” quite soundly. Why is that?

Disaster only needs to strike once and all is lost. Now I say all this because your WordPress website’s security rests on a similar balance.

“Almost 13000 WordPress sites are hacked daily!”

So it goes without saying that the risks are high. Cyber threats are ever-evolving, and hackers are constantly finding new ways to breach online defenses.

For WordPress admins, safeguarding the admin area is crucial to prevent unauthorized access, data breaches, and potential damage to your site’s reputation.

A very easy solution to this security headache is two factor authentication (2fa). In this article we’ll dive deeper into what 2FA is, why it’s essential for your WordPress site, and how you can easily set it up to fortify your digital fortress.

Table of Contents
    Add a header to begin generating the table of contents

    What is Two Factor Authentication for WordPress admin?

    Two-factor authentication (2FA) is a security measure that requires two forms of identification to log in. The first is something you know, like your password. The second is something you have, such as a code sent to your phone or generated by an app.

    Two Factor Authentication for WordPress

    When you log in to your WordPress admin area, you enter your password first. Then, you’re asked for the second form of ID. This extra step ensures that even if someone steals your password, they can’t access your site without the second factor, making your WordPress admin area much more secure.

    Why Use Two-Factor Authentication for WordPress Admin?

    Because two factor authentication is the reserve parachute for your WordPress admin. If a malicious third party manages to crack your user credentials then wordpress admin two factor authentication will stand as that impregnable wall that they just won’t be able to go through or scale. If you’re still not sold here are some key reasons to use 2FA for your WordPress admin:

    Increased Security: This is the biggest benefit. As I’ve already mentioned, 2FA adds an extra layer of protection by requiring a second piece of information besides your password to login. This makes it much harder for attackers to gain access to your site, even if they steal your password through phishing or other means.

    Stops Brute-Force Attacks: Brute-force attacks involve attackers trying to guess your password by trying many different combinations. 2FA makes these attacks essentially useless because the attacker would also need your second factor, such as a code from your phone.

    Protects Against Weak Passwords: We all know it’s important to use strong passwords, but sometimes we fall short. We’re talking to you “password123” users! 2FA helps mitigate the risk of these weak passwords. Even if someone has a weak password, they still won’t be able to access your site without the second factor.

    Easy to Implement: There are many free and easy-to-use plugins available that allow you to enable 2FA on your WordPress site. Setting it up typically takes just a few minutes.

    Peace of Mind: Knowing that your WordPress admin is protected with 2FA gives you peace of mind. You can relax knowing that it’s much more difficult for your site to be hacked.

    In short, WordPress admin 2 factor authentication makes your WordPress account area much harder to hack, protecting your site and its valuable data

    How to Set Up Two-Factor Authentication in WordPress

    Setting up two-factor authentication (2FA) for your WordPress admin area is a straightforward process. Here’s a step-by-step guide to help you secure your site:

    Choose a 2FA Plugin

    First, you need to select a 2FA plugin. Some popular options are:

    These plugins are available in the WordPress plugin repository. For this guide, we’ll use the Google Authenticator app as an example.

    Install and Activate the Plugin

    • Log in to your WordPress admin dashboard.
    • Navigate to Plugins > Add New.
    • Search for “Wordfence”.
    • Click “Install Now” on the Wordfence plugin.
    • After installation, click “Activate“.
    Wordfence plugin install for 2fa

    Configure the Plugin

    • Go to Wordfence > Login security.
    • Scan the QR code with your authenticator app (Google Authenticator, Authy, etc.) on your smartphone.
    • Open the authenticator app on your smartphone.
    • Tap the “+” icon to add a new account.
    • Select “Scan a QR code” and use your phone’s camera to scan the QR code displayed in your WordPress settings.
    scan qr code with any authenticator app

    Set Up the Authenticator App

    • The app will generate a six-digit code.
    • Input the code here and click on activate
    enter the code from authenticator app and active

    Download Backup Codes

    As soon as you activate the 2FA, it will provide you a option to download the backup codes. 

    • Store these codes in a safe place.
    • These codes can be used if you lose access to your authenticator app.
    Download 2FA backup or recovery codes

    2FA Activation based on WordPress user Role

    • Navigate to settings 
    • Select Required / Optional / Disabled 2FA for roles 
    • Save the settings
    two factor authentication based on user role

    Testing the Setup

    • Log out of your WordPress admin area.
    • Log back in using your username and password.
    • You will now be prompted to enter the six-digit code from your authenticator app.
    • Enter the code and click “Log In”.
    Enter authentication code

    Enhance Security with Custom Login URL (Optional)

    While WordPress provides a secure login system, you can add an extra layer of protection by changing the default login URL (/wp-login.php). This makes it harder for automated bots to discover your login page. Here’s how to achieve this using WP Adminify’s URL Redirection functionality:

    What WP Adminify Offers:

    New Login URL:

    • Set a custom login URL (e.g., /secure-login) to replace the default /wp-admin or /wp-login.php.
    • This prevents direct access to the default login page.

    Redirect Admin:

    • Redirect users who try to access the standard admin URLs (/wp-admin or /wp-admin/) to a custom page (Could be a 404 error page).

    New Register URL (Optional):

    If you want to customize the user registration process, you can create a unique registration page. WP Adminify doesn’t directly control user registration, but you can combine it with other plugins to achieve this (e.g., Membership plugins with “Anyone can register” enabled). Then, set a custom URL for your registration page using WP Adminify.

    Change WordPress login url to enhance security besides 2fa

    Login Redirect:

    • Define where logged-in users with specific roles or usernames get redirected after logging in.

    Logout Redirect:

    • Control where users are sent after logging out, depending on their roles or usernames.
    User role based login and log out redirection

    Recommendation

    Since you’re already down the rabbit hole of security, there’s an extra level beyond 2FA you can go to ensure ultimate protection. This one’s a bit subtle so bear with us.

    How can a robber rob a safe if the safe doesn’t look like a safe? Think of cheesy money heist movies. The safes are always hidden in plain sight: behind a painting, or behind a bookshelf. What do we learn from this? You can’t steal from or break into something you can’t see.

    In terms of WordPress login pages, they are pretty easy to spot. They stick out like a sore thumb. What if we could change that?

    Well with Loginfy, you can.

    Loginfy is a WordPress plugin that lets you completely customize the look of your login page so that it doesn’t look like a typical WordPress login page. Hackers and malicious third parties will usually ignore custom-looking login pages because they are harder to break into. Loginfy lets you:

    • Change logos, backgrounds, forms, and buttons for a perfect design.
    • Live preview ensures a flawless login page before publishing.
    • Extensive color & typography options for perfect brand alignment.
    • Advanced features like custom CSS & Javascript for unique login pages.
    • Improve security & user experience with options to hide features.
    WordPress login page templates by WP Adminify

    Common Issues and How to Solve Them

    Implementing two-factor authentication (2FA) in WordPress significantly enhances security, but users may encounter some common issues. Here’s how to solve them:

    How do I disable 2FA for WordPress?

    • Log in to your WordPress admin dashboard.
    • Go to Wordfence >Login Security (or your chosen plugin).
    • You will get a button called “Deactivate” inside “Two-Factor Authentication”.
    • Just click on this button and confirm deactivation.
    Deactivate 2FA settings in WordPress login

    How do I reset my 2FA on WordPress?

    • Log in using a backup code if you have one.
    • Go to Settings > Google Authenticator (or your chosen plugin).
    • Scan a new QR code with your new authenticator app.

    If you don’t have a backup code, you may need to contact your site administrator for assistance or use any recovery options provided by your plugin.

    How to disable the two factor authentication from single user?

    • Log in to your WordPress admin dashboard.
    • Go to Users > All Users.
    • Click on the username of the account for which you want to disable 2FA.
    • Scroll down to the 2FA settings section.
    • Uncheck the box to disable 2FA for that user.
    • Save the settings.
    Wordfence Login security for user

    Other Possible Issues

    Synchronization Problems

    Scenario: The codes generated by your authenticator app are not working.

    Solution: Ensure your device’s time settings are correct and synchronized.

    Open your authenticator app and synchronize the time (if the app has this feature).

    Log in to your WordPress admin dashboard and try entering the code again.

    Forgotten Backup Codes

    Scenario: You’ve lost your backup codes and can’t access your site.

    Solution: Check if your 2FA plugin provides an alternative recovery method (e.g., email recovery).

    Contact your site administrator or hosting provider for help resetting your 2FA.

    Once you regain access, generate new backup codes and store them securely.

    Final Thoughts

    Implementing two-factor authentication for your WordPress admin area is a crucial step in fortifying your website’s security.

    This simple yet powerful tool significantly reduces the risk of unauthorized access, even if your password is compromised.

    While you may encounter minor setup challenges, the enhanced protection and peace of mind are well worth the effort.

    As cyber threats continue to evolve, 2FA stands as an essential safeguard for your digital assets. Don’t leave your WordPress site vulnerable. Thoroughly go through this guide, activate 2FA today, and take control of your website’s security.

     

    Avatar of Roy Jemee

    Roy Jemee

    Jemee is a dedicated content creator, video producer, and Support specialist for WP Adminify plugin users. With a passion for keeping the community informed, Jemee shares valuable insights through blog posts and engaging videos. Need assistance? Jemee is here to help you solve any WordPress-related challenges!

    WP Adminify V.4.0 is almost here. Fancy a Sneak Peek?