Imagine the scenario: you try to access your WordPress dashboard, and realize that you’re completely locked out. Even worse, someone else has access to all of your content and data. At this point, they could wreak havoc across your entire website.
Security is a huge concern for many WordPress users, and with good reason. No one wants to lose their website just because someone managed to steal or even guess their password.
That’s where two-factor authentication comes in. This is an additional security check that a potential hacker will need to pass before they can access your WordPress dashboard.
In this post, I’ll show you how to add this extra layer of protection to your website using a free plugin. We’ll also implement a failsafe, just in case something goes wrong and you cannot complete your two-factor authentication check.
Everything You Need to Know About Two-Factor Authentication
Sometimes referred to as multi-factor authentication, two-factor authentication is a hugely popular security mechanism. With two-factor authentication in place, you’ll need to enter the correct username and password and then pass an additional security check before accessing your account.
This extra security check can take many forms. For example, WordPress may ask you to enter a one-time PIN or password that it sends to your email address. Alternatively, you might need to enter a verification code that’s sent to your personal smartphone via SMS.
Some of the biggest tech companies in the world rely on two-factor authentication to keep their users safe. In fact, Microsoft has gone on record to state that two-factor authentication blocks over 99.9% of account compromise attacks. If it’s good enough for the tech giants, then two-factor authentication clearly has a lot to offer your WordPress website.
How to Add Two-Factor Authentication to WordPress
On planet WordPress, there’s pretty much a plugin for everything, and two-factor authentication is no exception. In this tutorial, we’ll be securing your website using the Two-Factor plugin.
After installing and activating this plugin, navigate to Users > Profile. You can then scroll to the Two-Factor Options section.
The Two-Factor plugin supports a few different authentication methods. For example, you might choose to prove your identity via email, or by entering a time-based one-time password (TOTP).
You can even configure multiple authentication methods. This can ensure you don’t permanently lose access to your website, just because you break your smartphone or forget the password to your email account.
If you do configure multiple methods, then you can nominate a primary authentication process. WordPress will always ask you to authenticate via this method, before defaulting to any alternatives.
Once you have the Two-Factor plugin set up, let’s take a closer look at your authentication options!
1. Email Authentication
Whenever you try to log in to your website, the Two-Factor plugin can send an authentication code to the email address associated with your WordPress account. You’ll then input this code into the WordPress login page to access your dashboard.
There’s a chance that you may look at these settings and realize that you want to use an alternative email for your two-factor authentication—and your WordPress website in general. If this is the case, then navigate to Users > All Users. You can then hover over your username and select the Edit link when it appears.
Now, scroll to the Contact Info section, and enter the new email address that you want to associate with your WordPress account.
Don’t forget to save your changes by clicking Update Profile. WordPress will now verify this address by sending you a test email. Once you’ve received this message and clicked on its URL, WordPress will link this address to your account. You can now use this account as part of your two-factor authentication.
If you do make this change, then navigate back to the plugin's settings (Users > Profile). On this screen, select the Enabled button that appears alongside Email. If you’re configuring multiple methods, then you’ll also need to specify whether email is your primary authentication process.
To save your changes, click Update Profile. Now, whenever you try to log in to the dashboard, WordPress will send an email to the address associated with your account.
This message will contain a verification code that you’ll need to enter in the WordPress dashboard to gain access to your account.
2. TOTP (Time-Based One-Time Password) Authentication
A TOTP is a string of letters and digits that changes automatically after a certain amount of time has elapsed.
The Two-Factor plugin can generate this code in cooperation with an authenticator app that you install on your smartphone or tablet. If a malicious third party wanted to hack into your account, then they’d need to enter your WordPress username and password—and then authenticate their identity using your personal smartphone or tablet. Immediately, this makes it much more difficult to break into your website.
To use TOTP as your authentication method, you’ll need to first install an authenticator app on your mobile device. Some popular options include Microsoft Authenticator and the Google Authenticator app.
Once you have an authenticator app set up on your smartphone or tablet, find Time-Based One-Time Password (TOTP) in the WordPress dashboard. Then, select its accompanying Enabled icon. WordPress will now generate a QR code.
Grab your mobile device and scan this QR code using its built-in camera. After a few moments, a popup should appear on your smartphone or tablet, prompting you to launch your chosen authenticator app.
Now, tap on Open to launch your authenticator app. The next steps may vary depending on the application in question and how authentication is set up on your mobile device. For example, if you’re using the Microsoft Authentication app, then you’ll need to tap Unlock.
You’ll then need to complete your standard device's authentication process, for example by entering your lockscreen PIN or performing touch ID. Once you’ve confirmed your identity, the Authenticator app will display a time-sensitive code.
Switch back to your WordPress dashboard, and enter this code into the Authentication Code section:
Click on Submit, and the Two-Factor plugin will set a secret key. Note that this key isn’t permanent. If you ever need to link WordPress to an alternative device, then simply navigate back to this screen, and rescan the QR code. This will generate a fresh key, which you can use to connect the Two-Factor plugin to your new device.
Assuming that the authentication is a success, double-check that you’ve selected the Enabled radio button that appears alongside the Time Based One-Time Password (TOTP) section. Then, click on Update Profile.
Now, whenever you try to log in to your account, WordPress will ask you to input a one-time code that’s generated by the authenticator app on your mobile device.
3. FIDO U2F Security Keys
A FIDO U2F Security Key is a water-resistant USB authentication key that you can purchase online. This key authenticates your account using standard public key cryptography techniques.
If you opt to use a Security Key, then two-factor authentication looks a little different. Instead of entering a PIN or password, you’ll plug the registered key into your device. Then, you simply need to press a button on your FIDO U2F Security Key, and WordPress will verify that this USB contains the correct public key.
You might use a Security Key if you’re concerned that hackers could bypass other two-factor authentication methods. For example, if a malicious third party managed to break into your email account, then they could potentially pass your email-based two-factor authentication.
If you want to use this unusual authentication method, then you’ll first need to register a new key. In the Users > Profile page, scroll to the Security Keys section.
Here, select Register New Keys. The Two-Factor plugin will now scan for any available keys. This is your cue to insert the FIDO U2F Security Key into your device, and hold down its button.
Once you’ve successfully paired the USB authentication key with your WordPress account, scroll to the FIDO U2F Security Keys section, and select its accompanying Enabled button. If you’re using multiple authentication methods, then decide whether to make this your Primary two-factor authentication process.
Next, click Update Profile. Now, whenever you attempt to log in to your account, WordPress will prompt you to plug the registered USB stick into your device.
How to Create a Backup Verification Code
Two-factor authentication makes it more difficult for hackers to break into your website. However, it can also make it more difficult for you to access your site.
There are many legitimate reasons why you might struggle to perform two-factor authentication. Perhaps you’ve lost or broken your smartphone, or someone hacks into your email account and then promptly changes the password, locking you out forever—and making it impossible to pass your two-factor authentication check.
Thankfully, the Two-Factor plugin does have a failsafe, in the form of ten one-time backup verification codes.
If you’re ever struggling to access your account, then you can input any unused code and recover your account. You can then navigate straight to the Users > Profile screen and update your two-factor authentication settings. For example, you might generate a fresh QR code and link your WordPress account to a new smartphone or tablet.
To ensure you have this safety net in place, select the Generate Verification Codes button. Two-Factor will now display a grand total of ten codes.
For added security, these codes will vanish as soon as you navigate away from this page. This is your only chance to make a note of these codes, so make sure you stash them somewhere safe.
How to Log in Without a Backup Verification Code
If you’re locked out of your account without access to a backup verification code, don’t panic! All is not lost. You may be able to recover your account by deactivating all of your plugins.
Once the Two-Factor plugin is out of action, you should have no problems logging in to your dashboard using just your password and username. Deactivating every single WordPress plugin is a drastic move that may temporarily break your website, or render it completely inaccessible to visitors. However, it may be the only way to recover a locked account.
If you really have no other choice, then you can connect to your site using a File Transfer Protocol (FTP) client such as FileZilla. In this client, navigate to your site’s wp-content folder.
Find the plugins directory, and right-click it. You can then select Rename.
Give this directory the name plugins.deactivate. This will immediately disable all of the plugins across your website. You should now be able to log in to your dashboard without performing two-factor authentication.
Once you’ve successfully accessed your account, switch back to FileZilla and rename the plugins.deactivate folder to plugins. In the WordPress dashboard, navigate to Plugins > Installed Plugins and then reactivate all of your plugins.
You can now reimplement your two-factor authentication. To ensure you never get into this situation again, take this opportunity to generate a few backup verification codes, and store them somewhere safe.
In this post, I showed you how to protect your WordPress website using two-factor authentication. By adding this extra security check, you can make life significantly more difficult for hackers.
If you do decide to implement two-factor authentication, then it’s vital that you generate backup verification codes and store them somewhere safe. Although there are workarounds that can help you recover a locked website, these are much more difficult than simply entering a verification code!
Subscribe below and we’ll send you a weekly email summary of all new Web Design tutorials. Never miss out on learning about the next big thing.Update me weekly