Securing access to the WordPress administration is a fundamental step in keeping your content management system safe from unauthorized access. One effective way to do this is to add a second verification step to the login. With two-factor authentication, an attacker who has obtained the correct username and password, whether by guessing, phishing, or a leaked database, still cannot log in without the second factor. Let’s take a look at how to set up two-factor authentication.
Installation of the WP 2FA Plugin – Two-factor authentication for WordPress
Two-factor authentication for the WordPress administration can be set up easily with the free WP 2FA – Two-factor authentication for WordPress plugin. Follow these steps to install it:
- In the left menu of the WordPress administration, click on “Plugins”.
- Then click on the “Add New” button.
- In the search field in the top right corner, type “wp 2fa”.
- Find the plugin and click on the “Install Now” button.
- Once the plugin is installed, activate it.
Setting up the plugin for two-factor authentication
Once you have installed and activated the plugin, you will see the plugin’s welcome screen. Click on the “LET’S GET STARTED” button on this screen.
The plugin will now ask which method it should use for the second step when someone logs in to the administration. Select One-time code via 2FA App (TOTP). A TOTP code is computed by an authenticator app on your phone from a secret shared with the site and the current time, so it never travels over e-mail or SMS and works without a network connection. Prefer it over any option that delivers the code by e-mail, which is only as strong as the mailbox that receives it. Then click on “Continue setup”.
In the next step, the plugin asks whether you want to enable an alternative login method using so-called backup codes. Leave this option enabled: if you lose the device that generates your codes, a backup code is your way back into the administration. Again, click on the “Continue setup” button.
The plugin will now ask for which users two-factor authentication should be enforced. For the security of your website, set the option to “All users”, so that no single unprotected account can become the way in.
In the next step, the plugin will ask you if you want to exclude any users or user roles from two-factor authentication. To ensure that everyone has to use two-factor authentication for login, leave both fields empty.
By clicking on the “Continue setup” button, you will be taken to a page where you can decide when users will need to start using two-factor authentication.
You can require it immediately (Users have to configure 2FA straight away) or give them a grace period, for example 3 days, to get set up (Give users a grace period to configure 2FA). Keep the grace period short: until it expires, those accounts are still protected by a password alone.
You can now click on the “ALL DONE” button.
Setting up your mobile device for two-factor authentication
Once you complete the two-factor authentication setup wizard, the plugin will show you a QR code. The authenticator app on your phone reads the shared secret from this code, and it is that secret which lets the app compute valid login codes. Treat the QR code as you would a password: anyone who photographs or screenshots it can generate exactly the same codes you can.
Leave the QR code open until you have scanned it with the app in the next step. If you do keep a copy, store it as carefully as the backup codes described below, never in a shared folder, chat, or e-mail.
Mobile Application for Two-Factor Authentication
Now install an application on your mobile device that will generate the two-factor codes. I can recommend the Google Authenticator app, which you can download from Google Play for Android devices and from the App Store for Apple devices; any app that implements standard TOTP will work the same way. Once the app is installed, launch it. In the app, tap the + button and select “Scan QR code”. Point your mobile device’s camera at the computer screen and scan the QR code generated by the plugin.
The app reads the QR code and immediately starts showing a six-digit code that changes every 30 seconds. Back in the plugin settings, click on the “I’M READY” button. You will be prompted to enter the six digits currently displayed in your authenticator app. Then click on the “Validate & save” button. If the code is rejected, check that the phone’s clock is set correctly, since the code depends on the current time.
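For readers who want to see what the app is actually doing when it turns that QR code into a six-digit code, here is an added Python example. It is not part of the original article and not the WP 2FA plugin’s own code. It assumes the QR code carries a standard otpauth://totp/ URI, the format Google Authenticator and compatible apps scan, and uses a constructed sample URI whose secret is the RFC 4226 / RFC 6238 test key, so the codes it produces can be checked against the published test vectors. The verification function shows the two server-side checks a practitioner cares about: a small clock-skew window, and refusal to accept a code for a time step that has already been used.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the secret is the RFC 4226 / RFC 6238 test key
# "12345678901234567890" in base32, so the codes below can be checked against
# the published test vectors. The label and issuer are made up.
SECRET = b"12345678901234567890"
SAMPLE_URI = ("otpauth://totp/Example%20Site:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=Example%20Site&digits=6&period=30")


def parse_otpauth(uri):
    """Decode the otpauth://totp/ URI that an authenticator app reads out of the QR code."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    b32 = params["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)          # QR payloads usually omit base32 padding
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with the counter set to the number of `period`-second steps since the epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // period, digits, algorithm)


def verify_totp(secret, code, at_time=None, *, period=30, digits=6, algorithm="sha1",
                window=1, last_used=-1):
    """Server-side check. Returns the time step that matched, or None.

    `window` tolerates the phone's clock being up to `window` steps off either way.
    `last_used` is the last step the server already accepted for this user; a match
    at or below it is refused, so a code captured in transit cannot be replayed
    inside the window. Every candidate is compared in constant time and the loop
    never exits early, so timing does not reveal which step matched.
    """
    if at_time is None:
        at_time = time.time()
    step_now = int(at_time) // period
    submitted = code.strip().replace(" ", "")
    if not (submitted.isascii() and submitted.isdigit()):
        return None
    matched = None
    for delta in range(-window, window + 1):
        step = step_now + delta
        if step < 0:
            continue
        if hmac.compare_digest(hotp(secret, step, digits, algorithm), submitted) and step > last_used:
            matched = step
    return matched


if __name__ == "__main__":
    cfg = parse_otpauth(SAMPLE_URI)
    code = totp(cfg["secret"], period=cfg["period"], digits=cfg["digits"])
    print("account:", cfg["label"], "current code:", code)
    print("accepted at step:", verify_totp(cfg["secret"], code))
```

Run it and compare the output of `totp(SECRET, 59)` with the RFC 6238 table: the six-digit code for the test key at that instant is 287082. The `last_used` bookkeeping is what a server must persist per user; without it, an attacker who shoulder-surfs or intercepts one code has up to the full window to reuse it.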
The last step to complete the installation properly is to generate backup codes. Click on the “Generate list of backup codes” button.
The plugin will now generate a set of backup codes for you. Each one lets you into the administration when you don’t have access to your two-factor device, which also means each one is worth as much as your password and second factor combined. Save them somewhere you control, for example in a password manager or printed and kept in a safe place, and not in a public or shared cloud folder where they could be misused. Treat every code as single-use.
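To make the handling advice above concrete, here is an added Python example of how a site should issue and check backup codes. It is a generic illustration, not the WP 2FA plugin’s implementation, and its parameters (a 32-symbol alphabet without look-alike characters, ten symbols per code, PBKDF2 as the storage hash) are my own choices. The point it demonstrates is that the plaintext codes exist only at the moment they are shown to the user; the server keeps salted hashes, accepts each code once, and does its comparison in constant time.

```python
import hashlib
import hmac
import secrets

# Hypothetical parameters, not the WP 2FA plugin's: 32 symbols with no 0/O or 1/I,
# 10 symbols per code (32**10 = 2**50 possibilities), and a PBKDF2 work factor so
# that a stolen table of hashes is still expensive to brute-force offline.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LENGTH = 10
PBKDF2_ROUNDS = 50_000


def normalize(code):
    """Accept the code however the user typed it: any case, with or without the dash."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


def hash_code(code, salt):
    """Salted, slow hash of the normalized code; this is all the server stores."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode("utf-8"), salt, PBKDF2_ROUNDS)


def generate_backup_codes(count=10):
    """Return (codes_to_show_once, record_to_store).

    The first list is displayed to the user exactly once and then discarded.
    The record holds one salt for the set and a hash per code, each marked unused.
    """
    salt = secrets.token_bytes(16)
    shown, entries = [], []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        shown.append(f"{raw[:5]}-{raw[5:]}")
        entries.append({"hash": hash_code(raw, salt), "used": False})
    return shown, {"salt": salt, "codes": entries}


def redeem_backup_code(record, code):
    """Return True and burn the code if it matches an unused entry, otherwise False.

    One PBKDF2 computation per attempt, then a constant-time compare against every
    entry without early exit, so the response time does not reveal which slot matched.
    """
    candidate = hash_code(code, record["salt"])
    matched = None
    for entry in record["codes"]:
        if hmac.compare_digest(candidate, entry["hash"]) and not entry["used"]:
            matched = entry
    if matched is None:
        return False
    matched["used"] = True
    return True


def remaining_codes(record):
    """How many unused codes are left; a good moment to nag the user when this gets low."""
    return sum(1 for entry in record["codes"] if not entry["used"])


if __name__ == "__main__":
    shown, record = generate_backup_codes()
    print("show these once and never store them:", shown)
    print("first use:", redeem_backup_code(record, shown[0]))
    print("second use of the same code:", redeem_backup_code(record, shown[0]))
    print("codes left:", remaining_codes(record))
```

A database dump of `record` gives an attacker only salted PBKDF2 hashes of 50-bit random values, and a code that has been used once is refused thereafter, which is why a lost or leaked sheet of codes should simply be regenerated rather than agonized over.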
You can now click on “I’m ready, close the wizard”. The next time you log in to your WordPress administration, after entering your username and password you will be asked for the six-digit code from the app on your mobile device as an additional step. If you don’t have the device handy, use the “Or, use a backup code” link and enter one of your backup codes. Bear in mind that this extra step guards the interactive login form; if your site exposes other password-only ways in, such as XML-RPC, check whether the plugin covers them or restrict them separately, otherwise they remain a route around the second factor.