How to Enable Two Factor Authentication for WordPress

Updated on Nov 29, 2022

Have you noticed how popular websites such as Facebook and Google now allow you to add two-factor authentication to improve security?

You can now enable two-factor authentication on your WordPress site. This ensures the highest level of security for your WordPress site and all registered users.

In this article, we'll show you how to use Google Authenticator and an SMS text message to add two-factor authentication to WordPress.

What is WordPress 2-Factor Authentication?

Do you believe that the security of your website is dependent on a plugin?

That is only partially correct.

In reality, the majority of your site's security is up to you. You must act and set up defenses for your WordPress site.

WordPress Two-Factor Authentication is a prime example of this.

You'll understand why very soon.

WordPress Two-Factor Authentication is a security feature that adds an extra layer of security to your login page in addition to your password.

Adding WordPress 2FA makes it virtually impossible:

  • For a hacker to hijack your site, even if they have guessed your password;
  • For a bot to break into your site through the login page, even if it is trying to brute-force it.

When you enable WordPress 2FA, you will still need to log in with your username and password. However, you will require additional information to confirm that it is indeed you.

What extra information is this?

Usually, this is:

  • An OTP sent to a device that only you would have access to;
  • A time-based OTP sent via email;
  • An additional password or PIN;
  • A security question that you would set at the time of installation (NOT RECOMMENDED);

The real reason why you should use WordPress Two-Factor Authentication is that the password you use can be hacked in a million different ways. In fact, password hacking is estimated to rise even further and cost the world $6 trillion annually by 2021.

Let us ask you again: How soundly do you sleep at night?

Reality Check: It’s easier than you think to steal your password. Most of your team and users also use very weak passwords that are easy to guess for a hacker with a brute force algorithm and rainbow tables (more on this soon).

Installing 2FA on your site is not a substitute for a strong password. You should still create a really strong password to protect your site.

Let's help you set up WordPress Two-Factor Authentication for your site now that you understand what it is and how it works.

Just keep going with the next bit.

How to Install WordPress Two-Factor Authentication?

WordPress Two-Factor Authentication can only be installed via a third-party plugin. The standard WordPress installation does NOT include 2FA protection for your login page. A login limiter is the most you can get from a Softaculous installation.

Even so, it's not a great option for a standard WordPress installation.

A security plugin is the best way to install WordPress 2FA on your site.

There are two approaches to this:

  • Install a full security suite that comes with powerful security features
  • Use a specialized plugin that only installs WordPress 2FA

We’re going to explore both options.

WordPress 2FA Plugins

There are numerous WordPress Two-Factor Authentication plugins available. The majority of these only do one thing well. On the surface, this appears to be a reasonable proposition.

However, this is not the case.

WordPress 2FA plugins only add one layer of security to your site.

Naturally, if you already have a plugin for:

  • Malware scanning;
  • Malware cleaning;
  • WordPress hardening;

and all you want is WordPress two-factor authentication, then by all means, install a separate plugin.

You could also start using MalCare right away and avoid having to install six different plugins.

That being said, here is our list of the top 5 WordPress plugins for login security and two-factor authentication that you can rely on:

MalCare

This option has already been discussed in this article.

To be honest, listing MalCare alongside other WordPress two-factor authentication plugins seems a little unfair.

In reality, MalCare is a comprehensive WordPress security suite.

If you are new to WordPress security and want a simple solution you can rely on, we highly recommend MalCare.

“We aim to make WordPress easy to use so that our customers can focus on what really matters – their business. The philosophy behind MalCare is to provide simple, one-click security for ALL WordPress site owners. We do it by constantly developing better and more reliable security measures for your site.” – Akshat Choudhary, CEO of MalCare

Two-Factor

Two-Factor is a useful free plugin that does the job. The 2FA settings on your WordPress user profile page are simple and easy to use. You may:

  • Get an OTP via email
  • Get an OTP using Google Authenticator

You can also generate a backup code in case you are unable to log in with the second factor.

The only disadvantage is that there is no global setting in Two-Factor. As the administrator, you would have to enable 2FA for each user individually.

WP 2FA

WP 2FA is another free plugin for enabling two-factor authentication in WordPress. Our friends at WPWhiteSecurity created WP 2FA. WPWhiteSecurity, by the way, is MalCare-protected.

This is one of the most straightforward two-factor authentication plugins ever created.

A special emphasis is placed on making the user experience as simple as possible. As a result, a setup wizard is provided to guide each user through the process of enabling two-factor authentication for their accounts. There is no requirement for ANY technical knowledge (just like MalCare).

You can choose from a variety of OTP options, and you can make 2FA mandatory for all users from the admin account.

If you end up installing this one, I have no complaints.

Google Authenticator

We first used Google Authenticator as a 2FA plugin.

This plugin is also free, and it is the most basic and straightforward 2FA WordPress plugin. Visit your profile page after installing the plugin and enable the Google Authenticator Settings. Then, using the Google Authenticator app on your smartphone, scan the QR code that appears.

There are several reasons why you should not use this one.

For starters, it is only compatible with Google Authenticator and no other authentication app.

This plugin, too, lacks global settings. As a result, you will have to manually configure 2FA for all of your users.

There are also no backup codes. If you misplace your smartphone, you must manually delete the plugin using FTP or SSH.

Final Thoughts

Now that you know what WordPress Two-Factor Authentication is and how to configure it on your site, you need to recognize that it is insufficient.

Don't rely solely on a 2FA plugin and think your site is secure. It isn't. Use a malware scanner to keep an eye out for malware on your website. Install a reliable malware cleaner so that you can clean your site immediately if it becomes infected.

Yes, a good firewall is required to protect your login page. Most importantly, you should strengthen your security measures with WordPress security hardening plugins.

Hackers profit from your ignorance. The majority of hacks occur simply because WordPress users do not take the time to understand the threats they face on a daily basis.

We hope you find this article useful.