Add Two-Factor Authentication to WordPress

Internet privacy is finally at a point where the general public is starting to take the security of their online accounts seriously. Not only are most people beginning to understand the importance of a strong, unique password, many are also protecting online accounts with two-factor authentication. For this reason, plugin developers have made it easier than ever to add two-factor authentication to WordPress.

If you’re not already protecting your website with 2FA, now is the time. In the sections ahead, you’ll learn how to enable two-factor authentication for WordPress. But first, it’s important to understand why you should protect your website even if you’re not allowing visitors to register their own accounts.

Why should I enable two-factor authentication for WordPress?

Two-factor authentication – or 2FA for short – adds a second step to the standard sign in process. This is true whether the website you’re accessing is built on WordPress or not. When applied to all of your WordPress admin accounts, this second step makes your website much harder to hack.

Instead of signing a visitor in after they’ve supplied a matching password, a website protected with 2FA will ask users to verify their identity before granting account access. In some cases, that visitor will receive a text message containing a short code at a known number. The user would then need to confirm the code to finish signing in. Alternatively, the visitor can complete this step by interacting with an authenticator app that they’ve previously connected to their account.

Two-Step Verification

The advantage to this extra step is that an account is not immediately compromised even if its password is stolen. Password leaks happen all the time, but with 2FA, a password is not enough. A hacker would need to complete that second sign in step after supplying a correct password just as the actual account owner would. And as you might have guessed, that’s much harder for a hacker to do.

To better protect your website, you should add two-factor authentication to all WordPress admin accounts at the very least. But protecting your admin accounts may not be enough if you allow visitors to register accounts with the subscriber role. This is especially true if you collect payment information or other types of sensitive data from your WordPress website. In that case, you should make two-factor authentication available to all of your website’s users.

Enable WordPress Two-Factor Authentication Over SMS

While two-factor authentication over SMS (or text message) is inferior to 2FA over an app, it’s better than nothing. Fair warning: the initial setup process will be more involved for you – the admin – if you choose to add SMS two-factor authentication to WordPress.

With that said, many users prefer 2FA over SMS simply because the sign in process doesn’t require a separate mobile or desktop app. If you can receive a text message at your number, you’re good to go.

Install and Activate the Two-Factor Plugin

Two-Factor is a well-maintained WordPress plugin with tens of thousands of active installs. It supports 2FA over a variety of protocols, but with the right companion plugin, it’s one of only a few to support it over SMS.

Two Factor in Plugin Repository

Two-Factor is free from the plugin repository and is developed by a team who calls themselves Plugin Contributors. Again, it takes a little extra effort to add two-factor authentication to WordPress using this approach, and before you continue, you’ll need to install a second plugin.

Install and Activate Two-Factor SMS for WordPress

Two-Factor SMS adds text message support to the aforementioned Two-Factor plugin. Like Two-Factor by Plugin Contributors, it’s completely free, and you can find it in the plugin repository of your WordPress admin area.

WordPress Two-Factor Authentication SMS in Plugin Repository

Unfortunately, the developer hasn’t updated the plugin in several years. However, given the simple nature of the plugin and the strong support of its companion plugin, the long lapse in development is not a cause for real concern.

With both two-factor authentication WordPress plugins activated, you’re ready to proceed with setup. Next, you’ll need to register a free Twilio account.

Sign Up for a Free Twilio Account

Twilio is the go-to service for anyone who plans to send automated text messages over the web. It’s technically a paid service, but you can create an account with them for free. What’s more, if you’re only adding two-factor authentication to your WordPress admin accounts, you can probably get away without every paying for the service. You’ll receive $10 in account credit just for signing up, and that’s enough to send thousands of texts.

Twilio Homepage

After completing the sign up process, Twilio will direct you to your account dashboard. From here, you can generate a phone number for text messages and the credentials you’ll need to finish setup. Generate those credentials using the on-screen prompts then return to your WordPress admin area with this information.

Before continuing, head to the Plugins screen of your admin area and ensure that Two-Factor and Two-Factor SMS are both active. If they are, navigate to the Profile screen from the Users submenu of the WordPress admin menu.

Add Twilio Credentials to Your WordPress Profile

While logged into the admin area, the Profile screen of your account should offer several 2FA-related fields. First, locate the collection of “Two-Factor Options” fields then check the box and radio button next to “SMS (Twilio).”

Profile Two-Factor Options

Scroll down to the “Twilio” heading of your Profile screen. Enter your Twilio SID, your auth token, and both a sender number and a receiver number. Numbers should match the +########### format and must include a country code and an area code or similar. Double check all of the items you’ve provided then update your profile.

Now that you’ve successfully enabled WordPress two-factor authentication over SMS, go ahead and sign out then try to sign back in. You should be asked to confirm a randomly generated code that is sent to your phone via text message.

That message will likely include Twilio branding of some kind. The company will remove that branding if you go on to upgrade to a paid Twilio account.

Consider an Alternative to Two-Factor Authentication Over SMS

While your WordPress accounts are better protected with 2FA over SMS, this approach is not without its flaws. For starters, you must apply two-factor authentication settings one user at a time when using Two-Factor SMS and its companion plugin. This is fine if you only need to protect a single admin account or two but is less than ideal if you plan to protect visitor accounts as well.

Moreover, SMS is inherently insecure in its current state. If you become the target of an online attack for any reason, a hacker could potentially trick your phone carrier into routing text messages to his device. Sure, this requires a fair amount of effort, but if an online account has access to anything of value, why wouldn’t a hacker invest the time and energy?

Jack Dorsey SIM Swap Story New York Times

SIM swapping, as it’s known, is the method used to intercept another person’s text messages with a carrier’s help. Phone carriers are working to make this type of attack impossible, but for the time being, it’s a real risk. For this reason, two-factor authentication with an app is the better solution.

Enable WordPress Two-Factor Authentication with an App

Because 2FA with an authenticator app is superior to 2FA over SMS, the method is better supported by WordPress plugin developers. WP 2FA by WP White Security is one of the better solutions, and a built-in wizard makes quick work of the setup process.

When using an app to sign into a WordPress website protected with two-factor authentication, you and your users will need to provide a time-based one time password, or TOTP for short. Passwords of the TOTP variety are secure because they are regenerated every few seconds and require physical access to a device, and the WP 2FA plugin for WordPress fully supports them.

But before you install the required two-factor authentication WordPress plugin, you should ready an authenticator app. There are many great options to choose from.

Install an Authenticator App from Your Device

PCMag offers a decent roundup of available authenticator apps. Twilio’s Authy app is a fantastic choice since it’s free and is available for iOS, Android, and desktop. Popular alternatives include Microsoft Authenticator and Google Authenticator, both of which support WordPress two-factor authentication.

Authy App Homepage

Upon installation, the Authy app will ask for your phone number and an email address. Supply the required information and enter a confirmation code to finish the app setup process. You’re now ready to add two-factor authentication to WordPress with the WP 2FA plugin.

Install and Configure the WP 2FA Plugin

Go ahead and return to the admin area of your WordPress website if you’re not already there. You’ll need to install and activate the WP 2FA plugin to add two-factor authentication to WordPress. You can do that by downloading the plugin and manually uploading the ZIP file or by installing and activating WP 2FA from the Plugins screen of your WordPress control panel.

WP 2FA in Plugin Repository

WP 2FA should direct you to a setup wizard immediately after activation. During the first step of the wizard, you’ll choose primary WordPress 2FA methods for your website. It is best to enable the “One-time code via 2FA app (TOTP)” option and to disable the email option (HOTP) beneath it. WordPress two-factor authentication over email is notoriously insecure, but more on that later.

WordPress 2FA Setup Wizard

Continue to the second step of the wizard and you’ll be asked to select the roles to which 2FA requirements will apply. If you want to enforce two-factor authentication for all WordPress user roles (including subscribers and customers), fill the “All users” radio button. Otherwise, select “Only for specific users and roles” or “Do not enforce on any users” then continue. You’ll have an opportunity to create exceptions for specific users if you choose “All users.”

Finally, you’ll need to set a grace period for two-factor authentication enforcement. If you choose not to offer a grace period, affected users will need to enable 2FA the next time they sign into your WordPress website.

WP 2FA will ask users to set up two-factor authentication from a popup. Users can dismiss the popup, but it will return on subsequent page views until 2FA has been configured. Setting up 2FA over an app is as easy as launching Authy (or your app of choice), scanning a QR code, then confirming a short numeric code.

Review and Adjust WordPress 2FA Settings

WP 2FA makes several plugin settings available from the WP 2FA admin screen. You’ll find a link to the screen near the bottom of your admin menu as long as the plugin remains active. From this screen, you can configure the plugin if you skipped the setup wizard or adjust settings not available from the wizard.

WordPress 2FA Settings Policies

In particular, the “Backup codes” checkbox is worth a first or second look. Enabling the use of backup codes allows users to recover an account in the event that an authenticator app is lost. Alternatively, disabling the feature makes it impossible for users to sign in on their own without an app.

If you only plan to protect WordPress admin accounts with two-factor authentication, it may be in your best interest to disable backup codes entirely. When stored carelessly, a backup code negates the benefit of 2FA altogether.

If you do decide to enable backup codes, ask fellow administrators to store codes securely and separate from account passwords. Security advocates recommend printing codes out instead of storing them digitally. This way, a hacker would need physical access to a code in order to circumvent two-factor authentication protections.

Add Two-Factor Authentication to WooCommerce

As mentioned earlier, two-factor authentication is an absolute must if your website stores sensitive information. WooCommerce is one of the most popular WordPress plugins available. Millions of websites run it, and like many ecommerce plugins, it offers quick access to a customer’s recent payment methods. Therefore, if WooCommerce is running on your website, you should make 2FA available to all of your users.

While many of the best WordPress two-factor authentication plugins are free, finding one that offers deep WooCommerce support is difficult. Fortunately, CodeCanyon makes a two-factor authentication WooCommerce plugin available for a very reasonable price. It’s called WooCommerce Two-Factor Authentication and it is maintained by Italian developer vanquish.

WooCommerce Two-Factor Authentication Plugin

Check out the plugin’s CodeCanyon listing to see WooCommerce Two-Factor Authentication in action. The plugin hooks seamlessly into the existing WooCommerce sign in form and requires very little setup. The only downside? WooCommerce Two-Factor Authentication only supports 2FA over email, which is by far the least secure form of two-factor authentication available. Still, the plugin provides an additional layer of protection that is not available to your online shop’s customers by default.

Further Improve WordPress Security with SiteGround Security

The choice to add two-factor authentication to WordPress is a wise one, but why stop there? SiteGround offers an all-in-one security plugin to all WordPress webmasters completely free of charge.

SiteGround Security in Plugin Repository

SiteGround Security has quickly become one of the best security plugins available for WordPress. With it, you can enforce two-factor authentication with an app for all of your website’s administrators and editors. Likewise, you can restrict admin area access by IP address and limit the number of login attempts in order to prevent brute force attacks against your WordPress website.

In addition to login protection, SiteGround Security offers an admin activity log, advanced file protection, post-hack tools, and much more. The best part? You don’t even need to be a SiteGround customer to download and install the plugin. However, if you’re shopping for a new hosting provider, this plugin should serve as further proof that SiteGround is all in on the WordPress platform.

What about two-factor authentication over email?

As you might have noticed, very few of the above solutions rely on email for two-factor authentication. That’s because 2FA over email is inferior to other methods in one key way.

As this technical article from Twilio points out, with 2FA over email, you’re subjecting website accounts to a single point of failure: the user’s email address. Because 2FA over email sends codes via email, a hacker with access to a user’s inbox has unrestricted access to that user’s WordPress account.

With inbox access, the hacker can request a new password then immediately intercept a 2FA code after the password change. And if that inbox happens to belong to a WordPress administrator, the entire website is now at risk. But with 2FA over SMS or an app, that hacker would be stopped in his tracks after the password change.

2FA Over Email

While 2FA over email is less secure than other 2FA methods, you should enable it if it’s your only option. Regardless of how you choose to add two-factor authentication to WordPress, your website’s users are better protected for it.

Which WordPress two-factor authentication plugin is best?

If you’re not running WooCommerce and you allow visitors to create accounts with the subscriber role, WP 2FA may be your best bet. It’s free, it supports all account roles, and it offers a superior form of two-factor authentication for WordPress. You can always pair WP 2FA with SiteGround Security if you’re looking to further secure your WordPress website.

Ultimately, the best WordPress two-factor authentication plugin for your website is the one that users are most willing to adopt. While 2FA over an app is about as secure as it gets, most people have never used an authenticator app. This is why traditional 2FA plugins are so popular and why many websites still push 2FA over SMS and email. Sure, these methods are less secure, but you can reach almost anyone with a quick text message or email.

Consider what type of information a compromised WordPress account would put at risk then proceed accordingly. With the right WordPress two-factor authentication plugin, you can quickly enforce 2FA for some or all of your site’s users.

Our blog posts and email updates contain occasional affiliate links to third-party products and services. This means that we stand to earn a commission on any sales delivered with the links, but we do not recommend products or services that we don't use and love.