Two Factor Authentication is a plugin from the authors of UpdraftPlus that adds a layer of protection for WordPress logins. The advantage of using a two-factor authentication (2FA) plugin for your WordPress site is that it helps to protect users with weak or exploited passwords.
It does this by requiring a one-time code when a user has to log in. These codes are obtained through an authentication plugin or email. This tutorial will step you through using this plugin and describe its features.
- Installing the Two Factor Authentication Plugin
- Enabling 2FA with the Plugin
- Plugin Features
Installing the Two Factor Authentication Plugin
This WordPress plugin installation will require you to log into your Administrator Dashboard.
- Click on Plugins.
- Click on Add New.
- Search for “Two Factor Authentication.” Several plugins will appear; look for the one by “David Anderson, original plugin by Oskar Hane and enhanced by Dee Nutbourne.”
- Click on Activate.
When the installation completes, you will see Two Factor Auth added to the menu under Users. Note that 2FA has not yet been enabled for WordPress. The site-wide settings are linked in the Admin setup or can be found under the WordPress site Settings menu.
Enabling 2FA with the Plugin
Enabling two-factor authentication requires that you set it up for your user and/or for the entire site. For Administrators and non-admin users, the Two Factor Auth menu added under Users is only for configuring 2FA. The screenshots below show how it will look for admins versus non-admin users.
Configuring the User
To set up your user, you need to do three things: enable 2FA, pick an authentication method and verify your authentication method.
- Activate two-factor authentication at the top of the page.
- Click on the blue Save Changes button at the top of the page.
- Go to the bottom of the page and select your authentication method: TOTP or HOTP. You can only choose one. TOTP (Time-based One-Time Password) is used by applications like Google Authenticator. HOTP (Hash-based One-Time Password) requires access to the email you use for your WordPress user.
- Click on Save Changes.
- Complete the authenticator setup with the TOTP app or using HOTP with email.
Site-wide Configuration of Two-Factor Authentication for WordPress Users
First, it is important to note that some features for using 2FA are only available after upgrading the plugin to the premium version. These features include:
- Making two-factor authentication mandatory for all users
- Identifying trusted devices
- Emergency codes (backup codes if the authentication is lost or unusable)
There are many other features available with the premium version.
The free version of the Two Factor Authentication plugin allows you to configure the roles and the authentication option.
- If you want to make 2FA available to your users, you must do so by identifying the roles that are required to use it. By default, all user roles are selected. Click on a checkbox to make changes.
- Once you have completed making your changes, click on Save Changes under the list.
- Scroll down until you find the Default algorithm for codes generated by user devices. Select the authentication option you want your users to use: TOTP or HOTP.
- Click on Save Changes.
The one main feature available in the free version of the plugin is for XMLRPC requests. Some applications use XMLRPC requests for verification to access the website. This allows the application to access your WordPress site without authentication. If you set the option for 2FA to be required, then anytime you use the application accessing your WordPress site, you will be required to input your user-based 2FA authentication code.
All other features for the plugin are available only with the Premium version. These features include:
- Emergency codes
- Compulsory 2FA use
- Trusted devices
- Manage users centrally
- Use of shortcodes
- WooCommerce features
- Elementor support
- Form Support
- Technical Support access
Two Factor Authentication is a bare-bones plugin for secure logins on your WordPress site. It does not require your users to use 2FA, but its premium features help provide options for managing your 2FA users.
If you want a lightweight solution to add optional 2FA use on your WordPress site, then this plugin may be a good solution for you. Users can still quickly and easily enable their logins to use 2FA and help protect the WordPress site from intrusion due to insecure user passwords.