Wordfence Adds Two Factor Auth for WooCommerce Customers
Wordfence 7.9.0 has been released, and it includes a very exciting feature for WooCommerce sites and other WordPress sites wanting to make two-factor authentication (2FA) available to their site users or members. Wordfence 7.9.0 now lets you give your users the ability to configure 2FA on their profile pages.
For WooCommerce websites, by enabling this feature, your users will be able to configure 2FA on their “Account” page. For other site types wanting to use this feature, we’ve provided a shortcode you can embed on your user profile pages that allows your users to configure 2FA themselves.
Wordfence does a great job of securing your WordPress website, and this new feature will significantly improve the security of your individual site users and members. In the security industry we take a layered approach to security, and having your site users add two-factor authentication creates a robust additional security layer that will help prevent account breaches.
Wordfence 7.9.0 also includes bug fixes and performance enhancements for our two-factor authentication system. The rest of this post includes more detail on what changes Wordfence 7.9.0 includes, and how to set up this new feature.
Wordfence 7.9.0 Changelog
Improvement: Added 2FA management shortcode and WooCommerce account integration
Until now, Wordfence’s two-factor authentication has only been available to users who have access to wp-admin pages. We heard from several users who would like to allow the WooCommerce Customer role to use 2FA or to place the 2FA form on a custom profile page, and we have now implemented this. New options can be found on the Settings tab of the Login Security page on the Wordfence menu.
To use this feature on WooCommerce, enable the new option “Show Wordfence 2FA menu on WooCommerce Account page”, and in the “2FA Roles” section, set the Customer role to “Optional”. The 2FA option will then appear in the menu on the “Account” page.
For non-WooCommerce sites, you can enable “2FA management shortcode” instead, which allows using a shortcode to embed the 2FA setup form and QR code on other pages.
By default, the option “Use single-column layout for WooCommerce/shortcode 2FA management interface” is enabled, which should work well with most themes. If you prefer a side-by-side view of the 2FA setup page, similar to the one used in wp-admin, you can disable this option. It may require additional style changes in your theme, depending on the available space and differences in styling for mobile devices.
More details about using these features can be found on the Login Security help page. Be sure to test the login process as a lower-privileged user, in case of compatibility issues with any other plugins or themes. Keep in mind that some users will eventually lose or break a phone that they had set up with 2FA. If they did not save their backup codes, your customer service team will need to work with them to help them regain access. That means you’ll need to verify their identity and then grant them access to their account.
Improvement: Improved performance when viewing 2FA settings on sites with many users
On sites with a large number of users, the 2FA settings page could load very slowly. Wordfence previously used the count_users() WordPress core function, but now uses a more efficient query to count the users of each role who have 2FA active or inactive.
Fix: Ensured Captcha and 2FA scripts load on WooCommerce when activated on a sub-site in multisite
We fixed an issue where multisites that had WooCommerce enabled individually on sub-sites would not load Wordfence’s Captcha and 2FA scripts, due to the load order of network-activated plugins.
Fix: Prevented reCAPTCHA logo from being obscured by some themes
Some themes could previously have elements overlapping the reCAPTCHA logo. This has been fixed by raising the z-index.
Fix: Enabled wfls_registration_blocked_message filter support for WooCommerce integration
Wordfence’s “registration blocked” message can be customized to display a different message if the user’s browser has failed the captcha. Previously, this was only available for regular login pages, but it is now also supported on WooCommerce’s login page. Documentation for this filter appears on the Login Security help page.