Wordfence WooCommerce 2FA: Set Up This New Feature To Protect Your Customers
On February 15, we made the exciting announcement that the latest release of Wordfence, version 7.9.0, includes a new feature: WooCommerce 2FA (two-factor authentication) for customer level users.
What does this mean for you as an e-commerce store operator? And how can you start using this feature?
Let’s dive in.
Why Customer Level E-Commerce Users Should Have 2FA Capabilities
If the steady stream of emails I’ve been getting from Have I Been Pwned? (a notification service for data breaches involving your email address) are any indication, no one is immune from the fallout of security breaches.
It’s not a question of if your login information will be compromised, but when. With this in mind, if your customers are inadvertently using a compromised password or tend to reuse the same email login and password set across multiple sites, this behavior could compromise their account on your WooCommerce site.
By implementing the new Wordfence WooCommerce 2FA feature, you’re helping customers protect sensitive personal data, including saved payment methods. That also helps you, as an e-commerce store operator, reduce the potential for fraudulent charges.
Popular E-Commerce Stores Using 2FA for Customer Level Users
Although the Wordfence WooCommerce 2FA feature is new to the Wordfence Security plugin, it’s not a new concept for some of the most popular e-commerce stores on the internet.
Take Amazon, for example. They offer multiple 2FA (or two-step verification, as they refer to it) options for all users:
Another major e-tailer and Amazon competitor, Target, offers a similar 2FA security feature for users — connected to your email and mobile phone if desired:
Other popular e-tailers offering 2FA for user level accounts include:
Wordfence WooCommerce 2FA Capabilities & Set Up Steps
Regardless of which version of the Wordfence Security plugin you have installed on your WooCommerce website — free or premium — here’s the good news: everyone has access.
Here’s how to enable WooCommerce 2FA for your users:
- Login to the WordPress dashboard, then navigate to Wordfence in the sidebar. Select Login Security, then navigate to the Settings tab.
- Scroll down to set 2FA roles and click on the toggles to set options to your preferences. Select from “required,” “optional,” and “disabled.” It’s recommended that you set the customer role to “optional” to enable 2FA for customers.
- Scroll down and select WooCommerce Integration, as well as the option to Show Wordfence 2FA menu on WooCommerce Account Page. This action will add a new Wordfence 2FA tab to the user’s WooCommerce account menu — enabling 2FA management for all users and customers outside of the WordPress admin dashboard.
Here’s how your users can get started using the Wordfence login security WooCommerce integration:
- Users will either need to create or login to their WooCommerce user account.
- Visit the “My Account” (or any custom terminology you’ve used for the user account on your WooCommerce website) link, then click the Wordfence 2FA tab.
- Complete setup by scanning the QR code and adding it to your preferred authenticator app, like Google Authenticator or FreeOTP.
- Type the 6-digit code from the new entry that populated in your authenticator app into the field on the bottom right of the page, then click Activate.
- Download the recovery codes (which can be used in place of a 6-digit 2FA code) and store them in a safe place in case your device is lost or stolen.
- Users will be prompted to enter an active 2FA code (or recovery code) when attempting to log back into their account on your WooCommerce website.
Watch our video for a full walkthrough of the process:
Get Started With Wordfence WooCommerce 2FA
Ready to try the new Wordfence login security WooCommerce integration? You’ll need to either update to the latest version of the Wordfence Security plugin, 7.9.0, or install Wordfence Security if you’re just using it for the first time. Then, follow the instructions outlined earlier in this post to configure this feature for your WooCommerce customers.
If you’re looking for product support, watch this video for assistance:
For Wordfence Security free users, you can get support on our WordPress.org forums. Wordfence Security premium users can get support using our ticketing system.
All trademarks, logos, and brand names are the property of their respective owners. All company, product, and service names used in this website are for identification purposes only. Use of these names, trademarks, and brands does not imply endorsement.
Giving web site owners the option of 2FA for customers is a great move, however are you missing giving our customers the choice of getting the one time password by SMS as an alternative to an authenticator app?
I fully appreciate that SMS authentication is vulnerable compared to an authenticator app; you removed it from Wordfence a few years ago. Some of the banks I am with use SMS authentication. I read “SMS-based 2FA is absolutely better than no 2FA.”
Looking at the examples you use (Amazon, Target, Best Buy, Etsy, Samsung and eBay), almost have both options. I wonder what the relative take-up for someone like Amazon is – proportion of customers who use SMS, an App or no-2FA? Appreciating I can make it optional, I am a bit concerned that without SMS I might lose some potential customers who are less technical or see it as adding time and complexity to their shopping, especially if they only shop with me very occasionally.
When we previously offered SMS 2FA it was a Premium-only offering due to the cost to us of sending SMS messages. While it is better than nothing, it has since become significantly easier for attackers to reroute SMS messages and attackers no longer need to use social engineering to do this in some cases. As such we decided against reintroducing a known weak 2FA method that had already been discontinued in favor of something we could reasonably offer as a security enhancement to all of our users, including our Free users.
This is a great feature!
We don't need to use another premium plugin any longer.
Thank you guys