Login Security Options

The Login Security page currently contains settings for two-factor authentication (2FA) and reCAPTCHA. In a future Wordfence version, existing login-related features will also move to the same page.

This page describes the settings for Two-Factor Authentication and reCAPTCHA. For help setting up 2FA on your login or logging into a site using 2FA, click here.

Two-Factor Authentication Options

User Summary

This table counts the total users for each user role and the number of users with 2FA active.

Note: For multisite installations, only the main site is currently counted.

Enable 2FA for these roles

By default, only admins are allowed to use 2FA. You can enable 2FA for other roles on the site, and each user can manage their own 2FA devices. Non-admin users will see a separate Login Security menu on the left WordPress menu, when you enable 2FA for their roles.

Require 2FA for all administrators

When enabled, this option prevents admins from logging in if they have not set up 2FA. This ensures that an admin cannot remove 2FA from their account, such as when switching to a new device, and forget to set up 2FA on a new device. It also can help prevent rogue admins from logging in if a attacks on the database or a theme/plugin vulnerability allows creation of new users.

If you need to add a new admin to the site, they will need to set up 2FA in order to log in. The safest way to work around this is to allow 2FA for Editors or another lower role, and create the new admin’s account using that role instead. Once they have set up 2FA, you can promote them to admin. (Alternately, you could temporarily turn off this option, but that disables the requirement for all admins until you re-enable it.)

The optional “Grace period to require 2FA“ allows you to set a date when this option will become effective, allowing admins to log in without 2FA until that time. After saving with this option enabled, you can click the “Send notification” button to send an email to other admins on the site, notifying them of the date.

Allow remembering device for 30 days

When this option is enabled, users can click a checkbox to remember their device for 30 days. This sets a cookie unique to their device that will allow them to log in without using 2FA from that device and browser. This feature is for convenience, but it is less secure than requiring 2FA for each login.

Require 2FA for XML-RPC call authentication

This option is set to “Required” by default, to prevent logins without 2FA via xmlrpc.php. Attackers often target xmlrpc.php with password guessing attacks, so it is important to keep this feature enabled if possible.

Plugins, features, and external apps or services that require authenticated XML-RPC calls are usually not compatible with this option. For example, if you use the WordPress app on your phone with a user account that uses 2FA, you will most likely need to set this option to “Skipped”, unless you have specific IPs or ranges you can safely whitelist.

Custom applications that log in via XML-RPC may be made compatible if they can generate a TOTP code and append the current code to the password during authentication. Codes still expire after the first use.

Disable XML-RPC authentication

This option rejects all XML-RPC requests that require authentication, whether they have a valid username and password or not. It applies to all logins, not only those for users with 2FA enabled.

This option is not compatible with the WordPress phone app, the Jetpack plugin, or most other services that use XML-RPC.

Whitelisted IP addresses that bypass 2FA

This field accepts IP addresses or ranges where 2FA will not be required. You can use this to skip 2FA on networks you trust, like if you have a static IP and want to skip 2FA when connecting from your usual location. Another example is if you have a network with a trusted range of IPs, such as allowing users on your corporate network to log in without 2FA unless they are logging in from outside the network.

CAPTCHA options

This CAPTCHA implementation uses Google’s reCAPTCHA v3. See documentation from Google at https://developers.google.com/recaptcha/docs/v3 for more details.

Enable reCAPTCHA on the login and user registration pages

Enabling this feature will add a CAPTCHA test to WordPress’s login and registration forms. After enabling the checkbox, you need to enter a Site Key and Secret Key, available from Google at https://www.google.com/recaptcha/intro/v3.html

How it works

When this feature is enabled, it displays a reCAPTCHA logo on the WordPress login and registration forms. Unlike older CAPTCHA implementations, it does not require the user to read distorted letters, click road signs, or click a checkbox. Instead, Google calculates a score for each user.

One drawback is that you cannot see the reason that Google has given a lower score. There may be cases where a real user is blocked from logging in or registering, if Google determines that they may be a bot.

Scores from each user’s last login attempt are shown on the standard WordPress Users page. Keep in mind that it may be from the user attempting to log in, or a bot attempting to log in with their username. Scores are also aggregated in a chart on the login security settings page, including both good and bad login attempts.

The reCAPTCHA service requires scripts that are loaded from Google and calls to their servers to validate that visitors are real people.

What users will see

Generally, most users should see only a Google reCAPTCHA logo on the login and registration pages.

If any valid users get a low score from Google reCAPTCHA and are blocked while logging in, they will see a message saying “Additional verification is required for login”, and asking them to check their email. They should receive an email with a link that will allow them to log in.

Users with 2FA enabled will automatically skip the CAPTCHA scoring, since they are already required to enter a valid 2FA code.

If registration is enabled on your site and a user is blocked from registering due to a low score from reCAPTCHA, they are shown a form to send a message to the main admin email address listed on the WordPress General settings. This is necessary since there is no user record with a known email address for them yet. This form is rate-limited, so bots cannot send repeated requests.

reCAPTCHA human/bot threshold score

You can adjust the threshold used by the captcha if it is too strict or too lenient for your site. The default value is 0.5. You can use the score history chart described below to see the typical scores for your site. If valid users are sometimes blocked by the captcha, you can set the score lower to 0.4 or 0.3 if necessary. If bots are being allowed too often, you can raise the score to 0.6 or 0.7 for example.

reCAPTCHA score history

This chart aggregates the scores for any login attempts, from both humans and bots. Typically you should see a spike toward the high end (users) and the low end (bots). You can use these results to decide if you need to adjust the threshold above. You can reset the chart using the “Reset Score Statistics” link below it.

If scores of 0.0 appear common and regular users are sent validation emails, you may have a conflict with another plugin’s javascript, a caching issue, or an incorrect reCAPTCHA key.

Run reCAPTCHA in test mode

When this option is enabled, the captcha will record scores in the chart above but it will not block bots or visitors.

This is intended to be used for a short period — likely a few days or a few hours, depending on your traffic — to decide on whether you need to set the threshold above or below the default of 0.5 or to check for conflicts with other plugins or themes. Because it is important to remember to disable test mode, since the captcha will not block bots during testing, this option adds an admin notice that can be dismissed only by disabling test mode.

Customizing CAPTCHA behavior with WordPress filters

You can customize some aspects of the CAPTCHA process with WordPress filters in your theme’s functions.php file, or in custom plugins.

The filter “wfls_registration_blocked_message” can be used to customize the message when registration is blocked. You can write a custom message to replace the default message and admin contact link, for example, directing the visitor to email you or complete a different contact form. Your filter should return the message that you want to display to the visitor.

The filter “wordfence_ls_require_captcha” can be used to disable the CAPTCHA in circumstances of your choice. This may be useful for plugins that contain REST endpoints with authentication that should not require a CAPTCHA. Your filter should return false to bypass the CAPTCHA requirement when necessary, or otherwise true when the CAPTCHA should be required.

How to get IPs

When using the standalone Wordfence Login Security plugin without the full Wordfence plugin, you will see choices for how the plugin gets visitor IP addresses. This is important if you use the whitelist feature, to be sure the plugin can detect visitors’ IPs. In most cases, you can leave this set to the default value, “Use the most secure method to get visitor IP addresses.” If the correct IP is not shown, you can choose one of the other options, based on how your server has been set up.

A preview of your detected IP appears below the choices. If you know your public IP address, you can compare it to this, to be sure the correct IP is detected.

If your server is behind one or more proxies, you can click “Edit trusted proxies” to add the proxy IP addresses or ranges.

If you are using the full Wordfence plugin, the “How to get IPs” section does not appear, since the full plugin has a similar section, and enhanced automatic detection.

Delete Login Security tables and data on deactivation

This checkbox can be used to remove the Login Security tables and data. If the checkbox is enabled when the plugin is deactivated, the data will be removed at that time, including all settings, users’ 2FA codes, and backup codes. This will reset the plugin to its default state if you enable it again, and users would need to set up 2FA on their accounts again.