This page describes the settings for Two-Factor Authentication and reCAPTCHA. For help setting up 2FA on your login or logging into a site using 2FA, click here.
Two-Factor Authentication Options
This table counts the total users for each user role and the number of users with 2FA active.
Note: For multisite installations, only the main site is currently counted.
Enable 2FA for these roles
By default, only admins are allowed to use 2FA. You can enable 2FA for other roles on the site, and each user can manage their own 2FA devices. Non-admin users will see a separate Login Security menu on the left WordPress menu, when you enable 2FA for their roles.
Require 2FA for all administrators
When enabled, this option prevents admins from logging in if they have not set up 2FA. This ensures that an admin cannot remove 2FA from their account, such as when switching to a new device, and forget to set up 2FA on a new device. It also can help prevent rogue admins from logging in if a attacks on the database or a theme/plugin vulnerability allows creation of new users.
If you need to add a new admin to the site, they will need to set up 2FA in order to log in. The safest way to work around this is to allow 2FA for Editors or another lower role, and create the new admin’s account using that role instead. Once they have set up 2FA, you can promote them to admin. (Alternately, you could temporarily turn off this option, but that disables the requirement for all admins until you re-enable it.)
The optional “Grace period to require 2FA“ allows you to set a date when this option will become effective, allowing admins to log in without 2FA until that time. After saving with this option enabled, you can click the “Send notification” button to send an email to other admins on the site, notifying them of the date.
Allow remembering device for 30 days
When this option is enabled, users can click a checkbox to remember their device for 30 days. This sets a cookie unique to their device that will allow them to log in without using 2FA from that device and browser. This feature is for convenience, but it is less secure than requiring 2FA for each login.
Require 2FA for XML-RPC call authentication
This option is set to “Required” by default, to prevent logins without 2FA via xmlrpc.php. Attackers often target xmlrpc.php with password guessing attacks, so it is important to keep this feature enabled if possible.
Plugins, features, and external apps or services that require authenticated XML-RPC calls are usually not compatible with this option. For example, if you use the WordPress app on your phone with a user account that uses 2FA, you will most likely need to set this option to “Skipped”, unless you have specific IPs or ranges you can safely whitelist.
Custom applications that log in via XML-RPC may be made compatible if they can generate a TOTP code and append the current code to the password during authentication. Codes still expire after the first use.
Disable XML-RPC authentication
This option rejects all XML-RPC requests that require authentication, whether they have a valid username and password or not. It applies to all logins, not only those for users with 2FA enabled.
This option is not compatible with the WordPress phone app, the Jetpack plugin, or most other services that use XML-RPC.
Whitelisted IP addresses that bypass 2FA
This field accepts IP addresses or ranges where 2FA will not be required. You can use this to skip 2FA on networks you trust, like if you have a static IP and want to skip 2FA when connecting from your usual location. Another example is if you have a network with a trusted range of IPs, such as allowing users on your corporate network to log in without 2FA unless they are logging in from outside the network.
This CAPTCHA implementation uses Google’s reCAPTCHA v3. See documentation from Google at https://developers.google.com/recaptcha/docs/v3 for more details.
Enable reCAPTCHA on the login and user registration pages
Enabling this feature will add a CAPTCHA test to WordPress’s login and registration forms. After enabling the checkbox, you need to enter a Site Key and Secret Key, available from Google at https://www.google.com/recaptcha/intro/v3.html
How it works
When this feature is enabled, it displays a reCAPTCHA logo on the WordPress login and registration forms. Unlike older CAPTCHA implementations, it does not require the user to read distorted letters, click road signs, or click a checkbox. Instead, Google calculates a score for each user.
One drawback is that you cannot see the reason that Google has given a lower score. There may be cases where a real user is blocked from logging in or registering, if Google determines that they may be a bot.
Scores from each user’s last login attempt are shown on the standard WordPress Users page. Keep in mind that it may be from the user attempting to log in, or a bot attempting to log in with their username.
The reCAPTCHA service requires scripts that are loaded from Google and calls to their servers to validate that visitors are real people.
What users will see
Generally, most users should see only a Google reCAPTCHA logo on the login and registration pages.
If any valid users get a low score from Google reCAPTCHA and are blocked while logging in, they will see a message saying “Additional verification is required for login”, and asking them to check their email. They should receive an email with a link that will allow them to log in.
Users with 2FA enabled will automatically skip the CAPTCHA scoring, since they are already required to enter a valid 2FA code.
If registration is enabled on your site and a user is blocked from registering due to a low score from reCAPTCHA, they are shown a form to send a message to the main admin email address listed on the WordPress General settings. This is necessary since there is no user record with a known email address for them yet. This form is rate-limited, so bots cannot send repeated requests.
Customizing CAPTCHA behavior with WordPress filters
You can customize some aspects of the CAPTCHA process with WordPress filters in your theme’s functions.php file, or in custom plugins.
The filter “wfls_registration_blocked_message” can be used to customize the message when registration is blocked. You can write a custom message to replace the default message and admin contact link, for example, directing the visitor to email you or complete a different contact form. Your filter should return the message that you want to display to the visitor.
The filter “wordfence_ls_require_captcha” can be used to disable the CAPTCHA in circumstances of your choice. This may be useful for plugins that contain REST endpoints with authentication that should not require a CAPTCHA. Your filter should return false to bypass the CAPTCHA requirement when necessary, or otherwise true when the CAPTCHA should be required.