Legacy Two-Factor Authentication
Two-Factor Authentication allows you to add an extra layer of security to your WordPress login page.
Note that the legacy two-factor authentication is available on the “Tools” page for older Premium Wordfence installations that were installed before version 7.3.1.
For the new version of our two-factor authentication, which is available to both free and Premium users, see the two-factor authentication help page.
“Two-factor authentication” is an additional login security feature that is used by banks, government agencies, and the military worldwide. It is one of the most secure forms of remote system authentication. This method of logging in to your site relies on something you know and something in your possession. That is why it is referred to as “two-factor” because two factors are involved in authenticating you.
In this case, you know your password and you are in possession of your cellphone. If we can verify both of these, then we know that it is okay to allow you to access your site as an administrator. Two-factor authentication is designed to be used mainly by site administrators and those with high-level access such as an editor. Please note that this is a Premium feature which means you need to purchase a premium Wordfence key from our website at http://www.wordfence.com to activate two-factor authentication.
Wordfence provides two methods of two-factor authentication. You can either use SMS or you can use the Google Authenticator Application. The latter is recommended since it tends to be more reliable.
How to enable two-factor authentication
Enter the name of the user you want to enable two-factor authentication for.
Select whether you want to “Use authenticator app” or “Send code to a phone number”. If you want to use an authenticator application, you need to install that application on your phone before proceeding. We recommend Google Authenticator, which is available in the Google Play Store and Apple’s App store for free.
If you selected “Use authenticator app” you will now press “Enable user”. This will give you a prompt that contains a QR code and recovery codes. Scan the QR code with your authenticator application, then download and save the recovery codes in a safe place. These codes can be used for your login if you were to lose access to your phone. You can now close the prompt. Get a code from the application on your phone and enter it next to the username in the “Enter activation code” field. Click “Activate”. Two-factor authentication is now enabled for the user.
If you selected “Send code to a phone number” you will now enter a phone number in the field to the right of “Send code to a phone number”. Press to “Enable user”. You will now get a prompt with recovery codes. Save these in a safe location. You will also receive an SMS message with a code. Enter that code in the “Enter activation code” field and click “Activate”. Two-factor authentication is now enabled for the user.
How to log in with two-factor authentication
You can use two-factor authentication either with an application or with an SMS message, based on which method you chose when setting it up. Please see related instructions for each method below.
Using the “app” method with Google Authenticator:
- Enter your username and password as you normally would and press the Log In button.
- You will be shown a message asking you to enter your username and password again followed by a space, “wf”, and the code created in the application. You will need to open your authenticator application and fetch a code. For the purpose of these instructions, we will pretend that the code is 123456.
- Log in again. Your username is entered correctly, but your password should now be your password, a space, the letters “wf” and a code fetched from your authenticator application. For example, if your password was w0rdf3nce#! and your code was 123456 then you would enter w0rdf3nce#! wf123456
- Press the Log In button and you should be able to log in.
NOTE: Before entering your password with the code, make sure and remove the password in your password field if it was saved there as this can sometimes be incorrect and cause a login failure.
Using the “SMS” method:
- Enter your username and password as you normally would and press the Log In button.
- A unique code is now sent to your phone via an SMS message. For example 123456.
- You will be shown a message asking you to enter your username and password again followed by a space, the letters “wf”, and the code that you were sent.
- Log in again. Your username is entered correctly, but your password should now be your password, a space, the letters “wf” and the code that you were sent. For example, if your password was w0rdf3nce#! you would enter w0rdf3nce#! wf123456
- Press the Log In button and you should be able to log in.
NOTE: Some browsers and browser extensions will automatically fill in the password field. In some situations, it may be necessary to remove the auto-filled password and paste it manually into your password field.
How to disable two-factor authentication
If you want to disable two-factor authentication for a specific user, simply hit the “delete” link next to their username on the two-factor authentication page.
Security Options
Require Two-factor authentication for all Administrators
When this option is enabled, all administrators on the site are required to use two-factor authentication. Administrators not using two-factor authentication will not be able to log in.
You must have at least one administrator user currently using two-factor authentication to enable this option.
Enabling the separate prompt for the code
If you enable this option, you will get a separate prompt where you can enter only the two-factor authentication code after entering your username and password initially. Note that this option requires the PHP “output_buffering” function to be enabled on your hosting server.
Using Recovery Codes
When enabling two-factor authentication you are provided with a set of “recovery codes” that you can use in the event that you cannot receive SMS messages, or if you have lost your phone. It is recommended that you save these codes somewhere safe, in case you ever need them. The codes are only shown once, but you can generate a new set of codes by removing the user’s settings, and following the setup steps again.
To use a recovery code on the login page:
- Enter your username and password. The login screen will refresh.
- Log in again. Your username is entered correctly, but your password should now be your password, a space, the letters “wf” and your recovery code. For example, if your password isĀ w0rdf3nce#! and your recovery code is 2ad4 3a8b d727 2938, you would enter: w0rdf3nce#! wf2ad4 3a8b d7272938B.
- Press the Log In button and you should be able to log in.
Note that a recovery code expires when it is used. If you use all of your recovery codes, we recommend removing two-factor authentication for your username and setting it up again to get a new set of recovery codes.
Frequently Asked Questions
- I am not receiving the Two Factor SMS code
If using the SMS option and you don’t get a code to your phone, try to login normally again. In the few cases where this has happened, trying again results in a new code being sent.
If you have any pending OS updates on your phone, we recommend installing those and restarting the phone. Make sure you are able to receive SMS from other phone numbers. If you are not able to receive SMS at all, it’s likely that your phone carrier is experiencing some technical difficulties.
If you need immediate access to the site, please use FTP/SSH or the cpanel file manager for your site and rename the Wordfence directory usually found in the folder : public_html/wp-content/plugins/wordfence. This immediately deactivates the plugin which allows you to log in without two factor authentication.