Two Factor Authentication

Two Factor Authentication allows you to add an extra layer of security to your WordPress login. This section describes how to use it.

“Two Factor Authentication” is an additional login security feature used by banks, government agencies and militaries worldwide. It is one of the most secure forms of remote system authentication, and it’s available from Wordfence for your WordPress website. This method of signing into your website relies on something you know and something in your possession. That is why it is referred to as two factor – because two factors are involved in authenticating you.

In this case you know your password and you are in possession of your cellphone. If we can verify both of these, then we know that it’s OK to allow you to access your website as an administrator. Wordfence cellphone sign-in is designed to be used mainly by site administrators and those with high level access e.g. with publisher access. Please note that this is a premium feature which means you need to purchase a premium Wordfence key from our website at http://www.wordfence.com to activate cellphone sign-in.

Wordfence provides two methods of Two Factor Authentication. You can either use SMS or you can use the Google Authenticator App. The latter is recommended since it tends to be more reliable.

How to enable Two factor authentication

Enter the name of the user you want to enable Two Factor Authentication for.
Select whether you want to “Use authenticator app” or “Send code to a phone number”. If you want to use an authenticator app, you need to install that app on your phone before proceeding. We recommend Google Authenticator, which is available for free in the Google Play Store and Apple’s App Store.

If you selected to “Use authenticator app” you will now press “Enable user”. This will give you a prompt that contains a QR code and recovery codes. Scan the QR code with your authenticator app, then download and save the recovery codes in a safe place. These codes can be used for login if you were to lose access to your phone. You can now close the prompt. Get a code from the app on your phone and enter it next to the username in the “Enter activation code” field. Click “Activate”. Two Factor Authentication with app is now enabled for the user.

If you selected “Send code to a phone number” you will now enter a phone number in the field to the right of “Send code to a phone number”. Press “Enable user”. You will now get a prompt with recovery codes. Save these in a safe location. You will also receive an SMS message with a code. Enter that code in the “Enter activation code” field and click “Activate”. Two Factor Authentication with SMS is now enabled for the user.

How to log in with Two factor authentication

You can use Two factor authentication either with app or with SMS. Please see related instructions for each method below.

Using the “app” method with Google Authenticator –

  • Enter your username and password as per normal and hit the login button.
  • You will be shown a message asking you to re-enter your username and password followed by a space, wf, and the code you were sent. You will need to open your authenticator app and fetch a code. For the purpose of these instructions, we’ll pretend the code was 123456.
  • Log in again. Your username is entered like usual, but your password should now be: your password, a space, the letters “wf” and a code fetched from your authenticator app. For example, if your password was w0rdf3nce#! and your code was 123456 you would enter w0rdf3nce#! wf123456
  • Hit the login button and it should sign you in.

NOTE: Before entering your password with the code, make sure to remove the password from the password field if your browser saved it there, as the saved value can sometimes be wrong and cause problems.

Using the “SMS” method –

  • Enter your username and password as per normal and hit the login button.
  • A unique code is now sent to your phone via SMS, for example 123456.
  • You will be shown a message asking you to re-enter your username and password followed by a space, the letters wf, and the code you were sent.
  • Log in again. Your username is entered like usual, but this time add a space character to the end of your password followed by the letters “wf” and the code you were sent. For example, if your password was w0rdf3nce#! you would enter w0rdf3nce#! wf123456
  • Hit the login button and it should sign you in.

NOTE: Some browsers and browser plugins automatically fill password fields. In some situations it may be necessary to remove the auto-filled password and type or paste your password into the password field manually.

How to disable Two factor authentication

If you want to disable Two factor authentication for a specific user, simply hit the ‘delete’ link next to their username on the Two factor authentication page.

Security Options

Require Two factor authentication for all Administrators

When this option is enabled, all administrators on the site are required to use two factor authentication. Administrators not using two factor authentication will not be able to log in.
You must have one administrator user currently using two factor authentication to enable this option.

Enabling the separate prompt for the code

If you enable this option, you will get a separate prompt where you enter only the two factor code after first entering your username and password. Please note that this option requires the PHP setting output_buffering to be on.

Using Recovery Codes

When enabling Two Factor Authentication you are provided with a set of “recovery codes” that you can use in the event that you cannot receive SMS messages, or if you have lost your phone. It is recommended that you save these codes somewhere safe, in case you ever need them. The codes are only shown once, but you can generate a new set of codes by removing the user’s cellphone sign-in settings, and following the setup steps again.

To use a recovery code on the login page:

  • Enter your username and password. The login screen will refresh.
  • Log in again. Your username is entered like usual, but your password should now be: your password, followed by a space and the letters “wf” and your recovery code. For example, if your password is “MyPassword” and your recovery code is “2ad4 3a8b d727 2938”, you would enter: “MyPassword wf2ad4 3a8b d727 2938”
  • Hit the login button and it should sign you in.

NOTE: A recovery code expires when it is used. If you use all of the recovery codes, we recommend removing your cellphone sign-in settings for that user, and setting them up again, to get a new set of codes.
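The login format described above (password, a space, “wf”, then a one-time code or a recovery code) is easy to get wrong on the server side because a recovery code itself contains spaces and a password may contain “ wf”. The following is an added illustration of how a login handler could split and check such a credential; it is example code, not Wordfence’s own implementation. The recovery-code pattern (four groups of four hex characters) is assumed from the sample code shown in the text, and the “current” app/SMS code is a constructed value rather than a real TOTP computation.

```python
import hmac
import re

# A one-time code from the app or SMS: six digits, e.g. 123456.
OTP_RE = re.compile(r"^\d{6}$")
# Assumed recovery code shape, from the sample "2ad4 3a8b d727 2938" in the text.
RECOVERY_RE = re.compile(r"^[0-9a-f]{4}( [0-9a-f]{4}){3}$")
MARKER = " wf"


def split_credential(submitted):
    """Split 'password wfCODE' into (password, code).

    The marker is searched from the right so that a password which itself
    contains ' wf' is not cut at the wrong place. If nothing after a marker
    looks like a code, the whole string is the password and code is None.
    """
    pos = submitted.rfind(MARKER)
    while pos != -1:
        candidate = submitted[pos + len(MARKER):].strip().lower()
        if OTP_RE.match(candidate) or RECOVERY_RE.match(candidate):
            return submitted[:pos], candidate
        pos = submitted.rfind(MARKER, 0, pos)
    return submitted, None


class TwoFactorCheck:
    """Second-factor state for one user (constructed sample, not Wordfence's storage)."""

    def __init__(self, password, current_otp, recovery_codes):
        self.password = password
        # In a real deployment this would be computed from the TOTP secret
        # behind the QR code (or be the SMS code just sent); constructed here.
        self.current_otp = current_otp
        self.unused_recovery = set(recovery_codes)

    def login(self, submitted):
        password, code = split_credential(submitted)
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return "denied"
        if code is None:
            return "code-required"  # first submit: the login screen refreshes
        if OTP_RE.match(code):
            ok = hmac.compare_digest(code.encode(), self.current_otp.encode())
            return "ok" if ok else "denied"
        if code in self.unused_recovery:
            self.unused_recovery.discard(code)  # a recovery code expires when used
            return "ok"
        return "denied"
```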

Frequently Asked Questions

  • I am not receiving the Two Factor SMS code

    If you are using the SMS option and you don’t get a code on your phone, try to log in normally again. In the few cases where this has happened, trying again results in a new code being sent.

    If you have any pending OS updates on your phone, we recommend installing those and restarting the phone. Make sure you are able to receive SMS from other phone numbers. If you are not able to receive SMS at all, it’s likely that your phone carrier is experiencing some technical difficulties.

    If you need immediate access to the site, use FTP/SSH or the cPanel file manager for your site and rename the Wordfence directory, usually found in the folder public_html/wp-content/plugins/wordfence. This immediately deactivates the plugin, which allows you to log in without two factor authentication.