Two-Factor Authentication

Two-factor authentication allows you to add an extra layer of security to your WordPress login. This section describes how to use it.

“Two-factor authentication” is an additional login security feature which is used by banks, government agencies, and military worldwide. It is one of the most secure forms of remote system authentication. It’s available from Wordfence for your WordPress website. This method of signing in to your website relies on something you know and something in your possession. That is why it is referred to as two-factor – because two factors are involved in authenticating you.

In this case you know your password and you are in possession of your cell phone or another authenticator device. If we can verify both of these, then we know that it’s okay to allow you to access your website. Wordfence two-factor authentication is designed to be used mainly by site administrators and those with high level access, e.g. users with publisher access, but is now also available for other roles if you choose. Two-factor authentication was previously a premium feature, but is now available to sites running the free version of Wordfence as well.

Wordfence 2FA now uses an authenticator app, such as Google Authenticator, to generate unique codes for you rather than relying on text messages.

How to enable two-factor authentication

If your site uses the older version of two-factor authentication, see the Legacy Two-Factor Authentication page.

In Wordfence 7.3 and later, two-factor authentication uses an authenticator app for better security and reliability, instead of SMS / text messages.

First, choose an authenticator app to use, if you do not already have one installed on a cell phone or tablet. There are many available for iOS, Android, and other platforms, including:

  • Google Authenticator
  • Sophos Mobile Security
  • FreeOTP Authenticator
  • 1Password (mobile and desktop versions) See: 1Password help
  • LastPass Authenticator
  • Microsoft Authenticator
  • Authy 2-Factor Authentication
  • Any other authenticator app that supports Time-based One-Time Passwords (TOTP)

Enabling two-factor authentication:

  1. Go to the Login Security page in your site’s wp-admin area
    • For admins, this is on the Wordfence menu
    • For other users, this is a separate menu with a Wordfence logo
  2. Open your authenticator app and add a new entry; most apps have a plus sign or a tiny QR code
  3. Scan the QR code on the login security page; your authenticator app should then display a six digit code
    • If you are accessing a site on a phone or tablet and obviously can’t point the camera at its own screen, you can copy the line of letters and numbers below the QR code, and paste that in an app, using the app’s “manual” setup option
  4. In the “Download recovery codes” section, click the Download button
    • Recovery codes can be used if you lose your device
    • Print or save the file, and store it in a safe place
  5. Enter the six digit code that appears in your authenticator app
    • This code changes every 30 seconds
    • If the code expires, you can enter the next code instead
  6. Click the Activate button

That’s it! If this is your first time setting up 2FA on a site you may want to try logging in to the site in a different browser or in a private or incognito browser window to check for any compatibility issues before logging out.

How to log in with two-factor authentication

Steps to log in:

  1. Enter your username and password and click the “Log In” button, as usual
  2. When the “2FA Code” prompt appears, enter the code from your authenticator app
    • If you use 2FA for multiple sites, be sure to pick the correct site
  3. Click the “Log In” button

If you have incompatible plugins or themes and can’t see the “2FA Code” prompt, or if you prefer a slightly quicker method, you can also enter a 2FA code directly after your password, in the same field:

  1. Enter your username and password, but do not click the “Log In” button yet
  2. Immediately after your password, enter the code from your authenticator app
    • If you used the old Wordfence 2FA, note that you no longer need to enter a space or letters
    • Example: For the password ‘mypass’ and code ‘233455’, enter ‘mypass233455’
  3. Click the “Log In” button

How to use recovery codes

The recovery codes that you saved or printed during setup can be used if you ever lose your authenticator device or if you remove the app or its saved codes by mistake. Make sure you store these codes in a safe place.

Because they don’t expire, recovery codes are longer than normal codes — 16 letters and numbers instead of only 6 numbers — but each code can only be used once. An example recovery code looks like this: 5199 5c24 77dc 0ed7

The login process is the same as using a code from an authenticator app:

  1. Enter your username and password and click the “Log In” button, as usual
  2. When the “2FA Code” prompt appears, enter a recovery code
    • Remember, recovery codes are longer than regular 2FA codes
    • In this example, we would enter: 5199 5c24 77dc 0ed7
  3. Click the “Log In” button

Each recovery code can only be used once. You can generate new recovery codes on the Login Security page of your site. This is useful if you have used most of your codes, or if you lose the codes you previously saved or printed. Generating new codes will invalidate the previous codes.

How to disable two-factor authentication

You can disable 2FA with a few clicks. This is useful if you want to switch to a new device or a different authenticator app, or if you need to help another user who is unable to log in. Of course, always confirm that the user you’re helping is really who they say they are!

If you need to disable 2FA on your own account:

  1. Log into your site and go to the Login Security page
  2. Click the Deactivate button.

If you need to disable 2FA for another user:

  1. Go to the WordPress “Users” page
  2. Hover over the user’s record and click the “2FA” link below their username
  3. This will take you to the Login Security page; near the top of the page, you will see “Editing User: their_username”
  4. Click Deactivate

Server Time

When you are logged in as an admin, the bottom of the Two-Factor Authentication page shows “Server Time” and “Browser Time”. Accuracy of the server time is important for “TOTP” authenticator apps.

If you have trouble setting up 2FA, you can check that the server time is correct. Browser time is included for your reference, though if your computer’s time is incorrect, it will only matter if you are generating codes on your computer. Wordfence Login Security attempts to correct the time by using a service called “NTP” if possible, but some hosts do not allow NTP connections.