“Two-factor authentication” is an additional login security feature that is used by banks, government agencies, and the military worldwide. It is one of the most secure forms of remote system authentication. This method of logging in to your site relies on something you know and something in your possession. That is why it is referred to as “two-factor” because two factors are involved in authenticating you.
In this case, you know your password and you are in possession of your cell phone or another authenticator device. If we can verify both of these, then we know that it is okay to allow you to access your site. Wordfence two-factor authentication is designed to be used mainly by site administrators and with high-level access such as an editor but is now also available for other roles if you choose. Two-factor authentication was previously a Premium feature but is now also available to users running the free version of Wordfence.
Wordfence two-factor authentication now uses an authenticator application, such as Google Authenticator, to generate unique codes for you rather than relying on SMS text messages.
How to enable two-factor authentication
If your site uses the older version of two-factor authentication, see the Legacy Two-Factor Authentication help page.
In Wordfence 7.3 and later, two-factor authentication uses an authenticator application for better security and reliability, instead of SMS text messages.
First, choose an authenticator application to use, if you do not already have one installed on a cell phone or tablet. There are many available for iOS, Android, and other platforms, including:
- Google Authenticator
- Sophos Mobile Security
- FreeOTP Authenticator
- 1Password (mobile and desktop versions) See: 1Password help
- LastPass Authenticator
- Microsoft Authenticator
- Authy 2-Factor Authentication
- Any other authenticator app that supports Time-Based One-Time Passwords (TOTP)
Enabling two-factor authentication:
- Go to the Wordfence “Login Security” page.
- For admins, this is on the main Wordfence menu.
- For other users, this is a separate menu item with a Wordfence logo.
- Open your authenticator application and add a new entry. Most apps have a plus sign symbol or a tiny QR code symbol.
- Scan the QR code on the “Login Security” page. Your authenticator application should then display a six-digit code.
- If you are accessing a site on a phone or tablet and obviously cannot point the camera at its own screen, you can copy the line of letters and numbers below the QR code, and paste that in an application, using the application’s “manual” setup option.
- In the “Download recovery codes” section, click the “Download” button.
- Recovery codes can be used if you lose your device.
- Print or save the file, and store it in a safe place.
- Enter the six-digit code that appears in your authenticator application.
- This code changes every 30 seconds.
- If the code expires, you can enter the next code instead.
- Click the “Activate” button.
If this is your first time setting up two-factor authentication on a site then you may want to try logging in to the site in a different browser, or in a private or incognito browser window, to check for any compatibility issues before logging out.
How to log in with two-factor authentication
Steps to log in:
- Enter your username and password and press the “Log In” button.
- When the “2FA Code” prompt appears, enter the code from your authenticator application.
- If you use two-factor authentication for multiple sites, be sure to pick the correct site.
- Press the “Log In” button.
If you use another incompatible plugin or theme that modifies the login page and you cannot see the “2FA Code” prompt, or if you prefer a slightly quicker method, you can also enter a two-factor authentication code directly after your password, in the same field:
- Enter your username and password, but do not press the “Log In” button yet.
- Immediately after your password, enter the code from your authenticator application.
- If you used the old Wordfence two-factor authentication, note that you no longer need to enter a space or letters
- For example, if your password is w0rdf3nce#! and the code is 233455 then enter w0rdf3nce#!233455.
- Press the “Log In” button
How to use recovery codes
The recovery codes that you saved or printed during setup can be used if you ever lose your authenticator device, if you remove the application, or you remove your site’s entry by mistake. Make sure that you store these codes in a safe place.
Because they do not expire, recovery codes are longer than normal codes. They are 16 letters and numbers instead of only 6 numbers, but each code can only be used once. An example recovery code looks like 5199 5c24 77dc 0ed7.
The log in process is the same as using a code from an authenticator application:
- Enter your username and password and press the “Log In”.
- When the “2FA Code” prompt appears, enter a recovery code.
- Remember, recovery codes are longer than regular two-factor authentication codes.
- In this example, we would enter 5199 5c24 77dc 0ed7.
- Press the “Log In” button.
Each recovery code can only be used once. You can generate new recovery codes on the “Login Security” page of your site. This is useful if you have used most of your codes, or if you lose the codes you previously saved or printed. Generating new codes will invalidate the previous codes.
How to disable two-factor authentication
You can disable two-factor authentication with a few clicks. This is useful if you want to switch to a new device, use a different authenticator application, or if you need to help another user who is unable to log in. Of course, always confirm that the user you are helping is really who they say they are!
If you need to disable two-factor authentication on your own account:
- Log in to your site and go to the “Login Security” page
- Press the “Deactivate” button.
If you need to disable two-factor authentication for another user:
- Go to the WordPress “Users” page.
- Hover over the user’s record and click the “2FA” link below their username.
- This will take you to the “Login Security” page. Near the top of the page, you will see “Editing User: their_username”.
- Press the “Deactivate” button.
When you are logged in as an administrator, the bottom of the “Two-Factor Authentication” page shows “Server Time” and “Browser Time”. Accuracy of the server time is important for “TOTP” authenticator apps.
If you have trouble setting up two-factor authentication, you can check that the server time is correct. Browser time is included for your reference, though if your computer’s time is incorrect, it will only matter if you are generating codes on your computer. The Wordfence Login Security module attempts to correct the time by using a service called “NTP” if possible, but some hosting providers do not allow outbound NTP connections.