Increase site security. Use two-factor authentication.

Two-factor (two-step, two-level) login (authentication, authorization) [different sites use different names for it] is a more secure way of logging into your account: to log in you generally need something you know (a login and password) and also something you own (a mobile phone). If someone wants to hack into your account, it is not enough for them to know your name and password; they also need access to your phone. In practice it works like this: when you log in, after entering your name and password, the system prompts you for a code, which you receive as an automated call or an SMS message, or read from the authenticator app on your phone.


Is it possible to use two-factor login in WordPress?

WordPress itself does not support two-factor login by default, so you need a plugin that provides this functionality. There are dozens of such plugins in the official WordPress repository; you just have to choose one. I personally decided to provide this two-step login through the Wordfence security plugin, which I use not only on my own site but also on the sites I manage. Since Wordfence 7.3.1 (released 14.5.2019), this functionality is available in the free version of Wordfence; previously it was only available in the paid version.


How to activate it?

To use this two-step authentication via the aforementioned Wordfence plugin, you of course need to install it first 🙂 You will also need an authenticator app on your mobile phone that generates the security codes needed to log in. For Android, I recommend Google Authenticator; you can use the same app to log in to various other accounts. Of course, you can also use another dedicated app.

  1. Once you have both Wordfence and Google Authenticator installed (if you have opted for it), go to the Wordfence/Login Security section in the administration of your WordPress site.
  2. On the left you will see a large QR code, on the right you will see backup codes (recovery codes). Download these codes and store them in a safe place. They will let you log into your account if you ever lose your mobile phone. You cannot log in to your account without your phone or these codes.
  3. On your mobile phone, launch Google Authenticator, tap the big red + at the bottom right and select Scan Barcode. Then just point your phone's camera at the QR code displayed in the Wordfence settings as per point 2. A numeric code will appear on your phone's screen; enter it in the box at the bottom right of the Wordfence settings and click Activate. This pairs your account with your mobile phone.
     (Screenshot: Two-factor login in Wordfence)
  4. From now on, when you want to log in to your WordPress site's administration, you will be prompted for the 2FA Code after entering your username and password. You get this code from the Google Authenticator app on your phone.
  5. If you use multiple administrator accounts to administer your site, I recommend enabling Require 2FA for all administrators in the Wordfence settings, so that all your administrator accounts are protected by this two-factor authorization, not just yours.
     (Screenshot: Require two-factor authentication for all administrators)

You can read more about two-factor login with Wordfence on this page.


Conclusion

Whether you decide to use my solution or some other one (I will leave that up to you), the main thing is to use one. In this day and age of all kinds of (especially automated) attacks, I strongly recommend using two-factor authentication not only in WordPress but also when logging in to every other service that offers it (Google, Facebook…). It is better to prevent your account from being stolen and misused than to tear your hair out afterwards.

TIP: 10 tips to secure your WordPress site
