Two-Factor Authentication (2FA) makes it far more difficult for hackers to breach your website because, as the name implies, it requires two methods of verification before you can log in.

One of the most common methods hackers use to gain access to your WordPress Admin is called “brute force”: they use automated scripts or bots that try to guess your WordPress Admin username and password so that they can log in to your WordPress website.

To prevent them from logging in even if they guess your username and password, you can add an additional layer of security called 2FA, or Two-Factor Authentication. After you enter your username and password to log in to WordPress, the website asks you for a code, which you receive via text message or generate with a 2FA mobile app like Google Authenticator, which you can download and use for free. This means you have to have your mobile phone (a physical device) on hand to obtain the code and enter it when requested, similar to the way banks and many other platforms do it. So it’s another layer of security that prevents hackers from logging in and hacking your site.

Authenticator apps

Use a WordPress security plugin like Wordfence or Solid Security to enable 2FA in your WordPress dashboard. Once the security plugin is installed and activated, you can turn on 2FA within the plugin settings and then protect your login with an authenticator app.

An authenticator app is a smartphone app that generates a temporary one-time password for the accounts that you save in it.

Download an authenticator app, if you do not already have one installed on a cell phone or tablet. There are many available for iOS, Android, and other platforms, including:

  • Google Authenticator – our recommendation.
  • Sophos Mobile Security
  • FreeOTP Authenticator
  • 1Password (mobile and desktop versions); see the 1Password help
  • LastPass Authenticator
  • Microsoft Authenticator
  • Authy 2-Factor Authentication
  • Any other authenticator app that supports Time-Based One-Time Passwords (TOTP)

Step-by-step:

Log in to WordPress. You will see a message at the top of your screen that says “You do not currently have two-factor authentication active on your account, which will be required beginning (date)”.

  1. Click the link: “Configure 2FA”
  2. Scan the QR code with your authenticator app on your phone
  3. In WordPress, enter the code from your authenticator app, then click ACTIVATE
  4. New codes are generated approximately every 30 seconds, so if the code changes before you submit it, just enter the new code
  5. Download Recovery Codes. This gives you some backup codes that you can use, in case you lose your phone or tablet where your authenticator app is installed.

Next time you log in, you will be required to enter your username and password, and then you will also need to enter a code from your authenticator app.
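To show what the authenticator app and the plugin are computing behind steps 2 to 5 (the TOTP code that rolls over every 30 seconds, and the recovery codes), here is an added Python example; it is not code from WordPress, Wordfence, Solid Security or any of the apps listed above. It implements RFC 6238 TOTP generation and server-side verification with a one-step tolerance window, plus single-use recovery codes stored as hashes. The base32 secret is the RFC 6238 test key used as a constructed sample, and all function names are my own.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

TIME_STEP = 30  # seconds per code, as described in step 4
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(base32_secret: str, at_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window.
    The secret is the base32 string carried in the QR code the app scans (step 2)."""
    secret = base64.b32decode(base32_secret.upper() + "=" * (-len(base32_secret) % 8))
    return hotp(secret, at_time // step)

def verify_totp(base32_secret: str, submitted: str, at_time=None, window: int = 1) -> bool:
    """Server-side check. Accepts the current window plus `window` steps either side,
    which covers small clock drift and a code that rolled over while being typed."""
    now = int(time.time()) if at_time is None else at_time
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(base32_secret, now + delta * TIME_STEP), submitted):
            return True
    return False

def new_recovery_codes(n: int = 5):
    """Backup codes (step 5): show the plaintext once, store only the hashes."""
    codes = [secrets.token_hex(4) for _ in range(n)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}

def use_recovery_code(stored_hashes: set, submitted: str) -> bool:
    """A recovery code is single-use: a match is removed from the store."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.discard(digest)
        return True
    return False

# Constructed sample: RFC 6238's SHA-1 test secret "12345678901234567890" in base32.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

With the sample secret, `totp(RFC_SECRET, 59)` returns the RFC 6238 test vector 287082; call `verify_totp(RFC_SECRET, code)` with no time argument to check a code against the current clock.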