To enhance your website’s security, we advise implementing two-factor authentication via the Wordfence WordPress plugin. The following instructions detail the setup process, adding an essential extra layer of protection to your site.
Why Set Up 2FA?
Implementing Two-Factor Authentication (2FA) for your website’s logins is an effective defence against cyber threats. Standard passwords, no matter how complex, are vulnerable to phishing, bot attacks, and brute-force attacks. By requiring a second form of verification, such as a time-sensitive code from an app or a physical security key, you ensure that even if a hacker successfully steals your login credentials, they are still locked out. Since a website account often has the power to delete data, install malicious code, or access sensitive user information, 2FA acts as a critical fail-safe.
Wordfence is our tool of choice as it provides a number of security features in addition to 2FA, such as firewalls to block attacks, a malware scanner, and real-time threat intelligence. It also allows us to add a ‘grace period’ for users, meaning that they can still log in without 2FA for a short period of time, but will be prompted to set it up upon logging in. After this grace period, they will no longer be able to log in.
Instructions on 2-Factor Authentication
Once you have Wordfence installed:
- Log in to your WordPress website as normal with your username and password
- In the top right corner, hover over your name and click ‘Edit profile’
- Scroll down to the ‘Wordfence Login Security’ section and click ‘Activate 2FA’
- You’ll need to use an authentication app on your mobile to scan the QR code – we use Google Authenticator, but there are also options such as Authy and Microsoft Authenticator
- Once you have scanned the QR code, your mobile authenticator app will show a 6-digit code – enter this on your computer screen
- Download the backup codes so that you can sign in to your account, even if you lose your smartphone. Make sure these are stored safely.
- Click ‘Activate’
- The next time you log in to the website, you’ll be prompted to input a 2FA code, which you can get from your mobile authentication app
Other Security Tips
For enhanced security, we advise against using a common or generic username. Instead, create a unique username by using your name followed by a combination of random characters, including letters, numbers, and symbols.
Need Help?
If you need help with making your WordPress website secure, Ballyhoo can help. In addition to helping you set up two-factor authentication, we offer support and maintenance services, where we ensure your WordPress core version and all plugins are kept up to date.