WordPress two-factor authentication with Two-Factor

With the Two-Factor plugin you can add two-factor authentication to the login of your WordPress website. An unauthorized person who has obtained the username and password can then no longer simply log in to your WordPress account: the second factor is still missing.

Why two-factor verification makes sense

By setting up two-factor authentication you increase the security of your online accounts. In addition to username and password, the login requires a second component, usually a six-digit one-time confirmation code.

Two-factor authentication with smartphone

Most online services such as Facebook, Twitter, GitHub or PayPal now offer two-factor authentication. This T3N article explains how to configure two-factor verification for popular web services.

You can also secure your WordPress website or your WordPress admin account with 2-factor authentication. There are a number of plugins available for this.

Looking for an alternative to the Google Authenticator plugin

So far I have always used the Google Authenticator plugin, which I introduced two years ago in my article Increasing WordPress Security with Google Authenticator Plugin. The plugin still works, but is no longer really updated.

A small problem was that it displayed the input field for the confirmation code directly in the WordPress login. In both of my theme shops, I use a shortcode from Easy Digital Downloads for the login, with which customers can log in directly in the frontend.

The two plugins only worked together with a bit of custom code. With updates, of course, it can always happen that this stops working and adjustments become necessary. To rule out this source of error, I have now switched to Two-Factor. It works without any intervention in the code.

Two-Factor WordPress Plugin

Two-Factor is regularly updated and actively developed on GitHub. The plugin has also been proposed for integration into WordPress core. With the focus on Gutenberg, I am not sure whether an implementation in core is still on the agenda.

Activate two-factor authentication with time-based one-time passwords (OTP, Google Authenticator), Universal 2nd Factor (FIDO U2F, YubiKey), email and ...

By: Plugin Contributors (130)
Last updated: 5 months ago · 20,000+ active installations · Compatible up to: 5.5.3

Two-Factor can be installed from the official WordPress.org plugin directory. Unfortunately, the plugin is only sparsely described there, without instructions, FAQ or screenshots. That probably contributes to the fact that it currently has very few installations, although in my opinion it is one of the best plugins for two-factor authentication.

Set up WordPress two-factor authentication

After installing Two-Factor, the plugin must first be configured. Two-factor authentication is set up individually for each user, which is why the settings are found in the user profile rather than on a global settings page.

This also means that the second factor is not enforced site-wide: enabling it for your own admin account protects only that account. Editors and other users can continue to log in with just their username and password, without an additional authentication code, until a second factor is set up for them as well.

You can edit your profile and the Two-Factor options under Users → Your Profile.

Two-Factor Profile Settings
QR code for authenticator apps. And no, that is not the actual QR code for themekiller.me 😉

There are four different methods of obtaining authentication codes:

  1. Email (the code is sent to the email address of the account, so this method is only as strong as that mailbox)
  2. Time-based code via an app (e.g. Authy, Google Authenticator)
  3. FIDO U2F hardware tokens (e.g. YubiKey, U2F Zero)
  4. Backup codes

I recommend enabling two options: a primary method and also the backup codes, in case the smartphone or hardware token is lost or broken. Personally, I still use an authenticator app on my smartphone, but I have already considered buying a YubiKey.

If you tick the checkbox for time-based codes, you can scan the QR code with your authenticator app (e.g. Google Authenticator). Then enter the code the app currently shows in the WordPress Two-Factor options and click [Submit].

If the code is correct (the shared key and the current time step match), the successful setup is confirmed:

WordPress Two Factor Plugin activated

Then you can generate the backup codes, write them down and store them somewhere safe.

WordPress login with two-factor authentication

You can now log out to test the plugin. The login starts as usual with username and password. Instead of being logged in right away, you are taken to a second step in which the authentication code is requested:

WordPress login with two-factor authentication

After entering the correct code, authentication is complete and you are logged in.

How do you handle the WordPress login? Does someone use a YubiKey and can describe their experiences? As always, I look forward to your comments and opinions.