
Why You Need 2FA on Your WordPress Website (and everything else)

This year identity theft and hacking are up 70%. That's a crazy increase. This is why I have 2FA (Two-factor Authentication) on everything I can, whenever the option is available to me, including all my WordPress websites.

Yours truly has had the fun experience of debit cards and even my PayPal account being compromised. Nothing like waking up on a Saturday morning and looking at your bank account to find that you spent four figures at Saks Fifth Avenue online. Me spending money at Saks? Not likely.

Then a week later, someone gained access to my PayPal account and added a Visa gift card. They then proceeded to “fill” it with funds from my PayPal balance. PayPal has since upgraded their security, even admitting that it should never have been allowed to happen without confirmation from me as the account owner.

WordPress Stress and Aggravation

When it comes to my WordPress websites, they are locked down because that is within my control. Not infallible, nothing is, but I have the peace of mind of knowing I've covered all the bases that I can.

I get it — tech is tough to keep up with, and I hear the frustration and aggravation in my clients' voices on a pretty regular basis. Regardless, when it comes to security and your website, you need to do what you need to do.

My article Tips to Secure Your WordPress Website covers 2FA. When I login to a site that doesn't have 2FA in place, I immediately make that recommendation. But recommending doesn't mean they follow through.

I'm not sure why. Is it the extra step of having to look at your phone and type in a code? That's the only thing I can think of.

Let me tell you, without a doubt, that if your site does get compromised you'll look at that couple of extra steps a bit differently. After going through a site recovery, 2FA is something you'll actually enjoy.

Compromising WordPress Websites

There are two ways that your WordPress website can get compromised: on the server side and through your dashboard.

This is where a quality host comes into play. It is a website host's responsibility to secure those servers and their network. You can assist in that effort by having a crazy complicated and long password to access your hosting and FTP accounts.

Same goes for your WordPress dashboard login. The more difficult the password the better. Yeah, I know that's a PITA as well. But it is worth it.

If you don't want to have to remember whacky passwords — check out LastPass. I have it on my desktop, tablet and phone. Once a password is saved, I don't have to worry about typing it in again.

Setting Up 2FA The Easy Way

By setting up 2FA for access to your WordPress website's dashboard, you and any other users that you designate will need to enter the 2FA code generated only on their own phone to gain access. Without that code, no entry.

First, start by installing the Wordfence security plugin. It is an all-around security plugin and will also allow you to keep tabs on the nefarious activity on your WordPress website.

The 2FA settings are located in Wordfence > Login Security. You'll see two tabs: Two-factor Authentication and Settings. Let's start with the Two-factor Authentication tab:

WordPress 2FA Setup
  • First, install the Google Authenticator app on your phone. It is free and available for iOS (Apple App Store) and Android (Google Play Store).
  • Once installed, go to the left sidebar: Wordfence > Login Security
  • Scan the QR code on that page with your authenticator app (open the app and tap the + sign).
  • Download the recovery codes to your computer, just in case you don't have your phone sometime in the future and need to log in to your site.
  • Enter the code from the app into the 123456 box and activate.

Once you are set up, when you log in to your site, another step will appear asking you to enter the code from the app into the 2FA box. This code refreshes, so it will be a different code each time you log in.

You'll notice an option to not ask for a login code for 30 days. Check that.

2FA Settings Tab

Go to the Settings tab where you'll see the user summary noting if 2FA is active.

  • Enable 2FA for these roles: This sets the user levels you want to use 2FA on your site.
  • Require 2FA for all administrators: Admins have the most permissions within your dashboard. Minimally you want to require that all Admins have 2FA activated.
  • Grace period to require 2FA: You can set the date before 2FA kicks in and then click SEND NOTIFICATION so that all Admins are made aware.
  • Allow remembering device for 30 days: If enabled, users with 2FA enabled may choose to be prompted for a code only once every 30 days per device.
  • Enable reCAPTCHA on the login and user registration pages: reCAPTCHA v3 does not make users solve puzzles or click a checkbox like previous versions. The only visible part is the reCAPTCHA logo. If a visitor's browser fails the CAPTCHA, Wordfence will send an email to the user's address with a link they can click to verify that they are a user of your site.

Safe and Secure

Now you can relax a bit with the knowledge that you added additional security to ensure that your WordPress dashboard can only be accessed by those you designate. Remember, nothing is 100% guaranteed. However, by adding 2FA combined with crazy, wacky, long and nonsensical passwords, you minimize your risk dramatically.

At your service,

Judith: WordPress Consultant and Business Coach