Securing WordPress with 2-factor authentication


In this blog, we’ll cover securing WordPress with 2-factor authentication. That is, adding an additional security step when you log-in to your website WordPress admin page. I’m going to use a plugin called Wordfence. It has 3+ million active installations (according to WordPress), and is one of the most widely used WordPress firewalls and security scanners. For the token generation, I’ve chosen the Authy application on a mobile phone.

The reason I chose Authy is that it’s possible to have it on more than one device and they’ll give the same onetime codes. If I lose my phone, I can still access my Authy codes from another phone, or from my laptop, and I can add and remove devices from my Authy account. Last year over 170,000 WordPress blogs and websites were hacked, according to, and while just 8% of those hacks were down to password weaknesses, it’s not a difficult thing to secure.

If you’re wondering if your site is getting login hacking attempts, try logging in to your WP admin account and browsing to “Settings>Limit Login Attempts” and look at the number of times the account has been locked out.

I know from the login attempts below none were mine because the “admin” account doesn’t exist, so I’d never use it. The below statistics were from a WordPress site that was little more than two weeks old.

Wordpress Login Attempts Lockout Log
WordPress Login Attempts Lockout Log

Installing Wordfence

1; From the WordPress dashboard go to “Plugins>Add New”, search for keyword “2FA” and select “Install Now”.

Securing WordPress with 2-factor authentication. Installing the Wordfence WordPress plugin
Installing the Wordfence WordPress plugin

2; Activate the plugin from “Installed Plugins>Activate”.

Securing WordPress with 2-factor authentication. Activating the Wordfence WordPress plugin
Activating the Wordfence plugin

3; Enter the email address to which you’d like Wordfence to send notifications. Select the other options you’d like and click “Continue”.

Securing WordPress with 2-factor authentication. Setting up your email.
Wordfence email setup page

4; Select “No Thanks” when prompted for a premium key. You can upgrade at a later time if you’d like.

Securing WordPress with 2-factor authentication. Skipping the "Upgrade To Premium" option during the Wordfence setup process.
Skipping the “Upgrade To Premium” option during the Wordfence setup process.

5; Click “Wordfence>Login Security” and click “Next” through the prompts until you get to the “Two Factor Authentication” tab.

Securing WordPress with 2-factor authentication. Skipping the introductory dialogues.
Wordfence install, skipping the introductory dialogues.

Activating the two factor authentication

6; The next step is to activate 2fa on the site and to do that you need the Authy application, either on a laptop, tablet or phone. I won’t cover the installation of the application because that can be covered in another post.

In this case, we’reusing the Authy application on a phone and that means we have access to a camera that we can use to scan the QR (Quick Response) square barcode on the activation page.

In the Authy app, from the main screen, click on the three dots to the top right of the screen, then click on “Add Account”.

Securing WordPress with 2-factor authentication. Choosing to Add an account to the Authy application.
Open the Authy application, and choose “Add Account”.

7; Click on “Scan QR Code”.

Selecting the button to "Scan QR Code"
Click on the “Scan QT Code” button

8; Use the camera to scan the square barcode from the Wordfence Two Factor Authentication page. If your device had no camera, you could have copied the text from below the barcode into the app. At this point also copy the download recovery codes to a safe place. I usually add them to a password manager (in my case I use Keepass) and back that up to the cloud.

Securing WordPress with 2-factor authentication. Scanning the QR (Quick Reponse) barcode.
Scan the square QR barcode or copy the text below it, into the Authy application, and save the recovery codes to a safe place.

9; Click done to add the account to Authy. You can click “Select Another One” to change the icon and use a WordPress icon instead.

Select done in Authy to confirm account creation.

10; Enter the token code from Authy into box number 2, replacing the greyed out 123456 and then click on Activate, (see the image in step 8 above). This will confirm that the Authy app and the Wordfence plugin agree on the codes and are in sync with one another.

A screenshot of the completed account showwing the One Time Password token.
Authy WordPress account showing One Time Password

11; Select the Settings Tab and adjust the various settings to your liking. Below ar the settings I chose to go with.

Select done in Authy to confirm account creation.

12; Logout and then log back in to test it all works. You should be presented with your usual password prompt followed by a request for the 2FA token.

Login after Two Factor Authentication has been activated.

To cut a long story short, the summary

WordPress web sites represent a tempting target for hackers with over 170,000 being hacked last year and we could see evidence of login hacking attempts to this site even though it had only been online for a very short period of time.

It’s fairly easy to add a second step to the login process providing more security with Two Factor Authentication.

We chose Wordfence as the WordPress security plugin and Authy as the token generation application. Wordfence because it has a widely installed base and good reviews, and Authy because it’s easy to back up and allows the user to have more than one device.

If you’re a network engineer and you could use an IPv4 subnet calculator check out the free techiedoodah IPv4 excel subnet calculator spreadsheet and if you get a lot of time hands on rackside and need a tray to put your laptop on, let us know what you think of the Portable Rack Mount Laptop Tray and sign up if you want one. Type with two hands instead of one, be more comfortable, improve your productivity and get out of the server room sooner, (or wherever the rack happens to be).

Techiedoodah blogs are created in the hope that they can help others by giving real-life examples. If this has been useful to you please feel free to leave a comment. If you’re reading this post on the home page, you won’t be able to post comments here, so follow this link to the blog, and then scroll to the comments section at the bottom of the page.

Securing WordPress with 2-factor authentication

Leave a Reply

Your email address will not be published. Required fields are marked *