How do I use WordPress 2FA (two-factor authentication)?

Here are custom instructions for enabling / disabling 2 factor authentication in WordPress through the WordFence plugin. You can read the original up to date instructions on WordFence website.

REQUIREMENTS:
WordPress 2FA requires you to have the following available.

• A smart phone or tablet that is up to date.
• An active admin login to your WordPress admin tools.

Enabling WordPress 2FA

Follow these instructions for setting up and enabling 2FA for your admin account.

1. Authenticator app: If you don’t already have an “authenticator app” installed, follow these instructions to get one. Else skip to the next step.

Here are the most common ones for Android, iOS, and other platforms. Choose one from the list below, search for it in your smart device app store and install.

• Google Authenticator (our recommendation for Android or iOS devices)
• 1Password (mobile and desktop versions) See: 1Password help
• LastPass Authenticator
• Microsoft Authenticator
• Authy 2-Factor Authentication
• Any other authenticator app that supports Time-Based One-Time Passwords (TOTP)

2. Open your authenticator app on your smart device.

3. Login to your WordPress admin tools, then from the left column menu go to WordFence “Login Security” page. For admins, this is on the main Wordfence menu. For other users, this is a separate menu item with a Wordfence logo.

4. Open your authenticator application and add a new entry. Most apps have a plus sign symbol or a tiny QR code symbol. Name it something you can easily recognize, i.e. “mywebsite.com”.

5. Scan the QR code on the “Login Security” page. Your authenticator application should then display a six-digit code.

6. If you are accessing a site on a phone or tablet and obviously cannot point the camera at its own screen, you can copy the line of letters and numbers below the QR code, and paste that in an application, using the application’s “manual” setup option.

7. In the “Download recovery codes” section, click the “Download” button. Recovery codes can be used if you lose your device. Print or save the file, and store it in a safe place.

8. Enter the six-digit code that appears in your authenticator application. This code changes every 30 seconds. If the code expires, you can enter the next code instead.

9. Click the “Activate” button.

If this is your first time setting up two-factor authentication on a site then you may want to try logging in to the site in a different browser, or in a private or incognito browser window, to check for any compatibility issues before logging out.

How to Login To WordPress With 2FA

Steps to log in:

1. Open your authenticator app on your smart device and look for the authenticator item you created previously for your website.
2. Login to your WordPress admin tools and and when the “2FA Code” prompt appears on your website, enter the code from your authenticator application. If you use two-factor authentication for multiple sites, be sure to pick the correct site.
3. Press the “Log In” button.

If you use another incompatible plugin or theme that modifies the login page and you cannot see the “2FA Code” prompt, or if you prefer a slightly quicker method, you can also enter a two-factor authentication code directly after your password, in the same field:

1. Enter your username and password, but do not press the “Log In” button yet.
2. Immediately after your password, enter the code from your authenticator application.
3. If you used the old Wordfence two-factor authentication, note that you no longer need to enter a space or letters
4. For example, if your password is w0rdf3nce#! and the code is 233455 then enter w0rdf3nce#!233455.
5. Press the “Log In” button

Disabling WordPress 2FA

If you need to disable two-factor authentication on your own account:

1. Log in to your site and go to the “Login Security” page
2. Press the “Deactivate” button.

If you need to disable two-factor authentication for another user:

1. Go to the WordPress “Users” page.
2. Hover over the user’s record and click the “2FA” link below their username.
3. This will take you to the “Login Security” page. Near the top of the page, you will see “Editing User: their_username”.
4. Press the “Deactivate” button.

Common Issues

Here is a list of common issues and some tips to handle these.

ISSUE: My authenticator app code isn’t being accepted.
SOLUTION: Ensure you are looking at the correct item in your authenticator. Once you confirm this if it still isn’t accepting your code, ensure you are entering your code before the code resets, which is 60 seconds. Most authenticator apps have a “timer” animation showing you when the code is about to change.

ISSUE: I don’t have access to my smart phone / tablet and need to get into the WordPress admin in a hurry!
SOLUTION: Unfortunately with 2FA enabled for your user account, if you don’t have your smart device handy, you cannot get into your WordPress admin tools easily. Your options include:

• Contact another administrator to have them disable your account 2FA.
• Temporarily remove the WordFence plugin via your hosting control panel, login, then add WordFence plugin back and disable your account 2FA. This option is suggested against unless you absolutely have no other way to get into your WordPress admin tools.