How to setup two-factor authentication for WordPress

With the constant barrage of sites being hacked, security should be of paramount concern to developers. Especially when using a platform such as WordPress, which is constantly under attack from nefarious bots.

The thing is, the size and popularity of a website doesn’t matter so much. Bots are looking for any WordPress site, regardless of size. So anyone from enterprise to small business needs to take steps to better secure their website.

One of the most common methods bots use are brute-force login attacks. They’re constantly hammering away at sites trying to spread malware, spam, etc. One way to neutralize this is to use two-factor authentication.

Twice as nice

In its simplest form, two-factor authentication is just requiring a second step to log in into a website. You’ve probably used it before. At first, larger entities such as banks, Google and Facebook integrated it into their account login processes. Now, it’s something that is easily added to most websites.

Sometimes it’s simply a matter of picking out a picture and later using it to verify that you’re on a legitimate (and not phished) version of a website. More often, we’re seeing text messages sent to a user’s mobile device or codes automatically generated through a secondary app to confirm identity.

While it can be a bit of a pain (especially if your cell phone gets lost or broken), that extra step should give both site owners and users a little peace of mind. When it comes to WordPress, keeping bots and other ne’er–do–wells from gaining access to an administrator account is especially important.

Adding two-factor authentication to WordPress

Thankfully, adding this extra layer of security is pretty simple. There are a few well-known WordPress plugins that handle two-factor authentication. Note that there are differences in them though, so decide carefully about which to use. You are, after all, adding a (slight) burden to users and/or site admins.

Let’s take a look at a few plugins that offer two-factor authentication:


WordFence is a widely-installed security suite that offers a firewall and regularly scans your site for malware and spam. If you use their premium version, two-factor authentication is one of the perks. WordFence will allow you to manually add users who should use the feature. It will then send out a text message to the user each time they want to login. That code is then added on to the end of the user’s password. I can say from experience that this method works well, but isn’t the most user-friendly.

Google Authenticator

Google Authenticator uses the very same app that, well, Google employs with its services. Install the plugin on your site, install the app on your mobile device and you’ll then get a temporary code to verify selected user logins. Unlike WordFence above, this plugin will add a separate field on your WordPress login screen for a bit more convenience.


Clef is wildly popular and takes a very different approach to two-factor. In fact, there’s no password required. You simply install Clef on your website, and install the companion app on your phone. When logging in to your site you’ll see a “Clef Wave” on your screen that you will scan using the mobile app. The other factor in authentication can either be a fingerprint scan or a pin code. It’s very unique and actually kind of fun to watch. There are both free and paid level services available.

It’s worth the extra step

Unfortunately, it seems like the days of simple password authentication are over. The reality of our world is that bad things can happen to any website—whether it originates from a human or bot. So taking an extra step to verify an account may be a hassle, but it’s also becoming a necessity.

There is no doubt that WordPress has become a big target for brute-force attacks. However, you don’t need to be an enterprise level security expert to tighten things up. The plugins above will make the process relatively easy and will at the very least make your site more difficult to compromise.

Eric Karkovack is a web designer with over 20 years of experience. You can visit his business site here. In 2013 he released his first eBook: Your Guide to Becoming a Freelance Web Designer. He also has an opinion on just about every subject. You can follow his rants on Twitter @karks88. More articles by Eric Karkovack
Home CSS Deals HTML HTML5 Java JavaScript jQuery Miscellaneous Mobile MySQL News PHP Resources Security Snippet Tools Tutorial Web Development Web Services WordPress