WordPress Security

Two-Factor Authentication for WordPress

How to secure user accounts and prevent account takeover with two-factor authentication

Two-factor authentication (2FA) provides an additional layer of security by requiring a second factor of identification beyond a username and password. Two-factor authentication has long been used to control access to personal and financial data processed in banks or insurance companies, and today website owners increasingly use 2FA to protect their users’ accounts from cybercriminals exploiting weak or stolen WordPress passwords and compromised credentials.

When 2FA is enabled on a website, it requires a user to provide an additional verification PIN code when signing into the website. This verification code is generated automatically and sent to the user by email. As an additional security measure, you can specify a separate email address on a per-user basis specifically for delivering 2FA verification codes.

To continue, the user has to enter the verification PIN code into the form. If the user didn’t receive the code, they can either request another one or cancel the login process.

Two-Factor Authentication form is used to verify the user

How to enable Two-Factor Authentication

You can easily enable 2FA on a per-role basis on the User Policies admin page. WP Cerber Security enables you to configure different 2FA settings for each role. In the Advanced mode, you can specify a set of conditions for enforcing two-factor authentication for a certain role. The Advanced mode is available in the Professional version of the plugin.

Note: Before you can enable 2FA for administrators’ accounts, you have to complete one successful login with 2FA enabled for any other role on the website.

Two-Factor Authentication policies for WordPress

Per-user 2FA settings

You can customize some 2FA settings on a per-user basis on the user edit page (user profile page). In addition to the per-role 2FA settings, you can disable or enable two-factor authentication for a specific user. You can choose from “Always enabled”, “Disabled” and “Determined by user role policies”. This feature is available in the professional version of WP Cerber.

As an additional security measure, you can specify a separate email address specifically for delivering verification codes.

Two-Factor Authentication for WordPress: per-user settings in the professional version

Whitelisting IP addresses

All WordPress users who log in from IP addresses in the White IP Access List are exempt from two-factor authentication.

Monitoring two-factor authentication events

When two-factor authentication is enforced for a user, WP Cerber logs this event to the Activity log as “Two-factor authentication enforced”. At this moment a new verification PIN code is generated and sent to the user. When a user enters the correct verification PIN code, the login event is marked as “2FA code verified”.

To monitor user logins made with two-factor authentication, go to the Activity log, select the “Two-factor authentication enforced” event from the drop-down list and click the Filter button.

Two Factor Authentication: activity logging
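
The two events above can also be correlated outside the dashboard to find logins that reached the PIN step but never completed it. The following is an added example, not WP Cerber code: the CSV layout, column names, sample rows and the 15-minute window are assumptions, and only the two event labels come from the Activity log described above.

```python
import csv
import io
from datetime import datetime, timedelta

# Event labels as they appear in the Activity log described above.
ENFORCED = "Two-factor authentication enforced"
VERIFIED = "2FA code verified"

# Constructed sample data. The CSV layout and column names are assumptions.
SAMPLE_LOG = """time,user,ip,event
2024-05-01 09:00:05,alice,198.51.100.7,Two-factor authentication enforced
2024-05-01 09:00:40,alice,198.51.100.7,2FA code verified
2024-05-01 11:12:00,bob,203.0.113.9,Two-factor authentication enforced
2024-05-01 11:13:30,bob,203.0.113.9,Two-factor authentication enforced
2024-05-01 14:30:00,carol,192.0.2.44,Two-factor authentication enforced
2024-05-01 16:05:10,carol,198.51.100.23,Two-factor authentication enforced
2024-05-01 16:05:55,carol,198.51.100.23,2FA code verified
"""


def unverified_challenges(log_text, window=timedelta(minutes=15)):
    """Return (user, ip, time) for each enforced 2FA event that was not
    followed by a verified code for the same user and IP inside the window."""
    events = []
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        events.append((when, row["user"], row["ip"], row["event"]))

    # Index successful verifications by (user, ip) for matching.
    verified = {}
    for when, user, ip, event in events:
        if event == VERIFIED:
            verified.setdefault((user, ip), []).append(when)

    flagged = []
    for when, user, ip, event in sorted(events):
        if event != ENFORCED:
            continue
        codes = verified.get((user, ip), [])
        if not any(when <= v <= when + window for v in codes):
            # The login reached the 2FA step, but no PIN was verified.
            flagged.append((user, ip, when.isoformat(sep=" ")))
    return flagged


if __name__ == "__main__":
    for user, ip, when in unverified_challenges(SAMPLE_LOG):
        print(f"review: {user} from {ip} at {when}")
```

Matching on both user and IP keeps a challenge from one address flagged even when the same account later verifies a code from a different address.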

How to manage 2FA settings on multiple websites

Do you know that you can monitor and manage 2FA settings on any number of websites remotely? Enable the Cerber.Hub remote management technology to manage all WP Cerber settings and monitor user activity from one WordPress dashboard.

Note that some 2FA features are available in the professional version only.

Features                             | Free | Professional
Standard 2FA mode                    | Yes  | Yes
Advanced 2FA mode                    | No   | Yes
Per-user 2FA policies                | No   | Yes
Separate email address for 2FA codes | No   | Yes
Managing 2FA on multiple websites    | No   | Yes

Have any questions?

If you have a question regarding WordPress security or WP Cerber, leave it in the comments section below or get it answered on the community forum.

Spotted a bug or glitch?

We’d love to fix it! Share your bug discoveries with us here: Bug Report.

I'm a software engineer and team lead at Cerber Tech. I started coding in 1993 on IBM System/370 and today software engineering at Cerber Tech is how I make my living.
