Security Blog
Posted By Gregory

Two-Factor Authentication for WordPress

How to secure user accounts and prevent account takeover with two-factor authentication


Two-Factor Authentication, or 2FA, provides an additional layer of security by requiring a second factor of identification beyond just a username and password. Two-factor authentication has long been used to control access to personal and financial data processed by banks and insurance companies, and today website owners are increasingly using 2FA to protect their users’ accounts from cybercriminals exploiting weak or stolen WordPress passwords and compromised credentials.

When 2FA is enabled on a website, it requires a user to provide an additional verification PIN code when signing into the website. This verification code is generated automatically and sent to the user by email. As an additional security measure, you can specify a separate email address on a per-user basis specifically for delivering 2FA verification codes.

To continue, the user has to enter the verification PIN code into the form. If the user didn’t receive the code, they can either request another one or cancel the login process.
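The flow described above (generate a code, deliver it by email, verify what the user types) is easy to get wrong on the server side. The following is an added example, not WP Cerber's code, showing the lifecycle of an emailed PIN with the properties a defender wants: a CSPRNG-generated code, only a hash of it stored, a short lifetime, a bounded number of guesses, and single use. The 6-digit length, 5-minute lifetime, 5-guess limit, in-memory storage and the mail stub are all assumptions made for the example.

```php
<?php
// Added example, not WP Cerber's code: the lifecycle of an emailed verification
// PIN. Assumptions: 6-digit code, 5-minute lifetime, 5 wrong guesses allowed,
// in-memory storage standing in for user meta, and a stub instead of real mail.
declare(strict_types=1);

const PIN_LENGTH   = 6;
const PIN_TTL      = 300;  // seconds a code stays valid
const MAX_ATTEMPTS = 5;    // wrong guesses before the code is discarded

final class PinStore
{
    /** @var array<int, array{hash: string, expires: int, attempts: int}> */
    private array $rows = [];

    /** Generates a fresh code for the user and returns it for delivery. */
    public function issue(int $userId, int $now): string
    {
        // random_int() is a CSPRNG; zero-padding keeps codes such as "000123" valid.
        $pin = str_pad((string) random_int(0, 10 ** PIN_LENGTH - 1), PIN_LENGTH, '0', STR_PAD_LEFT);
        // Only a hash is stored, so a leaked table row does not expose a live code.
        $this->rows[$userId] = [
            'hash'     => password_hash($pin, PASSWORD_DEFAULT),
            'expires'  => $now + PIN_TTL,
            'attempts' => 0,
        ];
        return $pin;
    }

    /** Returns one of: ok, wrong, expired, locked, none. */
    public function verify(int $userId, string $candidate, int $now): string
    {
        if (!isset($this->rows[$userId])) {
            return 'none';
        }
        $row = $this->rows[$userId];
        if ($now > $row['expires']) {
            unset($this->rows[$userId]);
            return 'expired';
        }
        if ($row['attempts'] >= MAX_ATTEMPTS) {
            unset($this->rows[$userId]);
            return 'locked';
        }
        $this->rows[$userId]['attempts']++;
        // password_verify() compares in constant time.
        if (!password_verify($candidate, $row['hash'])) {
            return 'wrong';
        }
        unset($this->rows[$userId]); // a code is single use
        return 'ok';
    }
}

/** Stand-in for wp_mail(): a real plugin would send to the user's 2FA address. */
function sendPin(string $address, string $pin): void
{
    echo "mail to {$address}: your verification code is {$pin}\n";
}

$store = new PinStore();
$now   = time();

$pin = $store->issue(42, $now);
sendPin('2fa-inbox@example.com', $pin);              // constructed address
echo $store->verify(42, '000000', $now + 5), "\n";   // a guess before the mail arrived
echo $store->verify(42, $pin, $now + 10), "\n";      // the delivered code, within its lifetime
echo $store->verify(42, $pin, $now + 11), "\n";      // the same code presented a second time
$pin = $store->issue(42, $now);
echo $store->verify(42, $pin, $now + PIN_TTL + 1), "\n"; // a correct code after the lifetime
```

The trailing calls exercise each outcome in turn. The attempt counter is what makes a 6-digit code safe: without it, a million guesses are cheap, so the limit and the short lifetime matter more than the code length.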

[Figure: Two-Factor Authentication form, used to verify the user]

How to enable Two-Factor Authentication

You can easily enable 2FA on a per-role basis on the User Policies admin page. WP Cerber Security enables you to configure different 2FA settings for each role. In Advanced mode, you can specify a set of conditions for enforcing two-factor authentication for a certain role. Advanced mode is available in the Professional version of the plugin.

Note: before you can enable 2FA for administrators’ accounts, you have to complete one successful login with 2FA enabled for any other role on a website.

[Figure: Two-Factor Authentication policies for WordPress]

Per-user 2FA settings

You can customize some 2FA settings on a per-user basis on the user edit page (user profile page). In addition to the per-role 2FA settings, you can disable or enable two-factor authentication for a specific user. You can choose from “Always enabled”, “Disabled” and “Determined by user role policies”.

As an additional security measure, you can specify a separate email address specifically for delivering verification codes.

[Figure: Two-Factor Authentication for WordPress: per-user settings in the Professional version]

Whitelisting IP addresses

All WordPress users logging in from IP addresses in the White IP Access List are exempt from two-factor authentication enforcement.
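The three sections above describe a decision with three inputs: the per-role policy, the per-user override, and the White IP Access List. The following is an added example, not WP Cerber's code, of how such a decision can be resolved at login time. It assumes the role policy is a map of role name to boolean, that the per-user setting takes the three values named above, that the whitelist holds IPv4 addresses or CIDR blocks, and that a whitelisted address is exempt regardless of the other two settings, which is how the page describes the list; the sample configuration is constructed.

```php
<?php
// Added example, not WP Cerber's code: how a login decides whether to enforce 2FA.
// Assumptions: per-role policy is a map role => bool, the per-user setting takes
// the three values the page names, and the White IP Access List is a list of
// IPv4 addresses or CIDR blocks. 64-bit PHP is assumed for the mask arithmetic.
declare(strict_types=1);

const USER_ALWAYS   = 'Always enabled';
const USER_DISABLED = 'Disabled';
const USER_BY_ROLE  = 'Determined by user role policies';

/** True when $ip lies inside any entry of $list (plain address or a.b.c.d/n). */
function ipInWhiteList(string $ip, array $list): bool
{
    $addr = ip2long($ip);
    if ($addr === false) {
        return false; // malformed input never matches
    }
    foreach ($list as $entry) {
        [$net, $bits] = array_pad(explode('/', $entry, 2), 2, '32');
        $netAddr = ip2long($net);
        $bits    = (int) $bits;
        if ($netAddr === false || $bits < 0 || $bits > 32) {
            continue; // skip unparsable entries rather than matching everything
        }
        $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
        if (($addr & $mask) === ($netAddr & $mask)) {
            return true;
        }
    }
    return false;
}

/**
 * Decision order follows the page: a whitelisted IP is never challenged, then
 * the per-user setting applies, then the role policies (any enabled role is enough).
 */
function twoFactorRequired(array $roles, string $userSetting, array $rolePolicy, string $ip, array $whiteList): bool
{
    if (ipInWhiteList($ip, $whiteList)) {
        return false;
    }
    if ($userSetting === USER_ALWAYS) {
        return true;
    }
    if ($userSetting === USER_DISABLED) {
        return false;
    }
    foreach ($roles as $role) {
        if (!empty($rolePolicy[$role])) {
            return true;
        }
    }
    return false;
}

// Constructed sample configuration.
$rolePolicy = ['administrator' => true, 'editor' => true, 'subscriber' => false];
$whiteList  = ['192.0.2.10', '198.51.100.0/24'];

var_dump(twoFactorRequired(['editor'], USER_BY_ROLE, $rolePolicy, '203.0.113.5', $whiteList));    // editor, unlisted IP
var_dump(twoFactorRequired(['editor'], USER_BY_ROLE, $rolePolicy, '198.51.100.77', $whiteList));  // editor, whitelisted block
var_dump(twoFactorRequired(['subscriber'], USER_ALWAYS, $rolePolicy, '203.0.113.5', $whiteList)); // per-user override
var_dump(twoFactorRequired(['subscriber'], USER_BY_ROLE, $rolePolicy, '203.0.113.5', $whiteList)); // role policy only
```

Because the whitelist short-circuits everything else, each entry in it is a statement that the network behind that address is trusted as a second factor. Keep the list to addresses you control, and remember that the client IP a plugin sees is only as reliable as the proxy headers it is derived from.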

Monitoring two-factor authentication events

When two-factor authentication is enforced for a user, WP Cerber logs this event to the Activity log as “Two-factor authentication enforced”. At this moment a new verification PIN code is generated and sent to the user. When the user enters the correct verification PIN code, the login event is marked as “2FA code verified”.

To monitor user logins made with two-factor authentication, go to the Activity log, select the “Two-factor authentication enforced” event from the drop-down list and click the Filter button.
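The two events above are enough to answer a question the filter alone does not: which challenges were issued but never answered? An enforced event with no matching verification means a correct password was presented from that address but the second factor was not, which is worth a look. The following is an added example, not WP Cerber's code, that scans exported log rows for such challenges. The row format “timestamp|user|ip|event”, the rows themselves and the 10-minute window are constructed for the example; only the two event names come from the page.

```php
<?php
// Added example, not WP Cerber's code: scanning exported activity-log rows for
// 2FA challenges that were never answered. The row format "timestamp|user|ip|event"
// and the rows themselves are constructed for this example; the two event
// names are the ones the page documents.
declare(strict_types=1);
date_default_timezone_set('UTC');

const ENFORCED = 'Two-factor authentication enforced';
const VERIFIED = '2FA code verified';
const WINDOW   = 600; // seconds a challenge may stay open before it is reported

$sampleLog = <<<'LOG'
2024-03-01 09:00:00|alice|198.51.100.7|Two-factor authentication enforced
2024-03-01 09:00:41|alice|198.51.100.7|2FA code verified
2024-03-01 09:05:10|admin|203.0.113.9|Two-factor authentication enforced
2024-03-01 09:06:02|admin|203.0.113.9|Two-factor authentication enforced
2024-03-01 09:30:00|bob|192.0.2.44|Two-factor authentication enforced
2024-03-01 09:31:15|bob|192.0.2.44|2FA code verified
LOG;

/** @return list<array{ts: int, user: string, ip: string, event: string}> */
function parseLog(string $text): array
{
    $rows = [];
    foreach (explode("\n", trim($text)) as $line) {
        $parts = explode('|', $line, 4);
        if (count($parts) !== 4) {
            continue; // tolerate blank or malformed rows
        }
        [$ts, $user, $ip, $event] = $parts;
        $rows[] = ['ts' => (int) strtotime($ts), 'user' => $user, 'ip' => $ip, 'event' => $event];
    }
    return $rows;
}

/**
 * Rows are assumed to be in chronological order. Each verification closes the
 * oldest open challenge for the same user and IP inside WINDOW; whatever stays
 * open is returned.
 */
function unansweredChallenges(array $rows): array
{
    $open = [];
    foreach ($rows as $r) {
        if ($r['event'] === ENFORCED) {
            $open[] = $r;
        } elseif ($r['event'] === VERIFIED) {
            foreach ($open as $i => $o) {
                if ($o['user'] === $r['user'] && $o['ip'] === $r['ip'] && $r['ts'] - $o['ts'] <= WINDOW) {
                    unset($open[$i]);
                    break;
                }
            }
        }
    }
    return array_values($open);
}

foreach (unansweredChallenges(parseLog($sampleLog)) as $o) {
    printf("%s  %-8s %-15s challenge never verified\n", date('Y-m-d H:i:s', $o['ts']), $o['user'], $o['ip']);
}
```

With the constructed rows, alice and bob each verify within the window and drop out, while the two admin challenges from 203.0.113.9 remain open. Repeated unanswered challenges for an administrator from one address are a reasonable trigger to rotate that password and review the address against the White IP Access List.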

[Figure: Two-Factor Authentication: activity logging]

Note that some 2FA features are available in the professional version only.

Feature                               Free   Professional
Standard 2FA                          Yes    Yes
Advanced 2FA mode                     No     Yes
Per-user 2FA policies                 No     Yes
Separate email address for 2FA codes  No     Yes

I'm a team lead at Cerber Tech. I'm a software & database architect and a WordPress / PHP / SQL / JavaScript developer. I started coding in 1993 on an IBM System/370 (yeah, those were amazing days), and today software engineering at Cerber Tech is how I make my living. I've been taught to have high standards for myself, as well as to use them in developing software solutions.
