Two-Factor Authentication for WordPress
How to secure user accounts and prevent account takeover with two-factor authentication
Two-Factor Authentication (2FA) provides an additional layer of security by requiring a second factor of identification beyond a username and password. Two-factor authentication has long been used to control access to personal and financial data processed by banks and insurance companies, and today website owners increasingly use 2FA to protect their users’ accounts from cybercriminals exploiting weak or stolen WordPress passwords and compromised credentials.
When 2FA is enabled on a website, it requires a user to provide an additional verification PIN code when signing into the website. This verification code is generated automatically and sent to the user by email. As an additional security measure, you can specify a separate email address on a per-user basis specifically for delivering 2FA verification codes.
To continue, the user has to enter the verification PIN code into the form. If the user didn’t receive the code, they can either request another one or cancel the login process.
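The flow just described (code generated at login, delivered by email, entered into the form, with the options of requesting another code or cancelling) can be modelled in a few lines. The following is an added example written for this page in Python, not WP Cerber's own code: it assumes a 6-digit code, a 5-minute lifetime, an attempt limit and a resend cap (none of these values are stated on the page), keeps only a hash of the code server-side, and uses a constructed in-memory outbox in place of a real mailer.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this model; the page does not state WP Cerber's actual values.
PIN_DIGITS = 6
PIN_TTL_SECONDS = 300
MAX_ATTEMPTS = 5     # wrong guesses allowed before the pending login is cancelled
MAX_RESENDS = 3      # extra codes a user may request before the pending login is cancelled

# Constructed stand-in for the mail transport: (recipient, message) pairs.
OUTBOX = []


def deliver_code(recipient, pin):
    """Mail the code to the delivery address (the per-user 2FA address if one is set)."""
    OUTBOX.append((recipient, f"Your verification code is {pin}"))


class PendingLogin:
    """Server-side state between the password check and the PIN check.

    Only a hash of the code is stored, so reading the database does not reveal a
    live code. A six-digit space is small, so the real control against guessing is
    MAX_ATTEMPTS, not the hash.
    """

    def __init__(self, user_id, delivery_email):
        self.user_id = user_id
        self.delivery_email = delivery_email
        self.attempts = 0
        self.resends = 0
        self.cancelled = False
        self.pin_hash = None
        self.expires_at = 0.0

    def issue(self, now):
        """Generate a fresh code, store its hash, mail it, and return the plaintext."""
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        self.pin_hash = hashlib.sha256(pin.encode()).hexdigest()
        self.expires_at = now + PIN_TTL_SECONDS
        deliver_code(self.delivery_email, pin)
        return pin

    def resend(self, now):
        """The 'get another code' path: attempts are not reset, and resends are capped."""
        if self.cancelled:
            return "cancelled"
        self.resends += 1
        if self.resends > MAX_RESENDS:
            self.cancel()
            return "cancelled"
        self.issue(now)
        return "sent"

    def cancel(self):
        """The 'cancel the login' path: nothing submitted later can complete this login."""
        self.cancelled = True
        self.pin_hash = None

    def verify(self, submitted, now):
        """Check a submitted code; returns a status string rather than raising."""
        if self.cancelled:
            return "cancelled"
        if self.pin_hash is None:
            return "no_active_code"
        if now > self.expires_at:
            return "expired"
        self.attempts += 1
        if self.attempts > MAX_ATTEMPTS:
            self.cancel()
            return "locked"
        candidate = hashlib.sha256(submitted.strip().encode()).hexdigest()
        if hmac.compare_digest(candidate, self.pin_hash):
            self.pin_hash = None      # single use: the same code cannot be replayed
            return "verified"
        return "wrong"


def start_login(user_id, delivery_email, now):
    """Called after the password check; returns the pending state and the mailed code."""
    pending = PendingLogin(user_id, delivery_email)
    pin = pending.issue(now)   # returned here only so the flow can be exercised without a mailbox
    return pending, pin


def a_wrong_pin(pin):
    """Helper for demonstrations: a code that is guaranteed to differ from `pin`."""
    return "000000" if pin != "000000" else "111111"
```

Two design points carry over to any email-code implementation: the comparison is constant-time and the code is consumed on first success, and requesting another code does not reset the failed-attempt counter, otherwise the attempt limit could be sidestepped by alternating guesses with resends.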
How to enable Two-Factor Authentication
You can easily enable 2FA on a per-role basis on the User Policies admin page. WP Cerber Security enables you to configure different 2FA settings for each role. In Advanced mode, you can specify a set of conditions for enforcing two-factor authentication for a certain role. Advanced mode is available in the Professional version of the plugin.
Note: before you can enable 2FA for administrators’ accounts, you have to complete one successful login with 2FA enabled for any other role on a website.
Per-user 2FA settings
You can customize some 2FA settings on a per-user basis on the user edit page (user profile page). In addition to per-role 2FA settings, you can disable or enable two-factor authentication for a specific user. You can choose from “Always enabled”, “Disabled” and “Determined by user role policies”.
As an additional security measure, you can specify a separate email address specifically for delivering verification codes.
Whitelisting IP addresses
All WordPress users logging in from IP addresses in the White IP Access List are exempt from two-factor authentication enforcement.
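Taken together, the per-role policies, the three per-user choices and the White IP Access List exemption form a precedence rule. The following is an added example written for this page in Python (not WP Cerber's code) that applies that rule to constructed users, role policies and an allowlist; the dictionary shapes, the `two_factor` key and the CIDR support in the allowlist are assumptions made for the example.

```python
import ipaddress

# The three per-user choices named on the page.
ALWAYS_ENABLED = "Always enabled"
DISABLED = "Disabled"
BY_ROLE = "Determined by user role policies"

# Constructed sample configuration.
ROLE_POLICIES = {"administrator": True, "editor": True, "subscriber": False}
ALLOWLIST = ["203.0.113.0/24", "198.51.100.7"]


def ip_in_allowlist(client_ip, allowlist):
    """True if client_ip is covered by any entry (a single address or a CIDR block).

    An unparseable client address fails closed: the user is not exempted.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    for entry in allowlist:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue   # skip a malformed entry rather than exempting everyone
    return False


def two_factor_required(user, role_policies, allowlist, client_ip):
    """Decide whether this login must complete 2FA.

    Precedence as the page describes it: the White IP Access List exempts the
    login outright; otherwise the per-user setting applies; and only if that is
    'Determined by user role policies' does the per-role policy decide.
    """
    if ip_in_allowlist(client_ip, allowlist):
        return False
    setting = user.get("two_factor", BY_ROLE)
    if setting == ALWAYS_ENABLED:
        return True
    if setting == DISABLED:
        return False
    return any(role_policies.get(role, False) for role in user["roles"])
```

Because the allowlist overrides even “Always enabled”, the value passed as `client_ip` must be the address the server actually saw; behind a reverse proxy, a forwarded-for header should only be trusted when it comes from that proxy, or anyone could present an allowlisted address and skip 2FA.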
Monitoring two-factor authentication events
When two-factor authentication is enforced for a user, WP Cerber logs this event to the Activity log as “Two-factor authentication enforced”. At that moment a new verification PIN code is generated and sent to the user. When the user enters the correct verification PIN code, the login event is marked as “2FA code verified”.
To monitor user logins made with two-factor authentication, go to the Activity log, select the “Two-factor authentication enforced” event from the drop-down list and click the Filter button.
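The two event names give a simple detection signal: an account whose logins keep reaching “Two-factor authentication enforced” without a matching “2FA code verified” is one whose password is being used, but by someone who cannot read the code. The following is an added example for this page in Python, not part of WP Cerber; the line format of the sample log is constructed for the example (the plugin's real export format is not shown on the page), and pairing by user and IP is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

ENFORCED = "Two-factor authentication enforced"
VERIFIED = "2FA code verified"

# Constructed sample lines in an assumed "timestamp | event | user: name | IP: addr" layout.
SAMPLE_LOG = """\
2024-05-01 10:00:01 | Two-factor authentication enforced | user: alice | IP: 192.0.2.10
2024-05-01 10:00:40 | 2FA code verified | user: alice | IP: 192.0.2.10
2024-05-01 11:15:00 | Two-factor authentication enforced | user: bob | IP: 198.51.100.23
2024-05-01 11:18:30 | Two-factor authentication enforced | user: bob | IP: 198.51.100.23
2024-05-01 11:22:05 | Two-factor authentication enforced | user: bob | IP: 198.51.100.23
2024-05-01 12:00:00 | Two-factor authentication enforced | user: carol | IP: 203.0.113.9
2024-05-01 12:30:00 | 2FA code verified | user: carol | IP: 203.0.113.9
this line does not match the expected layout and is skipped
"""

LINE_RE = re.compile(r"^(\S+ \S+) \| (.+?) \| user: (\S+) \| IP: (\S+)$")


def parse(text):
    """Return (timestamp, event, user, ip) tuples; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def unverified_enforcements(events):
    """Count enforcements per (user, ip) that were never followed by a verification.

    Each 'verified' event closes the most recent open enforcement for the same
    user and IP; whatever is still open at the end never completed the login.
    """
    open_enforcements = defaultdict(list)
    for ts, kind, user, ip in sorted(events):
        key = (user, ip)
        if kind == ENFORCED:
            open_enforcements[key].append(ts)
        elif kind == VERIFIED and open_enforcements[key]:
            open_enforcements[key].pop()
    return {key: len(times) for key, times in open_enforcements.items() if times}


def suspicious(events, threshold=3):
    """(user, ip) pairs with at least `threshold` enforcements that were never verified."""
    counts = unverified_enforcements(events)
    return sorted(key for key, n in counts.items() if n >= threshold)
```

In the constructed data alice and carol complete their logins, while bob's account is enforced three times from one address with no verification; that is the pattern a reviewer would check for in the filtered Activity log, and a good trigger for a password reset on that account.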
Note that some 2FA features are available in the professional version only.
|Feature|Free version|Professional version|
|---|---|---|
|Advanced 2FA mode|No|Yes|
|Per-user 2FA policies|No|Yes|
|Separate email address for 2FA codes|No|Yes|