What the 2FA?

I help manage a WordPress website for a family member, and he recently forwarded an email message to me that he’d received from Wordfence (the security plugin we’re using on the site).

At the top of the message, he wrote:

I did NOT log in from Indonesia. I haven’t logged in from anywhere recently.

And in the email, it did in fact say that a user with his username (and administrator access) had signed in to the WordPress site. And yup, the user’s location was Bekasi, Indonesia. (Nowhere close to the typical (legit) New Jersey and Pennsylvania logins for the site.)

Luckily, the security plugin let us know. Unfortunately, because the stranger had (somehow?) actually signed into the site, the security plugin hadn’t blocked it.

Alarming? Yeah. Just a bit. But it was also a wakeup call, pushing me to get another layer of security set up on the account.

That extra layer? It’s called 2FA. That stands for two-factor authentication.

You’ve probably run into 2FA when you’ve tried to log in to certain accounts (maybe your bank, your credit card, or other systems with sensitive information). When you log in, you can’t get in without providing a second bit of information—something a little less easily hacked than a password.

There are a variety of ways to set up what that second authenticating factor is, and also how you use it.

The way I’m going to talk about is with the help of what’s called an authenticator application (or app). It’s really a simple process to set up and use an authenticator application.

Basically, you set up the website you want to protect so it uses 2FA, you set up the authenticator application, and then you connect the site you want to protect to that authenticator app.

Then each time you want to access the site you want to protect, as part of your login, you’ll also open up the authenticator app to get a secret code (what’s called a 2FA account token), and use that (when prompted) as a second part of your login.
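To show what happens behind that code, here is an added example (not from Wordfence, Authy, or the original post) of how the site and the app can each work out the same code from the key they shared at setup. It assumes the standard time-based one-time password scheme (TOTP, RFC 6238) with 30-second steps, 6 digits and SHA-1; the function names and the sample setup key are made up for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code stays current (assumed default)
DIGITS = 6   # length of the code shown in the app (assumed default)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: float) -> str:
    """What the authenticator app displays at time `now`."""
    return hotp(secret, int(now) // STEP)


def verify(secret: bytes, submitted: str, now: float,
           last_used: int = -1, drift: int = 1):
    """What the site does at login. Returns the matched time step or None.

    Accepts `drift` steps either side of the current one to tolerate clock
    skew, and skips any step <= last_used so a code cannot be replayed.
    """
    current = int(now) // STEP
    for step in range(current - drift, current + drift + 1):
        if step <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None


def decode_setup_key(key: str) -> bytes:
    """Setup keys are shown as base32 text; a QR code carries the same value."""
    key = key.replace(" ", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))


if __name__ == "__main__":
    # Constructed sample key (the RFC 6238 test secret), not a real account.
    secret = decode_setup_key("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    now = time.time()
    code = totp(secret, now)
    print("code:", code, "accepted at step:", verify(secret, code, now))
```

Anyone who holds the setup key can generate valid codes, so it needs the same care as the password itself.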

There are many of these authenticator applications available for mobile phones, tablets, and computers.

The one I’m going to talk about is called Authy.

I found out about Authy from a post on the Wordfence website. I liked this particular option because it didn’t require me to use a mobile device in order to access the authenticator app. (When I’m accessing websites, I’m mostly doing so from my desktop computer, so it’s more convenient for me to have the option to use a desktop program.) But Authy is available as a free app for mobile devices, too.

Using 2FA

There are 2 main sections below to help you get started with using 2FA on your website. The first one is something you’ll need to do one time—set up 2FA. The second one is what you’ll do each time you want to log in to your website—authenticate your login using your 2FA account token.

Section 1: Setting Up 2FA

For the example here, I’m going to walk you through how I set things up using WordPress with Wordfence and Authy. (This assumes you already have the Wordfence plugin installed—if not, you’ll want to do that first.) You’re going to do this one time.

Section 2: Using 2FA to Log In to Your Website

Now that you have 2FA set up on your website (with Wordfence and Authy), each time you log in to your site you’ll add that extra piece of information to authenticate your login by following the simple steps below.

And that’s it!

If you haven’t tried it yet, I know it probably feels a bit overwhelming at first. But after you set it up and start using it, I think you’ll see it’s not all that complicated.

Questions?

If you have any questions or run into any stumbling blocks getting this set up, please let me know (comment below or send me a message) and I’ll try to help you out.
