I help manage a WordPress website for a family member, and he recently forwarded an email message to me that he’d received from Wordfence (the security plugin we’re using on the site).
At the top of the message, he wrote:
I did NOT log in from Indonesia. I haven’t logged in from anywhere recently.
And the email did in fact say that a user with his username (and administrator access) had signed in to the WordPress site. And yup, the user's location was Bekasi, Indonesia. Nowhere near the site's typical, legitimate logins, which come from New Jersey and Pennsylvania.
Luckily, the security plugin let us know. Unfortunately, it could only tell us after the fact: the stranger had (somehow?) signed in with a valid username and password, and a login with the correct credentials looks legitimate to the plugin, so there was nothing for it to block.
Alarming? Yeah. Just a bit. But it was also a wake-up call, pushing me to get another layer of security set up on the account. (One caveat: whoever logged in already knows that password, so the password itself has to be changed as well. 2FA protects the account against the next login attempt; it doesn't undo the one that already happened.)
That extra layer? It’s called 2FA. That stands for two-factor authentication.
You've probably run into 2FA when logging in to certain accounts (maybe your bank, your credit card, or other systems with sensitive information). When you log in, you can't get in without providing a second bit of information, something an attacker who has only your password can't supply.
There are a variety of ways to set up what that second authenticating factor is, and also how you use it.
The way I’m going to talk about is with the help of what’s called an authenticator application (or app). It’s really a simple process to set up and use an authenticator application.
Basically, you set up the website you want to protect so it uses 2FA, you set up the authenticator application, and then you connect the site you want to protect to that authenticator app.
Then each time you want to access the site you want to protect, as part of your login you'll also open the authenticator app to get a short one-time code (what Authy calls a token) that the app regenerates every 30 seconds, and enter that code (when prompted) as the second part of your login.
There are many of these authenticator applications available for mobile phones, tablets, and computers.
The one I’m going to talk about is called Authy.
I found out about Authy from a post on the Wordfence website. I liked this particular option because it didn’t require me to use a mobile device in order to access the authenticator app. (When I’m accessing websites, I’m mostly doing so from my desktop computer, so it’s more convenient for me to have the option to use a desktop program.) But Authy is available as a free app for mobile devices, too.
There are 2 main sections below to help you get started with using 2FA on your website. The first one is something you'll need to do one time—set up 2FA. The second one is what you'll do each time you want to log in to your website—authenticate your login using your 2FA account token.
Section 1: Setting Up 2FA
For the example here, I’m going to walk you through how I set things up using WordPress with Wordfence and Authy. (This assumes you already have the Wordfence plugin installed—if not, you’ll want to do that first.) You’re going to do this one time.
Step 3: Set Up An Account on Authy
Open Authy, and click the + icon on the top right to add a new account.
In the Enter code given by this website field, paste in the long line of letters and numbers you copied from Wordfence in Step 1 above. (That string is the shared secret that Wordfence and Authy will both use to compute your codes. Treat it like a password: anyone who has it can generate valid tokens for your account, so don't leave it sitting in an email or a document once you've pasted it in.)
Click the Add Account button.
Give the account a name (in the Account Name field).
Choose an icon from the list of icons.
Choose a Token length from the options—Authy suggests only changing the default length if you’re having problems using the token.
Select the Save button.
Authy now displays a token for this account. The token changes every 30 seconds, so any given code is only good for a short time.
Step 4: Connect Authy Back To Your Website
Back in Wordfence, select the DOWNLOAD button in section 2 (Enter Code from Authenticator App).
This will save 5 recovery codes that can be used if you lose access to your authenticator device. Each recovery code can only be used once, and each one is as good as a token, so keep the file somewhere safe (and not in the same place as the password itself).
Then go back to Authy, copy the current token (there's a copy icon, or you can highlight the text and copy it, or you can write it down, or you can memorize it), and enter that code in section 2 of Wordfence, to verify and activate 2FA for your account. Do this promptly, since the token changes every 30 seconds; if it has changed by the time you submit it, just enter the new one.
Click on the ACTIVATE button. (If you forgot to do the optional download of the 5 recovery codes, you’ll be prompted now to download them or to skip this.)
Section 2: Using 2FA to Login to Your Website
Now that you have 2FA set up on your website (with Wordfence and Authy), each time you log in to your site you'll add that extra piece of information to authenticate your login, by following the simple steps below.
Step 2: Enter a 2FA Code
You’ll see a new field once you select that Log In button. It says 2FA Code.
Open up Authy, go to the proper account for the site you're logging in to (you might eventually have more than one account set up with 2FA, so you have to choose the right one; a token from a different account won't work), copy the token (or write it down, or memorize it), then go back to the WordPress screen and enter it in the 2FA Code field before it changes.
And that’s it!
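Under the hood, Authy and Wordfence are running the same arithmetic on the same secret. The example below is added here to illustrate Section 1 (Steps 3 and 4) and Section 2 (Step 2); it is not code from this post, from Wordfence or from Authy. It is a small Python implementation of TOTP (RFC 6238), the standard both sides use: the string pasted into Authy is a Base32 shared secret, the app turns that secret plus the current 30-second window into the six-digit token, and the site recomputes the same token to check what you type at activation and at each login. The secret (the RFC 6238 test key), the timestamps and the recovery codes in it are constructed for illustration, and the `RecoveryCodes` class is a simplified stand-in for how a site might enforce single use, not Wordfence's implementation.

```python
"""
Added example: minimal RFC 6238 TOTP, the scheme behind the 30-second tokens.
Not code from the post, Wordfence or Authy. The secret below is the RFC 6238
test key (Base32 encoded); times and recovery codes are constructed.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # token lifetime the post mentions
DIGITS = 6          # Authy's default token length for third-party accounts

# Constructed demo secret: Base32 of the RFC 6238 test key "12345678901234567890".
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Base32-decode the shared secret as displayed by the site (spaces/case tolerated)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore padding often stripped for display
    return base64.b32decode(cleaned)


def totp(secret_b32: str, at_time: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """Code the authenticator app shows at Unix time `at_time` (HMAC-SHA1, RFC 6238)."""
    counter = at_time // step                      # same counter for a whole 30-second window
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    mac = hmac.new(decode_secret(secret_b32), msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, at_time: int, window: int = 1) -> bool:
    """Server-side check, as done at ACTIVATE and at every login.

    Accepts the current code plus `window` steps either side to tolerate clock
    skew; constant-time comparison so response timing does not leak digits.
    """
    submitted = submitted.strip().replace(" ", "")
    for step_offset in range(-window, window + 1):
        expected = totp(secret_b32, at_time + step_offset * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


class RecoveryCodes:
    """Single-use fallback codes, in the spirit of the five Wordfence lets you download."""

    def __init__(self, codes):
        # Store only hashes, as a server should; the plaintext goes to the user once.
        self._unused = {hashlib.sha256(c.encode()).hexdigest() for c in codes}

    def redeem(self, code: str) -> bool:
        digest = hashlib.sha256(code.strip().encode()).hexdigest()
        if digest in self._unused:
            self._unused.remove(digest)   # each recovery code works exactly once
            return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("Authy would show:", code)
    print("Site accepts it now:", verify_totp(DEMO_SECRET, code, now))
    print("Same code two minutes later:", verify_totp(DEMO_SECRET, code, now + 120))
    codes = RecoveryCodes(["abcd-1234", "efgh-5678"])   # constructed sample codes
    print("Recovery code first use:", codes.redeem("abcd-1234"))
    print("Recovery code second use:", codes.redeem("abcd-1234"))
```

Running the file prints the code Authy would show right now, confirms the site accepts it, and shows the same code being refused two minutes later, which is why the steps above say to enter the token promptly. The one-step window in `verify_totp` is a common compromise between tolerating a slightly wrong phone clock and keeping a leaked code useful for only about a minute.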
If you haven’t tried it yet, I know it probably feels a bit overwhelming at first. But after you set it up and start using it, I think you’ll see it’s not all that complicated.
If you have any questions or run into any stumbling blocks getting this set up, please let me know (comment below or send me a message) and I’ll try to help you out.