Enabling Two Factor Authentication for WordPress

Simple WordPress Security Using Strong Usernames and Passwords and Two-Step Authentication

The most common WordPress hacks result from the use of poor usernames and passwords. To protect your site from brute force attacks (forced log in to your administrative account), you can do the following:

1 – Change your admin username.

Bad Password Example

To do this:

1 – Log in to your site.

2 – Create a new administrative user that does NOT use the word “admin” as the username. You can make this long and use letters and numbers.

3 – Log out of your site.

4 – Log in with the new administrative username.

5 – Delete the old “admin” user but be sure to ASSIGN all posts, pages, etc. to the new user when prompted.

2 – Change your password to something strong (really strong)

Something strong is usually NOT something you can remember. Ideally, you’ll use a random password generator, such as:

If you use strong passwords, you’ll need something to securely keep track of them. I prefer 1Password: http://agilebits.com/products/1Password

3 – Limit login activity

From Matt Mullenweg:

“Most other advice isn’t great – supposedly this botnet has more than 90,000 IP addresses, so an IP-limiting or login-throttling plugin isn’t going to be great (they could try from a different IP [address] a second for 24 hours).”

Many security plugins tout their limiting login capabilities which actually do very little to protect your sites. The WordPress Simple Security Firewall plugin has a cool-down feature which helps prevent brute force hacks as well as a Javascript on the login form that creates a simple checkbox to that a user must click to prove they are human. This is not a fail safe, but better than not having it. Read more about how the Simple Security Firewall handles securing logins here: https://www.icontrolwp.com/2014/05/wordpress-security-simple-firewall-plugin-part-4-login-protection-feature/

4 – Enable Two-Step Authentication


Two-factor authentication means that in addition to your password, you must have to pass a second test to prove that you really are who you say you are. This might be in the form of a code that is sent to your phone or via email. You enter this code into your login page in addition to your username and password. Since only YOU have access to this secondary authentication method via your phone or email account, it’s a fool-proof way to prevent anyone who may have stolen your password from ever being able to log in.

The Simple Security Firewall plugin offers two-factor authentication via email-based authentication or Yubikey. Clef is a two-factor authentication system that does not rely on passwords or tokens but uses magical animated bars to authenticate your login. It’s cool. But, I’m a number person, so I prefer Google Authenticator.

The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.

If you are security aware, you may already have the Google Authenticator app installed on your smartphone, using it for two-factor authentication on Gmail/Dropbox/Lastpass/Amazon etc.

The two-factor authentication requirement can be enabled on a per-user basis for your WordPress site. You could enable it for your administrator account, but log in as usual with less privileged accounts (such as Contributor or Editor).

To set up two-step authentication:

  1. Make sure your webhost is capable of providing accurate time information for PHP/WordPress, ie. make sure a NTP daemon is running on the server.
  2. Install and activate the Google Authenticator plugin.
  3. Go to Users and click the user you want to enable authentication for to edit that user’s profile.
  4. Enter a description that will display in the Google Authenticator app on your phone. This is to differentiate Google Authentication for different WordPress installs you may be using this on.
  5. Download the Google Authenticator app to your phone.
  6. Scan the generated QR code on the user page with your phone, or enter the secret manually in the Google Authenticator app on your phone, remember to pick the time based one.
    You may also want to write down the secret on a piece of paper and store it in a safe place.
  7. Remember to hit the Update profile button at the bottom of the page before leaving the Personal options page.
  8. That’s it, your WordPress blog is now a little more secure.

Log out, and you will now notice that you must have a Google Authentication code to log back in.

Note: This feature will soon be released in Jetpack for those of you using Jetpack. Two-step authentication is already built in to blogs on WordPress.com and just needs to be turned on. For instructions to enable this on your WordPress.com account: http://en.blog.wordpress.com/2013/04/05/two-step-authentication/

5 – Limit Who Has Administrative Privileges

It might be a good idea to assign the author of posts and pages to non-administrators to avoid “giving up” the administrator login name via the author archive URL. To do this, set up a user who is a contributor or editor and when you do create posts or pages, assign those to that person. Also, limiting administrative privileges helps control the security (password and authentication above) for that critical user.

6 – Delete unused plugins and themes and UPDATE everything

While not related to this particular attack, staying up to date is critical and deleting an unused themes or plugins is always a good idea to limit vulnerability. Updating and not running old and outdated versions of WordPress or other software on your hosting account is a huge part of not being hacked. If you haven’t updated in a while, read my post on Updating WordPress Themes and Plugins Safely.

7 – If you get hacked

  1. You may not know it for a long time or until your site is blacklisted by Google. Hence, a plugin like Wordfence may alert you if malicious code is found in any files.
  2. Immediately log in to your site and change your password. Also, change your email, hosting, and FTP passwords.
  3. Find someone who can help you restore from your back up or clean up your files. Usually your web host can restore from a recent backup if available very quickly. I sometimes can help people with this or you can contact the good folks at Sucuri.net.
  4. Please read my Nuke it From Orbit post for detailed instructions on completely cleaning your site by starting from scratch (yet retaining your post and page content). This is a slash and burn technique, and you can modify as needed depending on the severity of the hack.


Back-to-basics security measures in the form of strong passwords, unique usernames, two-factor authentication, staying up to date, and keeping your site clean and tidy up are really the only truly effective things you can do at any given point in time. If you are using vulnerable plugins or themes, you are at risk. Use plugins and themes with caution and keep them up to date. Hackers go after low-hanging fruit, typically, so be smart.

Angela Bowman

Front-end WordPress developer since 2007 building highly custom websites for nonprofits and small businesses. Experienced in nonprofit administration, grant writing, and technical writing. Love high altitude hiking and backyard chickens.

View all posts by Angela Bowman

14 comments on “Enabling Two Factor Authentication for WordPress

  1. Some of the recent headline hacks have shown that web security problems start with the users themselves. Passwords such as ‘password’ and ‘1234567’ are still being used across multiple sites. Together with administrator users names like ‘admin’. Hopefully education and awareness will see these diminish, but it will be a slow process.

    While measures such as two-step authentication are really helpful, it is the basics that need to be nailed down first.

    • Hi Graham,

      That is so true. I hope I emphasized the need for strong passwords in this post. What is good about 2 factor is that if your login credentials (regardless of how strong) do get compromised, the hacker won’t be able to gain access to the site even with your all your login information because the two-factor auth will keep them from being able to login. Hence why banks and other financial institutions universally use 2 factor authentication. They know their customers aren’t going to be good at their passwords.

      Security basics are key, because even with a strong username and passwords, so many hacks don’t rely on the login credentials. A large percentage of hacks are the result of exploits to known vulnerabilities in plugins and themes, thus bypassing anything to do with login.

      Security is not hard, but it does require diligence. I’ll write a longer post about that as I do a lot of security presentations in our community. People do miss a lot of “basic” stuff because they simply aren’t aware of the importance of updates and using themes and plugins with caution and keeping ALL their WordPress installations up to date regardless of whether or not the install is “live” or “being used.”

      Thanks for your comment, Graham. Please stay in touch.


  2. Great article–bookmarked! What about using a plugin such as Rename Wp-Login.php to change the name of /wp-admin/? Michael Martinez recommended it on his blog (not sure if it’s OK to post the link). In this same post, btw, he has a link to a site that shows Cloudflare is a very, very bad player.

    • Hi Lorelle, Better WP Security plugin does this as well. I am very conservative with my security advice because people tend to focus on the wrong things and then forgot a lot of basic stuff. Two-step authentication is important for all of the Internet accounts you have that you can use it on because it really does halt bad login attempts in their tracks.

      So, I typically install and set up Wordfence and sometimes the Better WP Security plugin. Wordfence and the two-step authentication are my go to security plugins.

      But, that doesn’t help if you use bad themes or plugins, as those don’t require someone logging in to hack your site, and that’s where I see most hacks come from. Then, of course, weak passwords and not keeping everything up to date.

      Thanks for sharing Michael’s name with me! I’ll look up his article.

  3. Under Google Authenticator, you wrote: “Go to Settings > Users and enter a description on the Profile options page, in the Google Authenticator section.”

    I’m running WP 3.8.1, and I’m not seeing a “users” option under “settings.” Help?

    • What would I do with a brain if I had one?

      Yes, you are correct. The setting to which I am referring is under Users. Edit your User profile, and scroll down to locate the Google Authenticator settings. This will only work on self-hosted WordPress sites. (Not on WordPress.com accounts.)

      Sorry about that! Thank you so much for writing me!

  4. I also just wrote about the botnet attacks as it’s got lots of people worried. Your number 1 point is spot on: don’t use admin as the username! Someone mentioned that Sucuri just came out with a CloudProxy service to helps buffer sites from bot attacks. I only mentioned it in passing as it’s fairly new and I haven’t seen any reviews on it yet.

    • Hi WP Guide,

      I know Cloudflare offers a similar service, but you do have to point your DNS to their servers, which some people are reluctant to do. I don’t think that doing that is necessary to prevent this attack. Having a good username and password and enabling the two-step authentication, keeping up to date, and backing up are the most important things. I think when people get scared, they don’t think rationally and want a “sure fix” and don’t believe in the simple, basic security. I have never seen a site that has been updated and uses basic security practices get hacked (except TimThumb hacks which are also, at this point, basic security measure of avoiding risking plugins and themes). Thanks so much for reaching out. I will check out your site. Love to meet more people in the WP community.

  5. First, Thank you for this great step by step list. As I am going through this process I have run into a problem I am hoping you can answer. What do you do if you cannot – Delete the old “admin” user? Thank you in advance.

    • You cannot delete the admin user when you are logged in as that user. You must log out first then login as the NEW administrative user you created. Only then can you delete the old user.

  6. Thank you, Angela. Beth Hayden turned me on to your article. We’ve been agonizing over this today and debating starting up two new websites in WordPress (or not!).

    • I don’t know what you would use if you didn’t use WordPress as the alternatives are not very user friendly and would be costly to implement and the security updates are not nearly as robust. This is NOT a WordPress vulnerability. The issue has NOTHING TO DO WITH WORDPRESS. It has to do with very bad practices with users who create crappy, hackable passwords which provide low hanging fruit to hackers. Hackers take the path of least resistance, meaning they exploit bad practices among end users: bad passwords being the #1 exploit followed by users who do not keep their websites or plugins up to date and therefore have known vulnerabilities that are not being addressed.

      WordPress core is very secure. If there are any insecurities, the WordPress team patches them quickly. If you are a lazy end user and use lazy passwords and don’t maintain your site, then, yes, you are vulnerable. This would be true for your Paypal and Gmail accounts as well, which I’ve known many more people to have hacked as the result of the same lazy Internet practices.

Leave a Reply

Your email address will not be published.