How to Add Two-Factor Authentication to WordPress and Other Accounts

Have you ever tried to use an ATM with just your ATM card and not your PIN? How about no ATM card and just your PIN? As I'm sure you know, you wouldn't be able to get your money. That's because your ATM requires you to use something you have (ATM card) and something you know (the PIN). If the ATM only required one or the other, it would be much easier for someone to get your money.

In the same way, if your WordPress site only requires the username and password (things you know) to log in, then if someone captures that info, they’ll be able to log in. But if your site also requires something you have, such as a code from your phone, that makes it much harder for someone to log into your account. This is known as two-factor authentication (sometimes written 2FA). Let's look at how to add another layer of security to your WordPress site.

Note: This page contains affiliate links. Please see Affiliate Disclosure.

Add Two-Factor Authentication to WordPress

So, you've decided to add two-factor authentication to your WordPress site, right? Good! First, you need an authentication plugin. I recommend the Two-Factor plugin. It works with an authenticator app on your phone to add a code that must be entered in addition to your username and password. If you don't have an authenticator app on your phone, I'll tell you how to get it later.

If for some reason you don't like the Two-Factor plugin, there are several other two-factor authentication plugins in the WordPress Plugin Directory. Here are a few to choose from:

  1. miniOrange's Google Authenticator
  2. Two Factor Authentication
  3. Wordfence Login Security
  4. Rublon Multi-Factor Authentication (MFA)

Install and activate the plugin you choose.

Next, you need to add your website to your authenticator app. Here's how to do that with the Google Authenticator plugin. The process is similar for other two-factor authentication plugins.

  1. In WordPress, in the top right corner, click Howdy [your name] to go to your profile.
  2. Scroll down to Google Authenticator Settings.
  3. Check the box for Active.
  4. Enter a Description. I suggest the name of your website, or WordPress (if this is your only WordPress account).
  5. Click Show/Hide QR code.
  6. In your authenticator app, click the plus icon to add an account, and choose Scan a barcode. If your phone can't scan a QR code, then choose Enter a provided key and type in the Secret shown on your profile page.
  7. Save the Secret somewhere secure, in case you need it to add the account to your authenticator app again in the future, and you can't get into your WordPress site. I suggest storing it in a password manager such as BitWarden.
  8. Scroll to the bottom of your profile and click Update.
Google Authenticator settings WordPress

Log into WordPress Using Two-Factor Authentication

Now that you've enabled two-factor authentication for your website, here's how to use it when you log into WordPress.

  1. Open your WordPress login page (usually
  2. Enter your WordPress username and password.
  3. Open your authenticator app, and find your website in the list of accounts.
  4. Type the code shown in your authenticator app into your WordPress login page, in the Google Authenticator code field.
  5. Log in!
Google Authenticator on WordPress login

Additional Tips for Two-Factor Authentication

I recommend that every Administrator account on your WordPress site use two-factor authentication. It wouldn't hurt to use it for other accounts too, but because the Administrator role has the most power, accounts with that role are the most critical to protect.

Don’t activate two-factor authentication for other users; ask them to do it themselves, so they can use their own phones.

If you get a new phone, install your authenticator app and add your WordPress account to it before discarding your old phone, if possible.

While you're at it, you can learn more ways of protecting your WordPress login in our post How to Secure WordPress Login & Admin Area.

How to Add An Authenticator App to Your Phone

I recommend the Authy app.

How to Use Two-Factor Authentication on Other Websites

I highly recommend enabling two-factor authentication for other accounts that are related to your website or online marketing. A few examples:

  • Web host
  • Domain registrar (Hover, etc.)
  • Email marketing (Mailchimp, Constant Contact, etc.)
  • Social media (Facebook, Twitter, etc.)
  • Ecosystems (Google, Apple, Microsoft, etc.)
  • Password manager (BitWarden, 1Password, etc.)
  • E-commerce (Stripe, PayPal, etc.)
  • Content Delivery Network (CDN) (Cloudflare, MaxCDN, etc.)

Really, you should seriously consider using two-factor authentication for any accounts that offer it.

Look in the Security and Privacy sections of your Settings, or under Account or Profile. You see it called two-factor authentication, two-step verification, security codes, 2FA, or multi-factor authentication (MFA). You may see the words code or token.

If one of your accounts doesn't offer it as an option, contact the company and ask them to enable it, for the sake of the security of its users.

Concerned About the Security of Your WordPress Site?

It's an unfortunate reality that WordPress websites are frequently targeted by hackers. You're wise to enable two-factor authentication to increase your site's security. If you'd like the peace of mind of knowing that WordPress experts are taking care of your site's security, contact us!

Filed Under: 
Tagged With: , ,

Want tips to rocket-boost your website?

Simply sign up.

One comment on “How to Add Two-Factor Authentication to WordPress and Other Accounts”

Ready to Blast Off?

Let's talk.

Contact OptimWise