Secure Your WordPress Site With Two Factor Authentication

These days you can never be too secure online. It seems like some major website is getting hacked almost every week. What hope is there for the small website owner?

The first step to securing your website is preventing the wrong people from logging in.

While a strong password is a good start, that’s still no guarantee that your site won’t get hacked.

There’s actually something that’s more secure than a strong password. It’s called two-factor authentication. By adding two-factor authentication to your site, you’ll ensure that it’s virtually impossible for a hacker to break into your WordPress account.

In this tutorial, I explain two-factor authentication, and I show you how to enable it on your own website with a free plugin.

You may already be using two-factor authentication with a banking website or Gmail. Today I show you how to bring that same level of security to your WordPress website.


5 thoughts on “Secure Your WordPress Site With Two Factor Authentication”

  1. Good article. One of the most common tricks hackers use is called a brute force attack. By using automated scripts, hackers try to guess the username and password to break into a WordPress site.

    If they steal your password or accurately guess it, then they can infect your website with malware.

    So one of the easiest ways to protect your WordPress website against a stolen password is to add two-factor authentication.

  2. Hi Kirk. Many thanks for this article, also thank you for all of the news you are sending to my e-mail. All of it 100% useful for me.

    I had a variation of the 2-factor in the form of a recaptcha that came up for one of my WordPress sites. When it first prompted me I didn’t have a clue where it came from; however, I didn’t investigate, as I thought it was improved security. The recaptcha was a number code that came up that I had to reproduce. The problem occurred when I moved the website to a different server by importing the backup of the website. When the login screen came up I couldn’t see the recaptcha code – it showed as an image it couldn’t find. I almost thought I was going to lose access to the backup, until after a few attempts, I was able to get the Dashboard up and then found that I had a Limit Login plugin (think it was) that had the second login ticked by default. Not only did I remove that option, but I also deleted the plugin. I’d have hated to lose that backup.

    Do you think the 2-factor plugin could have a similar result if I should decide to import a backup copy of my WordPress site?

    1. Hi Dean,
      The recaptcha is a little different than 2 factor. It’s not really a security plugin, but rather a tool designed to prevent automated login attempts. Two-factor creates a time-limited code that gets sent to the authorized user by some other method (app, email, SMS, etc.).

      Yes, it’s entirely possible that you could have problems when moving your site. In which case, it’s easy enough to disable the plugin. You’ll need to have FTP access to your site. Just log in, find the plugin folder under /wp-content/plugins/, then rename that folder. The next time you try to log in, WordPress will ignore the plugin.

  3. Hi Kirk,

    You can tell I’ve devoted part of today to your saved tutorials! This one is excellent (as always). It should really help with all the failed login attempts I’ve been getting (WP used to send email notices calling them “brute force attacks”; now they call them “failed login attempts”…the same thing, I believe??).

    At the moment I add IP addresses for each failed login to our Cloudflare firewall. As you know, however, the beggars just create new IP addresses! This 2 factor should make these attempts less frequent if not impossible.

    I have installed such authentication in other places before, but always found it such a hassle that I soon disabled it. Have not tried it on our site, however. The captcha I tried last year was equally annoying.

    You are saying in this tutorial (I think) that the extra effort in using this plugin to log in will make our site much more secure. Am I correct?

    Thanks for this,


    1. Hi Linda,

      More secure, yes. But it won’t prevent all of those rogue login attempts. That’s just an impossible task at this point. Also, captcha isn’t really a security tool. It’s designed to prevent bots from posting, but the visual code is not a second factor for security purposes (because it’s published on the page for everyone to see).
