What is Two Factor Authentication?
Two-factor authentication is a process involving two stages to verify the identity of an entity trying to access services on a computer or in a network. In this case the second stage is confirming your identity by entering a unique code sent to your cell phone via SMS when logging into your WordPress website.
Why should I use Two Factor Authentication?
To significantly increase the security of your WordPress website.
How to force Two Factor Authentication in WordPress with Jetpack
- Sign up for a WordPress.com account if you don’t have one already
- Login to your WordPress.com account and navigate to Profile > Security > Two-Step Authentication or just click this link to see the following:
- Click Get Started, enter your cell phone number and click Verify via SMS:
- Enter the code that was texted to your cell phone and click Enable:
- Save the listed Backup Codes somewhere safe, check I have printed or saved these codes and click All Finished!
- Install and enable the Jetpack by WordPress.com WordPress plugin
- In your site’s WordPress admin dashboard navigate to Jetpack > Settings > Security, then toggle on the Single Sign On feature
- Next expand the settings for Single Sign On, check Require Two-Step Authentication and click Save Settings:
- Now add the following code to your active theme’s functions.php file to force logins to your site through WordPress.com:

```php
// force users to log in via WordPress.com
add_filter( 'jetpack_sso_bypass_login_forward_wpcom', '__return_true' );
```
- Now your WordPress login URL should redirect to the following login screen instead of the default one:
- After you enter your WordPress.com credentials you should then be asked for your Verification Code that was texted to your smartphone as follows:
That’s it, your site is now significantly more secure using WordPress.com Two Factor Authentication!
If you don’t see it try clearing your cache, purging your CDN and accessing your WordPress login URL in Chrome’s incognito mode.
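The same enforcement can be packaged as a must-use plugin instead of a theme edit, so it survives theme switches and cannot be lost by a theme update. This is an added example, not code from the original post or from Jetpack; the check `Jetpack::is_module_active( 'sso' )` and the filters `jetpack_sso_require_two_step` and `jetpack_remove_login_form` are assumed from Jetpack's SSO module and should be confirmed against the installed Jetpack version.

```php
<?php
/**
 * Plugin Name: Force WordPress.com SSO with two-step (added example)
 *
 * Save as wp-content/mu-plugins/force-wpcom-sso.php. Must-use plugins load
 * automatically and are independent of the active theme.
 */

add_action( 'plugins_loaded', function () {
    // Only enforce once the Jetpack SSO module is active. Forcing the forward
    // before SSO is configured would lock every user, including the admin,
    // out of wp-login.php. (Jetpack::is_module_active is assumed here.)
    if ( ! class_exists( 'Jetpack' ) || ! Jetpack::is_module_active( 'sso' ) ) {
        return; // keep the normal login form until SSO is ready
    }

    // Skip the local form and send visitors straight to WordPress.com
    // (the filter the tutorial above uses).
    add_filter( 'jetpack_sso_bypass_login_forward_wpcom', '__return_true' );

    // Require two-step on the WordPress.com account in code as well, so the
    // dashboard toggle cannot be switched off silently. (Assumed filter name.)
    add_filter( 'jetpack_sso_require_two_step', '__return_true' );

    // Remove the username/password form so SSO is the only login path.
    // (Assumed filter name.)
    add_filter( 'jetpack_remove_login_form', '__return_true' );
} );
```

Keep a second administrator account's WordPress.com backup codes, from the step above, available before deploying this, since with the local form removed those codes are the recovery path if the phone is unavailable.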
What happens when users try to log in without Two Factor Authentication enabled?
Every user will now need their own WordPress.com account with two factor authentication enabled in order to log in to your WordPress site. If they attempt to log into their WordPress.com account without two factor authentication enabled they will get the following error message:
Hello Andy, Thank you for explaining the ways to enforce two-factor authentication with jetpack plugin. Definitely, going to apply for my web properties.
Thank you for this tutorial. I wonder if you also have to pay for the SMS messages somehow? Or are they being sent for free?
I use the Google Authenticator Plugin. One thing to note is that on old Android phones there is a glitch that makes the time sequence out of whack, and you don’t have enough time to log in. So if you are planning on implementing any of these plugins in your website, make sure you have a backup done before implementation, so you can recover your account if the plugin locks you out.
Thank you for your insight Mike, that is a great recommendation! Always make a backup first! Apparently it’s especially important if you’re using an old Android device =)
This is great if you allow team members/other users to log in to your website, which we don’t.
Question – does anyone know if there is an app or plugin you can use to require two factor cell authentication for either our MLS software – or to access the page that software is on? I saw that type of system on a firm’s site that sells realtor websites but think it was custom coded (HTML site) because it was not a WP site. We are trying to eliminate users from providing false login details when they create an account in our MLS Software.
I have installed the Jetpack plugin. Does this work for WordPress.org websites too?
Yes, it works for WordPress.org websites.
Heads-up: there’s a way around this. Try visiting https://YOURSITE/wp-login.php?loggedout=true . When I do this, I’m not redirected. Any way to fix?
Hey, what if we enable it on a WooCommerce website? How are customers going to log in? Or does it only apply to admin?