What is Two Factor Authentication?
Two-factor authentication is a process involving two stages to verify the identity of an entity trying to access services in a computer or in a network. In this case the second state is confirming your identity by entering a unique code sent to your cell phone via SMS when logging into your WordPress website.
Why should I use Two Factor Authentication?
To significantly increase the security of your WordPress website.
How to force Two Factor Authentication in WordPress with Jetpack
- Sign up for a WordPress.com account if you don’t have one already
- Login to your WordPress.com account and navigate to Profile > Security > Two-Step Authentication or just click this link to see the following:
- Click Get Started, enter your cell phone number and click Verify via SMS:
- Enter the code that was texted to your cell phone and click Enable:
- Save the listed Backup Codes somewhere safe, check I have printed or saved these codes click All Finished!
- Install and enable the Jetpack by WordPress.com WordPress plugin
- In your site’s WordPress admin dashboard navigate to Jetpack > Settings > Security, then toggle on the Single Sign On feature
- Next expand the settings for Single Sign On, check Require Two-Step Authentication and click Save Settings:
- Now add the following code to your active theme’s function.php file to force logins to your site through WordPress.com:
// force users to login via wordpress.com add_filter( 'jetpack_sso_bypass_login_forward_wpcom', '__return_true' );
- Now your WordPress login URL should redirect to the following login screen instead of the default one:
- After you enter your WordPress.com credentials you should then be asked for your Verification Code that was texted to your smartphone as follows:
That’s it, your site is now significantly more secure using WordPress.com Two Factor Authentication!
If you don’t see it try clearing your cache, purging your CDN and accessing your WordPress login URL in Chrome’s incognito mode.
What happens when users try to login without Two Factor Authentication Enabled?
Every user will now need their own WordPress.com account with two factor authentication enabled in order to login to your WordPress site. If they attempt to log into their WordPress.com account without two factor authentication enabled they will get the following error message: