If you only do one thing this year to make your WordPress site more secure, set up two factor authentication. It is the single highest leverage security improvement available, and it costs nothing beyond a few minutes per user. Two factor authentication, also called 2FA or MFA, means a password alone is not enough to log in. The user also needs a code from a phone, a hardware key, or another second device that the attacker does not have.
Brute force attacks, credential stuffing and phished passwords all rely on the same assumption: that the password is enough. 2FA breaks that assumption. Even if your password leaks, the attacker still cannot log in.
The threat without 2FA
WordPress login pages receive constant brute force traffic. Bots try combinations of usernames and passwords drawn from past breaches, often thousands of attempts per hour against any site they can reach. If your password has appeared in any breach anywhere on the internet, it is on a list, and that list is being used.
A strong unique password is good. A strong unique password plus 2FA is enormously better. The second factor is what stops an attacker who has already guessed or stolen the first one.
The types of second factor
There are three main types of second factor in common WordPress use.
Time based one time passwords, or TOTP, are six digit codes that change every thirty seconds, generated by an app like Google Authenticator, Authy, or 1Password. This is the most widely supported, easy to set up, and a good default for most sites and most users.
Hardware security keys, such as YubiKey, are physical USB or NFC devices that sign a challenge from the site. They are stronger than TOTP because the signature is bound to the genuine site, so a fake login page cannot capture anything reusable, but they require buying the key. Worth it for administrators on high value sites.
SMS codes are sent by text message. This is the weakest option, because an attacker who takes over your phone number through a SIM swap receives the codes, but it is still better than nothing. Avoid it if other options are available.
Plugin choices
WordPress does not ship with built in 2FA, but several reputable plugins add it. The most established choices are Wordfence Login Security, the WordPress.com Jetpack 2FA module, and the standalone Two Factor plugin maintained by core contributors.
For most business sites, Wordfence Login Security is a sensible choice because it combines 2FA with brute force protection, country blocking, and login attempt limiting. The Two Factor plugin is excellent if you prefer something minimal and lightweight. Whichever you pick, install only one. Stacking multiple security plugins that all try to manage logins is asking for trouble.
The rollout plan
If your site has multiple users, do not turn on mandatory 2FA without warning everyone first. People get locked out. Tickets get raised. Email a clear notice. Tell the team what 2FA is, why you are turning it on, and which authenticator app to install.
Roll out in stages. Start with administrators, who have the most to protect. Add editors and authors next. Subscriber level accounts can usually be left until later. Most plugins let you require 2FA per role rather than for everyone at once.
Setting up a TOTP second factor
The setup flow for most plugins is similar. Log in normally, go to your user profile, find the two factor section, and click enable. The site displays a QR code. Open your authenticator app, scan the QR code, and a new entry appears in the app. Enter the current six digit code from the app to confirm. The site flips the second factor on.
From the next login, after entering the password, the site will ask for the current code. Open the app, type the six digits, log in. The whole process adds about ten seconds to each login.
Backup codes are critical
When you enable 2FA, the plugin will offer you a set of single use backup codes. Save them. Print them and put them somewhere safe. Save them to your password manager. Without backup codes, if you lose your phone, you will be locked out of your own site, and the only recovery path is contacting your host or your developer to manually disable 2FA on your account.
Backup codes are also useful for the case where you are travelling without your phone, or where the authenticator app has been wiped during a device migration.
Application passwords for integrations
Some plugins, mobile apps, or external integrations connect to WordPress over the REST API and cannot complete a 2FA flow. For these, WordPress supports application passwords. The user generates a unique long string from their profile, scoped to a single application. The application uses that string in place of a password, while the human account still has 2FA enabled for browser logins.
Application passwords are safer than disabling 2FA on accounts that need integrations. Each one is revocable individually, and they do not give the integration access to the dashboard.
Rotation and clean up
2FA is not a set and forget feature. Periodically review who has it enabled and on which device. When a staff member or contractor leaves, remove their account entirely. When a phone is replaced, reset their 2FA so the old device cannot still produce valid codes. Audit application passwords annually and revoke any that are no longer used.
2FA on your password manager and email account
WordPress 2FA is great but it is not the whole picture. The same logic applies to your password manager, your email account, and your domain registrar. If any of those is protected only by a password, that is your weak link. Many WordPress compromises start with a phishing email that gets the owner to log in to a fake admin page, or with a domain hijack that points DNS at an attacker controlled server.
Turn on 2FA everywhere it is offered. The combined effect is greater than any single account upgrade.
Need a hand?
If you would like Smart Coding to roll out 2FA across your WordPress site, train your team, and audit the rest of your account security at the same time, get in touch. It is one of the highest value security upgrades we do and we can usually have it in place within a day or two.