How to Add 2 Factor Authentication in WordPress

add 2 factor authentication in wordpress

Do you want to secure your WordPress site by adding 2 factor authentication?

With 2 factor authentication, you can add an extra layer of security to your site by sending a secret passcode to your phone for verification. This helps you prevent malicious attacks and security breaches on your website.

In this tutorial, we’ll show you how to easily add 2 factor authentication to your WordPress site.

But first, let’s learn what 2 factor authentication is.

What is 2 Factor Authentication and Why You Need It?

One of the most common attacks on WordPress sites are brute force attacks. Hackers program bots to try thousands of combinations of usernames and passwords to log in to your site. 

By using 2 factor authentication, any one trying to log in will need a one-time password (OTP) that’s generated in real time along with their login credentials.


This OTP can be sent to a user through SMS, email, of authenticator app. All they need to do next is submit the code on the website and the login will be successful. So, this adds two levels of protection to your login page.

And since it’s generated in real-time, hackers won’t be able to log in unless they find a way to get their hands on your mobile device. 

You may already know, Google, Facebook, Twitter, and many other popular sites use this security measure. You can also use this for your WordPress site and prevent it from getting hacked.

The easiest way to add 2-step verification to your site is by using a security plugin. You won’t have to add any code or modify any WordPress files. In the tutorial below, we’re going to show you how to set it up in just a few clicks.

Adding 2 Factor Authentication in WordPress Using Sucuri

You’ll find many tools that help you increase the security of your WordPress site. However, we recommend using Sucuri.


Sucuri is the best cloud-based solution that protects your site from security threats like brute force attacks, malware, and other threats. It monitors your site and blocks bad bots from accessing your site.

Here are some of the features that make Sucuri the best choice for website security:

  • Automatically scans and monitors the website for malicious attacks
  • One-click geo blocking and whitelisting options
  • Detects changes made to DNS (domain name system) and SSL
  • Sends instant alerts via email, SMS, Slack, and RSS
  • Prevents hacking with Virtual Patching and Security hardening features

Along with this, Sucuri offers an easy way to add 2 factor authentication to your WordPress site. With just a few clicks, you can protect your site from hackers. No need to add any coding. So, let’s start!

Step 1: Download and Install Authenticator App

The easiest way to create real-time codes is by using an authenticator app. These apps generate a new code every 30-60 seconds. This means you won’t have to set SMS and emails to be sent to your users.

Instead, they’ll need to download an authenticator app on their phone and use it any time they want to log in. These apps support multiple websites and accounts, so it’s really easy to log in securely anywhere.

Now there are many authenticator apps such as Google Authenticator, Authy, LastPass Authenticator, and more.

Sucuri offers 2 factor authentication option with Google Authenticator so we’ll be using this for our tutorial.

Once you install the Google Authenticator app on your phone, you can set up 2 factor authentication for your WordPress site.

Step 2: Scan your WordPress Site in Sucuri

The first thing you’ll want to do is sign up for a plan with Sucuri. Then you can log in to your account and add your site.

For this, click on the Add Site tab on the dashboard.

Add site in Sucuri

Then, you’ll see a popup where you need to add your website details. Add your website URL, connection type, and FTP credentials.

If you don’t know your FTP credentials, simply connect with your web host and ask them for it.

Connect site to Sucuri

Once you finish adding your site, Sucuri will automatically run the scan and check for any malicious activities.

It will also show the summary of the scan results in the dashboard. You can click on Details to view the full report.

Sucuri dashboard site infected

Now that you have successfully added your site, let’s learn how to add 2 factor authentication to your WordPress login page.

Step 3: Set Up 2 Factor Authentication Settings

To add 2 factor authentication method on your site, navigate to the Firewall tab in the dashboard.

Then, you can see the firewall report for the site you just added. Click on the report to open the settings for that site.


Now, open the Access Control tab and you can all the security settings for:

  • Whitelist IP Addresses
  • Blacklist IP Addresses
  • Whitelist URL Paths
  • Blacklist URL Paths
  • Block User-Agents
  • Block HTTP Cookies
  • Block HTTP Referers
  • Protected Pages
  • Geo Blocking

To add 2 factor authentication to your WordPress login, open the Protected Pages settings.

Here, you can enter your login page URL or any other page URL that you want to protect. Your WordPress website login URL should be something like ‘www.example.com/wp-login.php’ or ‘www.example.com/wp-admin’.


From the drop down menu beside the field, select 2FA with Google Auth option and click on Protect Page.

Once the login page is added, you can see a QR code when you click on it.


Now, open Google Authenticator on your phone and scan the QR code to get the secret code. You need to enter this code to get access to your site.


And there you go! You are all set to protect your site from spam and brute force attacks.

Now to log in to your site, you need to enter your username and password along with the code that’s generate by the Google Authenticator app.

We hope this tutorial helped you add 2 factor authentication to your WordPress site without any trouble.

2FA is a great way of increasing the security of your WordPress site. However, hackers are way more advanced so they find other ways to break into your site.

We recommend using a reliable host like Bluehost that runs on secure servers and has a robust security infrastructure. Next, you need to keep a high-alert security system active on your site. We recommend Sucuri but if that’s out of budget, you can opt for other security plugins like iThemes Security, BulletProof Security, or SiteLock.

For more ways to secure your website, you’ll want to see these helpful resources next:

These posts are packed with tools and methods to strengthen your website security even more. The last one is a beginner’s guide to WordPress security so you can learn how to completely secure your WordPress site with ease.

Comments  Leave a Reply

Add a Comment

We're glad you have chosen to leave a comment. Please keep in mind that all comments are moderated according to our privacy policy, and all links are nofollow. Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

WordPress Launch Checklist

The Ultimate WordPress Launch Checklist

We've compiled all the essential checklist items for your next WordPress website launch into one handy ebook.
Yes, Send Me the Free eBook!