How To Add 2-Factor Authentication Login To Your WordPress Sites

by Paul G.

A couple of weeks ago we released our brand new security plugin for WordPress.

Today’s upgrade adds the easiest Two-Factor Login Authentication option for WordPress available.

Read on to find out why this rocks, and 3 huge reasons you should have this on your blog today!

What is 2-Factor Authentication login for WordPress?

First, what is 2-factor authentication?

Two-Factor Authentication is where, after you log into a website or service, that service will try to verify that you really are the person you say you are.

This verification can be done in several ways… most common is email-based two-factor authentication.  Typically you’ll log into the web service and they’ll send you an email with a link to verify yourself.  You click this link and you’re in.

And that’s 2-factor authentication in a nutshell.

Would you like to have the same level of protection on your WordPress site?

Now you can, with the WordPress Simple Firewall plugin for WordPress.

Why is 2-Factor Authentication so important for WordPress?

There are a couple of big reasons why this is good for you and your websites’ security:

1. Protection against brute force WordPress login account cracking

Brute force attacks work by repeatedly, very quickly, trying to log into an account using a username and a series of guessed passwords.

When 2-factor authentication is put in place, the attacker can never gain access to your WordPress account and will never know if a login was successful or not.  They can of course gain access if they have access to your email account, but by then, you probably have far greater problems to worry about.

2. Ability to close any unattended session.

If you log in from 1 location, and leave this signed-in or unattended, simply logging in from another location will cause the other session to be terminated as soon as it’s used.

3. Reduce account sharing and abuse.

Since only 1 IP address may be assigned to a given username, and this is in effect assigned to 1 email address, account sharing and abuse, depending on your systems, is reduced.

How 2-Factor Authentication works with the WordPress Simple Firewall plugin

At the time of writing the plugin has 2 main pieces of functionality:

  1. A Firewall.
  2. WordPress Login Protection.

The WordPress Login Protection feature handles the Two-Factor authentication (amongst other things).

It works by linking 2 pieces of information:

  1. WordPress Login Username
  2. Connecting IP Address

It will create a dedicated database table on your site in which it will store the combination of IP addresses and usernames.  When the feature is enabled, all users on the site must have a corresponding and verified IP address.

When a user successfully logs into the site from a new/unrecognised IP address, it will send an email to your registered email address.  This email will contain a verification link that you must click in order to verify the IP address and your username.

Once this is done, any previously registered IP addresses for that username will be invalidated – that is, only one IP address may be associated to a user at any time.
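
The flow described above, modelled as an added example (this is not the plugin's code): a login from an unrecognised IP issues a one-time link token, and clicking the link replaces the user's single verified IP. The class and method names, the hashed token storage and the 15-minute expiry are assumptions; the article specifies only the username/IP table, the emailed link and the one-IP-per-user rule.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # assumed link lifetime in seconds; the article gives none


class LoginIpBinding:
    """Model of the username <-> IP table: one verified IP per user."""

    def __init__(self):
        self.verified = {}  # username -> the single verified IP
        self.pending = {}   # sha256(token) -> (username, ip, expires_at)

    def on_password_ok(self, username, ip, now=None):
        """Call after the password check passed. Returns None if this IP is
        already verified, else a one-time token for the emailed link."""
        now = time.time() if now is None else now
        if self.verified.get(username) == ip:
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Store only the hash so a leaked table does not yield usable links.
        self.pending[digest] = (username, ip, now + TOKEN_TTL)
        return token

    def on_link_clicked(self, token, now=None):
        """Verify the emailed link. Works once and only before expiry; on
        success the new IP replaces any previously verified one."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use
        if entry is None:
            return False
        username, ip, expires_at = entry
        if now > expires_at:
            return False
        self.verified[username] = ip  # the old IP is invalidated here
        return True

    def session_allowed(self, username, ip):
        """Per-request check: a session from any other IP is terminated."""
        return self.verified.get(username) == ip
```

A correct password alone never makes `session_allowed` return true for a new IP; only the party who can read the mailbox and click the link can complete the binding.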

How to activate 2-Factor Authentication on your WordPress site

WordPress Simple Firewall Menu


When you install and activate the plugin, a new menu will appear on your WordPress sidebar called “Simple Firewall”. This will have a sub-menu item called “Login Protect”.

Clicking this will load an options page and you’ll first need to activate the Login Protection feature, and then enable the “Two-Factor Authentication” option, and save.

Immediately, the system will start analysing logged-in users, including you, and log you out of WordPress once it detects that your username doesn’t have a registered IP address.

Simply log back into your site, click the link in the verification email you receive, and once again, log into your site.

You won’t need to verify yourself again until your IP address changes.

Protect your WordPress site today from Brute Force attacks

This WordPress plugin is simple to use, and protecting your site against brute force attacks requires no expertise and practically ZERO configuration steps. You just turn it on!


{ 11 comments… read them below or add one }

Keith Davis October 5, 2014 at 10:34 am

Hi Paul
I use the WordPress Simple Firewall plugin and I’m thinking of activating this feature.

I don’t have a dedicated IP address so I’m wondering if this will cause me problems each time I log in or will I simply have to use the email method…

“This email will contain a verification link that you must click in order to verify the IP address and your username.”



Paul G. October 8, 2014 at 7:04 pm

Hi Keith,

Alternatively you can use the Cookie method which will authenticate you and set a cookie on your browser. In this way it doesn’t matter that your IP address changes.

I’m considering how to tweak the 2-factor system in general, but for now it works quite well though there is room to improve it. Select only cookies for now if your IP address changes frequently.

Hope it helps!


Keith Davis October 5, 2014 at 10:41 am

Sorry for second question Paul, but can you try this out on a local install say using XAMPP?


Paul G. October 8, 2014 at 7:05 pm

I think two factor should work with local installations – I can’t see why not, so long as you can locally access your own site.


Mike O'Dell February 4, 2015 at 5:03 am


I turned on two factor, and tried to use the IP address option but when my wife logged into the site using different credentials from the same IP address I was logged out, and we both ended up locked out. I also tried the cookie two factor option and the same behavior occurred.


Paul G. February 4, 2015 at 9:27 pm

Hi Mike,

Sorry for the trouble you’re having here. I’ll take a look at the code and see if there’s any bug in there pertaining to the same IP address.

I assume you were both using different computers (at least different browsers)?

When you say “locked out” what exactly do you mean? What was happening to lock you out of the site?



Robert February 7, 2015 at 12:05 am


I installed your firewall, and must have activated the “The WordPress Login Protection feature handles the Two-Factor authentication (amongst other things).” without adding a password, etc.

I have used FTP to remove the files, etc, and re-install, but I keep getting the “The WordPress Login Protection feature handles the Two-Factor authentication (amongst other things).” coming up, and I cannot log in as the administrator. Something is either caching the plugin or I’m not completely removing all files attached to this plugin. Please Help! – Thanks


Paul G. February 7, 2015 at 12:23 am

Hi Robert,

I’m really not sure what’s happening here. That text isn’t even in the plugin… can you confirm what message is being shown? Thanks.


Robert February 7, 2015 at 1:11 am

Hey Paul, I think I realize it was the function originally used that allowed you to rename the admin login page. This is what I’m getting now-

After re-installing plugin

My admin login shows this link:
Pages says. Oops! This link appears to be broken. with a search box that says “america we trust log” inside the search already.

Looks like by renaming the admin login originally the plugin must have removed the original login file for admin or some such thing…


Robert February 7, 2015 at 1:19 am

Paul, does the plugin re-write the .htaccess file when renaming login?


Paul G. February 7, 2015 at 1:23 am

This plugin doesn’t rename any files, or write/touch/look at any .htaccess or WordPress core files (especially admin). I’m not sure what you’ve done, or perhaps there are other WordPress plugins you’ve used or at play interfering here.

