How To Add 2-Factor Authentication Login To Your WordPress Sites

By 26th July 2013 April 21st, 2020 Shield Security

A couple of weeks ago we released our brand new security plugin for WordPress.

Today’s upgrade adds the easiest Two-Factor Login Authentication option for WordPress available.

Read on to find out why this rocks, and 3 huge reasons you should have this on your blog today!

What is 2-Factor Authentication login for WordPress?

First, what is 2-factor authentication?

Two-Factor Authentication is where, after you log into a website or service, that service will try to verify that you really are the person you say you are.

This verification can be done in several ways… most common is email-based two-factor authentication.  Typically you’ll log into the web service and they’ll send you an email with a link to verify yourself.  You click this link and you’re in.

And that’s 2-factor authentication in a nutshell.

Would you like to have the same level of protection on your WordPress site?

Now you can, with the WordPress Simple Firewall plugin for WordPress.

Why is 2-Factor Authentication so important for WordPress?

There are couple of big reasons why this is good for you and your websites’ security:

1. Protection against brute force WordPress login account cracking

Brute force attacks work by repeatedly, very quickly, trying to log into an account using a username and a series of guessed passwords.

When 2-factor authentication is put in place, the attacker can never gain access to your WordPress account and will never know if a login was successful or not.  They can of course gain access if they have access to your email account, but by then, you probably have far greater problems to worry about.

2. Ability close any unattended session.

If you log in from 1 location, and leave this signed-in or unattended, simply logging in from another location will cause the other session to be terminated as soon as it’s used.

3. Reduce account sharing and abuse.

Since only 1 IP address may assigned to a given username, and this is in effect assigned to 1 email address, account sharing and abuse, depending on your systems, is reduced.

How 2-Factor Authentication works with the WordPress Simple Firewall plugin

At the time of writing the plugin has 2 main pieces of functionality:

  1. A Firewall.
  2. WordPress Login Protection.

The WordPress Login Protection feature handles the Two-Factor authentication (amongst other things).

It works by linking 2 pieces of information:

  1. WordPress Login Username
  2. Connecting IP Address

It will create a dedicated database table on your site to which it will store the combination of IP addresses and usernames.  When the feature is enabled, all users on the site must have a corresponding and verified IP address.

When a user successfully logs into the site from a new/unrecognised IP address, it will send an email to your registered email address.  This email will contain a verification link that you must click in order to verify the IP address and your username.

Once this is done, any previously registered IP addresses for that username will be invalidated – that is, only one IP address may be associated to a user at any time.

How to activate 2-Factor Authentication on your WordPress site

WordPress Simple Firewall Menu

WordPress Simple Firewall Menu

When you install and activate the plugin, a new menu will appear on your WordPress sidebar called “Simple Firewall”. This will have a sub-menu item called “Login Protect”.

Clicking this will load an options page and you’ll first need to activate the Login Protection feature, and then enable the “Two-Factor Authentication” option, and save.

Immediately, the system will start analysing logged-in users, including you, and log you out of WordPress once it detects that your username doesn’t have a registered IP address.

Simply re-login into your site, click the link in the verification email you receive, and once again, log into your site.

You wont need to verify yourself again until your IP address changes.

Protect your WordPress site today from Brute Force attacks

This WordPress plugin is simple to use, and to protect your site against brute force attacks requires no expertise and no practically ZERO configuration steps. You just turn it on!

Join the discussion 13 Comments

  • Keith Davis says:

    Hi Paul
    I use the WordPress Simple Firewall plugin and I’m thinking of activating this feature.

    I don’t have a dedicated IP address so I’m wondering if this will cause me problems each time I log in or will I simply have to use the email method…

    “This email will contain a verification link that you must click in order to verify the IP address and your username.”


    View Comment
    • Paul G. says:

      Hi Keith,

      Alternatively you can use the Cookie method which will authenticate you and set a cookie on your browser. In this way it doesn’t matter than your IP address changes.

      I’m considering how to tweak the 2-factor system in general, but for now it works quite well though there is room to improve it. Select only cookies for now if your IP address changes frequently.

      Hope it helps!

      View Comment
  • Keith Davis says:

    Sorry for second question Paul, but can you try this out on a local install say using XAMPP?

    View Comment
  • Mike O'Dell says:


    I turned on two factor, and tried to use the IP address option but when my wife logged into the site using different credentials from the same IP address I was logged out, and we both ended up locked out. I also tried the cookie two factor option and the same behavior occurred.

    View Comment
    • Paul G. says:

      Hi Mike,

      Sorry for the trouble you’re having here. I’ll take a look at the code and see if there’s any bug in there pertaining to the same IP address.

      I assume you were both using different computers (at least different browsers) ?

      When you say “locked out” what exactly do you mean? What was happening to lock you out of the site?


      View Comment
  • Robert says:


    I installed your firewall, and must have activated the “The WordPress Login Protection feature handles the Two-Factor authentication (amongst other things).” without adding a password, etc.

    I have used FTP to remove the files, etc, and re-install, but I keep getting the “The WordPress Login Protection feature handles the Two-Factor authentication (amongst other things). coming up, and I cannot login as the administrator. Something is either caching the plugin or I’m not completely removing all files attached to this plugin. Please Help! – Thanks

    View Comment
    • Paul G. says:

      Hi Robert,

      I’m really not sure what’s happening here. That text isn’t even in the plugin… can you confirm what message is being shown? Thanks.

      View Comment
      • Robert says:

        Hey Paul, I think I realize it was the function originally used that allowed you to rename the admin login page. This is what I’m getting now-

        After re-installing plugin

        My admin login shows this link:
        Pages says. Oops! This link appears to be broken. with a search box that says “america we trust log” inside the search already.

        Looks like by renaming the admin login originally the plugin must have removed the original login file for admin or some such thing…

        View Comment
  • Hi Paul.

    I am not receiving emails (I tried two different email ids) when I try to login from a new source.

    I keep getting this message : “Login is protected by 2-factor authentication. If your login details were correct, you will have received an email to complete the login process.”, without actually getting the email.

    Can you please help me in this regard?

    Thanks and Best Regards
    Anshul Sukhwal

    View Comment
    • Paul G. says:

      I’m not sure what you mean by “different email ids”… what is this?

      The email will be sent to the email address registered for the given user you’re trying to login as.

      If the email is not sent, your WordPress site has issues with sending emails and you should look into this. The plugin simply uses the native WordPress wp_mail() function and if this doesn’t work, then your site hosting has email sending problems.

      I hope this helps you narrow down the problem.

      View Comment

Leave a Reply

x Logo: ShieldPRO
This Site Is Protected By