
Setting Up Two-Factor Authentication on WordPress with WO Security Shield

September 10, 2024·WO Security Shield Team
Tags: 2fa, totp, login security, authentication

Passwords can be guessed, stolen, or leaked in a data breach. Two-factor authentication (2FA) means that even if an attacker has your exact password, they still can't log in — they also need physical access to your phone. 2FA is your strongest defence against brute force attacks.

WO Security Shield supports two types of 2FA:

  • TOTP (Time-based One-Time Passwords) — 6-digit codes from an authenticator app, valid for 30 seconds
  • Email OTP — one-time codes sent to your email address, valid for 10 minutes

TOTP is more secure (it doesn't depend on email security) and is the recommended option.

What you need

  • WO Security Shield installed and activated
  • An authenticator app: Google Authenticator, Authy, or 1Password (any TOTP-compatible app works)

Setting up TOTP

  1. Log in to WordPress admin
  2. Go to Users → Your Profile
  3. Scroll to the Two-Factor Authentication section
  4. Click Enable TOTP
  5. A QR code appears — scan it with your authenticator app
  6. Enter the current 6-digit code from your app to confirm setup
  7. Save your profile

From your next login, WordPress will ask for your password and then a 6-digit code. You have a 30-second window from when the code appears — it refreshes automatically.

Setting up Email OTP

  1. Go to Users → Your Profile
  2. In the Two-Factor Authentication section, enable Email OTP
  3. On your next login, after entering your password, WordPress will email you a code

Note: email OTP is only as secure as your email account. If your email is compromised, this second factor provides no protection.

Enabling 2FA for all admin users

As a site administrator, you can require 2FA for all users with a specific role. In WO Security Shield settings:

  1. Go to Access & Login
  2. Under Two-Factor Authentication, set the required roles
  3. Users who haven't set up 2FA will be prompted on their next login

What happens if you lose access to your authenticator app?

WO Security Shield generates backup codes when you enable TOTP. Store these somewhere safe (offline, in a password manager). Each code can be used once.

If you've lost both your authenticator and your backup codes, you'll need to disable 2FA via the database or by asking a site admin to reset your 2FA settings.
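The email codes described under "Setting up Email OTP" and the backup codes above share the same server-side rules: generated from a cryptographic random source, stored only as a salted hash, accepted at most once, and (for email codes) only within the 10-minute lifetime. The following Python is an added example written for this article, not WO Security Shield's own code (the plugin is PHP and its internals are not shown here); the class and function names, the in-memory store standing in for user-meta rows, and the five-attempt lockout are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import Optional

EMAIL_OTP_TTL = 10 * 60          # email codes expire after 10 minutes (from the article)
MAX_ATTEMPTS = 5                 # assumed lockout: a 6-digit code must not be guessable by retry
BACKUP_ALPHABET = string.ascii_lowercase + string.digits


def _hash_code(code: str, salt: bytes) -> bytes:
    # Codes are short, so only a salted hash is stored; a leaked table must not expose live codes.
    return hashlib.sha256(salt + code.encode()).digest()


@dataclass
class StoredCode:
    salt: bytes
    digest: bytes
    expires_at: Optional[float]    # None = no expiry (backup codes)
    used: bool = False


@dataclass
class OneTimeCodeStore:
    """In-memory stand-in (assumed) for the per-user rows a plugin would persist."""
    codes: dict = field(default_factory=dict)      # (user_id, kind) -> list[StoredCode]
    attempts: dict = field(default_factory=dict)   # (user_id, kind) -> failed tries since last issue

    def issue_email_otp(self, user_id: int, now: float) -> str:
        code = f"{secrets.randbelow(10**6):06d}"   # uniform 6-digit code from the CSPRNG
        salt = secrets.token_bytes(16)
        # A fresh request replaces any outstanding email code for this user.
        self.codes[(user_id, "email")] = [StoredCode(salt, _hash_code(code, salt), now + EMAIL_OTP_TTL)]
        self.attempts[(user_id, "email")] = 0
        return code                                 # handed to the mailer once; never logged

    def issue_backup_codes(self, user_id: int, count: int = 10) -> list:
        plaintext, rows = [], []
        for _ in range(count):
            code = "".join(secrets.choice(BACKUP_ALPHABET) for _ in range(10))
            salt = secrets.token_bytes(16)
            plaintext.append(code)
            rows.append(StoredCode(salt, _hash_code(code, salt), None))
        self.codes[(user_id, "backup")] = rows
        self.attempts[(user_id, "backup")] = 0
        return plaintext                             # shown to the user exactly once

    def redeem(self, user_id: int, kind: str, submitted: str, now: float) -> bool:
        """Accept a code at most once, only before expiry, and only while attempts remain."""
        key = (user_id, kind)
        if self.attempts.get(key, 0) >= MAX_ATTEMPTS:
            return False                              # locked until new codes are issued
        self.attempts[key] = self.attempts.get(key, 0) + 1
        for row in self.codes.get(key, []):
            if row.used or (row.expires_at is not None and now > row.expires_at):
                continue
            if hmac.compare_digest(_hash_code(submitted, row.salt), row.digest):
                row.used = True                       # single use
                self.attempts[key] = 0
                return True
        return False
```

Keeping the plaintext code out of the database is what makes the "only as secure as your email account" caveat the whole story: an attacker who reads the site's database still has nothing to submit.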

TOTP technical details

WO Security Shield implements RFC 6238 (TOTP). The algorithm:

  1. Takes the current Unix timestamp, integer-divided by 30 (the time step), as an 8-byte counter
  2. Computes HMAC-SHA1 over that counter with your shared secret key
  3. Extracts a 6-digit code from the result (dynamic truncation: the last nibble of the HMAC selects a 4-byte slice, which is reduced modulo 10^6)

The plugin accepts codes from the current time window ±1 step (60-second tolerance) to account for clock drift between your device and the server.

2FA is just one part of a comprehensive security strategy. Review the full WordPress security checklist and explore additional login page hardening techniques to lock down your site completely. Protect your WordPress admin with 2FA today at wosecurity.com.

Why 2FA Matters More Than Strong Passwords

Even a 32-character random password can be compromised through:

  • Database breaches — if another site where you used the same password gets breached
  • Phishing — a convincing fake login page captures your credentials
  • Keyloggers — malware on your computer records keystrokes
  • Session hijacking — an attacker steals your login cookie over an insecure network

2FA adds a second layer that survives all of these attacks. Even if your password is completely exposed, the attacker still can't log in without access to your second factor.

The numbers speak for themselves

According to Google's security research:

  • SMS-based 2FA blocks 96% of bulk phishing attacks
  • App-based TOTP (like Google Authenticator) blocks 99% of bulk phishing attacks
  • Hardware security keys block 100% of known automated attacks

Choosing the Right 2FA Method

Email Codes (Built into WO Security Shield)

How it works: After entering your password, a one-time code is sent to your email address.

Pros: No app installation needed, works on any device
Cons: Relies on email security, slight delay waiting for the email
Best for: Sites where not all admins are technical

TOTP Authenticator Apps (Built into WO Security Shield)

How it works: An app generates a new 6-digit code every 30 seconds, synced by a shared secret.

Pros: Works offline, no email dependency, very fast
Cons: Requires app installation, lose access if you lose your phone without backup codes
Best for: Technical teams, sites requiring frequent logins

Popular TOTP apps:

  • Google Authenticator — simple, reliable
  • Authy — cloud backup of secrets (convenient but less secure)
  • 1Password / Bitwarden — built into your password manager

Setting Up TOTP in WO Security Shield

  1. Go to WO Security → Login Security
  2. In the right sidebar, find Authenticator 2FA
  3. Scan the QR code with your authenticator app
  4. Enter the current 6-digit code to verify
  5. Click Save Authenticator Setup

That's it. Your next login will require both your password and a code from the app.

Enforcing 2FA Across Your Team

Having 2FA on your own account is good. Requiring it for all administrators is essential.

In WO Security Shield:

  • Require 2FA for administrators — forces all admin accounts to set up 2FA
  • Require 2FA for editors — extends the requirement to editor-level accounts

What happens when a user hasn't set up 2FA yet?

When 2FA is required but a user hasn't configured it:

  1. They can still log in with just their password (for now)
  2. They see a prompt to set up 2FA on the Security Shield settings page
  3. Email-based 2FA serves as an automatic fallback — even without TOTP setup, email codes add protection

Recovering From Lost 2FA Access

The most common 2FA problem: "I lost my phone and can't log in."

Prevention

  • Save backup codes when setting up TOTP — store them in your password manager or a secure physical location
  • Register your TOTP secret in two devices — scan the QR code with both your phone and a backup device
  • Use a password manager with TOTP support — 1Password and Bitwarden store TOTP secrets alongside passwords

Emergency recovery

If you're completely locked out:

  1. Use the emergency unlock token from WO Security Shield (set during initial configuration)
  2. Access your site via FTP/SSH and temporarily disable the security plugin
  3. Ask another administrator to disable 2FA for your account
  4. Contact your hosting provider for database-level access as a last resort

Common 2FA Mistakes to Avoid

  1. Using SMS-based 2FA for high-value accounts — SMS can be intercepted via SIM swapping
  2. Not requiring 2FA for all admins — one weak account compromises the entire site
  3. Storing backup codes in an unencrypted file — defeats the purpose
  4. Not testing 2FA before enforcing it — always verify your own setup works before requiring it for others
  5. Forgetting about service accounts — API accounts and automated scripts may need separate authentication handling
