On May 14, 2019, Wordfence updated its WordPress plugin to version 7.3.1. This change added a major upgrade to the security features it offers – Two-Factor Authentication.
Let’s take a look at what this can mean for your site(s) and how you might decide to implement it.
The Hacking Continues
It’s no big secret that there are “bad guys” out there who would like to get control of your website and use it for nefarious purposes. Just because you have a humongous password, that doesn’t mean they’ll stop trying to get in.
And every once in a while, they’ll succeed. (Thankfully, I haven’t had any of my sites invaded. I can tell they’re trying though.)
Two-Factor Authentication (aka 2FA) has been around for a while, but I’ve never bothered with it…until now. Wordfence has made it so simple to use that I just couldn’t resist with this latest plugin update.
You shouldn’t resist (if you had been) anymore either. Resistance isn’t quite futile, but it’s close. (For those who aren’t Star Trek fans, realize that there was a Borg reference there. Never mind….)
One of the reasons I decided to implement 2FA now was that I fairly recently got a new cell phone – one that’s less than 5 years old. I now use it much like the next generation does – as a handheld computer, instead of just for phone calls and text messages.
Using 2FA with the Wordfence plugin requires you to have an authentication app on your phone. Since I am now “with it” phone-usage-wise, this wasn’t nearly so intimidating to me as it would have been a short while ago. (Some of you think of me as a really techie guy, and I am to a point. I’m not bleeding edge tech savvy though.)
Setting Up 2FA on Your Site
After you update Wordfence to version 7.3.1, you’ll see a new submenu item in your WordPress dashboard under Wordfence. (If you don’t see it right away, log out and back into your site.)
It should look similar to the partial screenshot above.
Realize that there are several parts of this implementation that I can’t/shouldn’t show you because this is security stuff that is specific to one of my sites. You’ll just have to trust my description.
After you click “Login Security”, you’ll see a screen with 2 tabs: Two-Factor Authentication and Settings. The Two-Factor Authentication tab shows a huge QR code on the left and a place to enter a one-time use code on the right (along with some words of explanation, if I recall correctly).
It’s this QR code (one of those squares that looks like a poorly-played Tetris screen) that requires you to have an authentication app on your phone so you can scan it.
So let’s back up just a bit.
You may already have downloaded an authentication app to your phone for other reasons. I hadn’t done so, so I chose to use “Google Authenticator”. Wordfence suggests this one and several others. It doesn’t matter a whole lot which one you use.
Since I had never used an app like this before, I decided first to try it out on one of my Google accounts. That’s partly why I picked the Google app in the first place.
It worked like a charm. (Actually, I think many of Google’s apps really are magical charms.)
Then I hit the plus sign in the app to add a new account(?) and selected “Scan a barcode” from a popup menu. I pointed my phone at the QR code on my laptop screen. The app immediately recognized it and added “Wordfence (mysite.com (myuserID))” to a list on my phone screen.
A string of 6 large blue numbers appeared along with that description. A 30-second timer also started “ticking” away at the side. Every 30 seconds those 6 numbers change.
On my laptop, I entered those numbers to the right of the QR code and clicked a button. I think it was at this point that Wordfence suggested I download the recovery codes to my computer as a text file. I did so. You would need these codes if for some reason the normal method (the 6 numbers) is unavailable to you at login time.
The Wordfence screen now tells me that 2FA is active. But we’re not quite done yet.
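To show what is going on behind the QR code and the six digits that change every 30 seconds, here is an added Python example (my own illustration, not Wordfence’s or Google’s code) of the TOTP scheme (RFC 6238) that authenticator apps use: the phone and the site share a secret carried in the QR code, and each derives the same six digits from the current 30-second window. The demo secret is the RFC test key, and the otpauth label format is an assumption, not Wordfence’s exact one.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# Constructed demo secret (the RFC 6238 reference key), NOT a real Wordfence key.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # the 30-second timer the app shows
DIGITS = 6          # the six blue numbers


def totp_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the six rotating digits for a given moment."""
    counter = unix_time // step                      # which 30-second window we are in
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_code(secret: bytes, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Site-side check: accept the current window and +/- drift_steps for clock skew,
    comparing in constant time so timing does not leak how close a guess was."""
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp_code(secret, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def otpauth_uri(secret: bytes, issuer: str, account: str) -> str:
    """What the QR code encodes: the shared secret in base32 plus the label the app displays.
    The issuer:account label layout is an assumption about how Wordfence names entries."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": b32, "issuer": issuer, "digits": DIGITS, "period": STEP_SECONDS})
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    now = int(time.time())
    print(otpauth_uri(DEMO_SECRET, "Wordfence", "mysite.com (myuserID)"))
    print("current code:", totp_code(DEMO_SECRET, now),
          "seconds left:", STEP_SECONDS - now % STEP_SECONDS)
```

Anyone who copies the secret out of the QR code can generate the same digits, which is why the setup screen should not be screenshotted or shared.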
Setting Up 2FA Settings
When you click over to the Settings tab, you’ll see lots of options. There is a User Summary at the top which quickly tells you how you have decided to use 2FA for the Users registered at your site. Below that are the actual settings you can choose.
There is a box containing all the possible roles on your site. Depending on which other plugins you use, you may have more or fewer roles than another site.
The Administrator role is checked by default, and you can’t uncheck it. You must set up at least this role for 2FA to be of any use. I decided to leave it at that on all my sites. You probably will too.
I checked just 2 boxes among the several that follow. One says, “Require 2FA for all Administrators.” The other says, “Allow remembering device for 30 days.”
I also clicked the “Skipped” button related to XML-RPC because I use the Jetpack plugin on most of my sites. Honestly, I don’t understand what that’s all about, but the accompanying text suggested it, so I clicked it.
Other options, such as whitelisting IPs and implementing reCAPTCHA, I didn’t mess with. You may have reasons for doing so.
Then it came time to test it.
Logging In with 2FA
I logged out of my site and saw the usual userID and password screen. After trying to log in as usual, I saw this screen.
“Aha!” said I. (Maybe.) “It appears to be working! Yay.”
I went back to my phone to get the 6-number code, typed it in, clicked the 30 days box, clicked the “Log In” button, and I was back in!
That’s it. Can you see how this makes your site much more secure? (At least, until some whiz kid figures out a workaround.)
And since I checked the 30 days box, I’ll only have to use the code from my phone once a month.
Now it’s your turn. Grab an authentication app and get started. Let me know if you have questions about this. I’ll answer as best I can.