How to Add 2FA to Your Nonprofit's WordPress Website
February 11, 2021
This year, WordPress has passed 40% market share of all websites, up from 35.4% in January 2020. Because of its popularity among CMS (Content Management Systems), WordPress is known to be a target by hackers.
Attackers commonly try to gain access to WordPress through the login page using software to guess your usernames and passwords. Once they’re inside, they can wreak havoc on your website:
- Take your site down and demand a ransom to bring it back online
- Delete pages, blog posts, or your theme
- Steal personal data
Luckily, there’s a way to prevent an attack and it’s by adding a secondary step to the login page with 2FA (Two Factor Authentication).
In this article, you’re going to learn how to set up 2FA and Google Authentication onto your website. Adding this security feature to your website will strengthen it and help prevent attacks from happening in the first place.
Download the Google Authenticator plugin
To begin, you’ll need to download and install the free 2FAS Light – Google Authenticator plugin from the WordPress directory. You can either do it manually or go to the WordPress dashboard and click Plugins > Add New. Once it’s installed, be sure to activate it.
There’s a four-step process that you’ll need to take to get everything working properly:
- Download the authentication app
- Activate the QR code
- Enter a 6-digit token generated by the app
- Verify that 2FA is working properly
2. Scan and activate QR code
Go back to the 2FAS Light – Google Authenticator plugin settings page and scan the QR code you see on the screen with your phone. Once this is complete, the app on your phone will automatically generate a 6-digit token.
3. Enter the 6-digit token
While on the plugin settings page, enter the 6-digit token which was created by the mobile app.
4. Verify 2FA is installed correctly
You should see an alert that says the 2FA token is configured. This means the plugin is set up correctly.
Finally as a last step to verify 2FA works properly, log out of WordPress and then log back into it again. After entering your username and password, you will be directed to a secondary login page where you need to enter the token (from the Google Authenticator app).
That’s it, you’re all set!
Bonus Tip: If you want a plugin that's a bit more robust, try the WP 2FA – Two-factor Authentication for WordPress by WP White Security.
By Chuck Spidell, the Nonprofit WordPress Security Expert who helps communications teams free up their time and lock down WordPress from getting hacked.