Using 2FA to secure your WordPress website is by far one of the best security measures you can take. It adds an additional layer of security while being very easy to set up. Furthermore, it has a proven track record of stopping the vast majority of login-based attacks, such as brute-force attacks. While many WordPress administrators have already implemented 2FA, several still shy away from this technology. A major reason for this is the misconception about lockouts.
In this article, we will be looking at preemptive steps you can take to avoid lockouts. We will also look at what you can do if you’ve been locked out due to a loss of the 2FA device or a service outage.
Table of contents
- 2FA on WordPress
- How to plan ahead – how to prevent 2FA lockouts
- How to plan afterward – how to log in if you’re currently locked out
- Why do lockouts happen?
- WP2FA – Have the 2FA cake and eat it too
- Frequently asked questions
2FA on WordPress
2FA can easily be implemented on any WordPress website using a WordPress plugin. In most cases, the plugin works independently of any other service and does not require any 3rd party subscription. This reduces the number of ‘moving parts’ in the ecosystem. Some 2FA methods, such as SMS, WhatsApp, and voice, will require a separate subscription to function since these depend on 3rd party networks to deliver the OTP (One Time Password) required for 2FA to function.
In this article, we will be using the WP 2FA plugin to illustrate 2FA recovery options when using 2FA on WordPress. It should be noted that WP 2FA comes with no less than six different authentication channels to choose from, making it one of the most comprehensive WordPress 2FA plugins available on the market today.
How to plan ahead – how to prevent 2FA lockouts
Planning ahead is often the best way to avoid the aches and pains of a 2FA lockout. Whether you’ve already configured 2FA or are still in the research phase, there are steps you can take to avoid lockouts. Not only will this alleviate your and your users’ apprehension about the technology, but it will also avoid downtime and eliminate productivity loss.
Grace period to set up 2FA
One of the issues many WordPress admins face is users not setting up two-factor authentication within the grace period provided. Depending on how the policy is configured, the user account may be blocked, requiring an administrator to unblock them.
While this might be the more secure option, if you’re an administrator managing more than your fair share of absent-minded users, you might want to block access to the dashboard until 2FA is configured instead. This ensures users do set up 2FA without requiring intervention from your end to unblock the account.
Alternative 2FA verification methods
WP2FA offers a selection of alternative 2FA authentication methods to help you preempt lockouts. Since lockouts can happen for various reasons that can be outside of your control – such as a user forgetting or losing their phone – taking preemptive measures is always a smart choice.
Alternative verification methods let you choose an alternative 2FA method should the primary method fail. Here, a user can set up any of the available methods as their primary method and then pre-configure a secondary method. Let’s illustrate this with an example. A user might have the TOTP Authenticator app set as their primary method and email as their second. Should they ever forget their phone, take it in for repairs, or run out of battery, they can simply choose to receive their OTP via email instead.
WP 2FA also offers backup codes that users can pre-download to use should they find themselves unable to log in with their primary method.
How to plan afterward – how to log in if you’re currently locked out
If you’re currently locked out and do not have a backup method or secondary method configured, you can still regain access to your WordPress account. It takes a bit more work, but it shouldn’t take more than a few minutes.
Before going further, you should first check if there is any other admin user that still has access to WordPress. If this is the case, you can ask them to reset your 2FA configuration through the profile page.
If there is nobody that can reset your 2FA configuration, you will need to manually disable the plugin so that you can access WordPress without having to enter your 2FA code. You will need FTP/SFTP or SSH access to rename the plugin folder. This will effectively deactivate the plugin, allowing you to log in without 2FA. Keep in mind that while the plugin is deactivated, no account on the site is protected by 2FA.
Why do lockouts happen?
2FA lockouts can happen for a few reasons, depending on the chosen method. Knowing why you’re not receiving a code or why the code is not working can help you troubleshoot issues that much faster.
2FA email authentication
Email authentication is one of the easiest ways users can get their authentication code to log in. While this method works perfectly well, you need to remember that it is dependent on your WordPress website being able to send emails in a timely fashion. It is also dependent on factors outside of your control, such as your hosting provider forwarding any such emails.
WordPress uses the wp_mail function to send emails. The function is based on the PHP mail function, which is not the most reliable option to ensure the delivery of emails. One other thing to consider is your hosting. Some hosting providers ban email outright to avoid their servers being used to send spam.
2FA authenticator app authentication
Apps such as Google Authenticator and Authy often provide a no-fuss way to receive the one-time code required for logging in with 2FA. These apps use a time-based algorithm to stay in sync, with the first synchronization done through a QR code.
Apps and servers can run out of sync, so re-syncing your app might fix your issues. If you are changing phones, Google Authenticator allows you to transfer your codes from one phone to another. On the other hand, Authy allows you to take cloud backups of your codes, so all you need to do to retrieve your codes is to log in with your credentials – be it on a new phone or even your PC or laptop.
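To show why an out-of-sync clock makes a correct-looking code fail, here is an added example (not code from WP 2FA or from this article's author) that implements the standard time-based algorithm, RFC 6238, and checks a code against a server clock. The secret, the timestamps and the window sizes are constructed for illustration and are not the plugin's settings.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 6238 test key, Base32-encoded the way a
# setup QR code carries it. Not a real account secret.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, server_time, window=1, step=30):
    """Return the matching step offset (0 = in sync), or None if rejected."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * step,
                        step, len(submitted))
        if hmac.compare_digest(expected, submitted):
            return drift
    return None


def demo():
    server_time = 1111111109                  # constructed server clock reading
    in_sync = totp(SECRET, server_time)       # phone agrees with the server
    drifted = totp(SECRET, server_time + 90)  # phone clock runs 90 s fast
    return {
        "in_sync": verify(SECRET, in_sync, server_time),
        "drifted_strict": verify(SECRET, drifted, server_time, window=1),
        "drifted_wide": verify(SECRET, drifted, server_time, window=3),
    }


if __name__ == "__main__":
    print(demo())
```

A wider window tolerates more drift but also keeps each code valid for longer, so correcting the clock on the phone or the server is the better fix.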
WP2FA – Have the 2FA cake and eat it too
WordPress security is critical in ensuring the longevity of your website. 2FA is a low-hanging fruit that offers serious bang for your buck. With many big-name companies and experts rallying behind the technology, its effectiveness is indisputable. Yet, many administrators fear user lockouts are more trouble than 2FA is worth. As this article has shown, this is not the case with WP2FA.
With so many ways to avoid user lockouts, there is no reason why WordPress administrators shouldn’t offer 2FA to their users. Planning ahead is always recommended, but we’re all wiser when looking retrospectively. This is why we have also touched upon what you can do to restore access after the fact, giving you all the information you need to make sure your 2FA implementation is a resounding success.
Frequently asked questions
There are many possible reasons why you might not be receiving your 2FA email. In most cases, it might be an issue with WordPress having trouble sending emails, or a node in the chain that is, for one reason or another, not forwarding the email properly.
WP 2FA comes with a built-in email tester that can allow you to verify that the email is being sent. However, this is not the entire story, and as such, it is worth taking a minute to understand how emails are sent and delivered.
In a nutshell, WP 2FA composes the email and forwards it to WordPress, which then sends the email to the configured SMTP server. WordPress does this by using a function called wp_mail, which is built on PHP’s mail function. While this tends to work pretty well out of the box, it can be prone to issues.
A plugin such as Check & Log Email is a good tool to have. It logs all sent emails and provides tools for debugging. WP 2FA also allows you to test email delivery, which you can access by navigating to WP 2FA > Settings > Email Settings & Templates. If all goes well here, the problem may lie further down the line. You might want to consider opting for an SMTP email plugin to improve email delivery reliability.