The Administrator’s guide to getting started with WP 2FA – Premium edition
Thank you for purchasing WP 2FA. You’re now minutes away from a more secure website, with this guide purposefully written to help you make sure you get there as fast as possible.
You might want to take a few minutes to familiarize yourself with the features included in this edition. This will help you understand what each element is and does – allowing you to decide how to implement 2FA on your WordPress website.
Step 1 – Download and install the WP 2FA plugin
Upon completion of the purchase process, or after you request a WP 2FA plugin trial, you will receive an email that includes a download link for the plugin, as well as your license key. Remember to check your spam folder if you do not find the email in your inbox.
You can also access your account details, including the license key and plugin download link, through the My Account page. To log in, use the email you used during the license key purchase. If you do not have the password, use the forgot password function to reset the password.
Download the plugin through the provided link and install it on your WordPress website like you would with any other plugin.
Once you have installed the plugin, you will need to activate it and enter your premium license key. License keys are sent via email upon confirmation of purchase. If you cannot find the license key in your inbox, make sure you check your Spam folder. If you still cannot find it, click the Can’t find your license key? option in the license prompt or open a support ticket with WP White Security.
Step 3 – Configure your first policy
Once the WP 2FA premium license has been entered, you can proceed to configure your 2FA policies. 2FA policies specify which users use 2FA and how – giving you total control over how 2FA is implemented on your WordPress website.
To get started, click on WP 2FA from the WordPress main menu and then click on 2FA Policies.
Step 3.1: Choose who can set up 2FA
WP 2FA offers you a lot of flexibility in how 2FA is implemented on your WordPress website. You can make 2FA an optional requirement, a mandatory requirement, or remove the option completely on a user and/or role basis.
Enforcing 2FA makes it a non-optional requirement for the user on whom it is enforced. When 2FA is not enforced, it is still available, but it is not mandatory. Excluded users cannot set up 2FA.
- All users – When selecting this option, all users must configure 2FA. The plugin gives you the option to make exclusions as follows:
  - Exclude the following users – Users listed here will not be able to configure 2FA. The text field comes with auto-complete functionality.
  - Exclude the following roles – Roles listed here will not be able to configure 2FA. The exclusion applies to all users who are members of a listed role. The text field comes with auto-complete functionality.
- Only for specific users and roles – When selecting this option, 2FA will only be enforced on the users and roles listed, while remaining optional for everyone else.
  - Users – Enter the usernames you would like to enforce 2FA on.
  - Roles – Enter the role names you would like to enforce 2FA on.
- Do not enforce on any users – When selecting this option, 2FA will not be enforced on anyone and will be optional for everyone.
Step 3.2: Choose between site-wide and role-specific policies
WP 2FA allows administrators and owners to specify 2FA policies per site and per role. Site-wide policies apply to all users, while role-specific policies will only apply to users with that specific role.
Role-specific policies take precedence over site-wide policies. To illustrate this with an example, if you have a site-wide policy and an Administrator policy, admins will receive the Administrator policy while everyone else will receive the Site-wide policy. Available options are the same for both Site-wide and role-specific policies.
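The enforcement choices from Step 3.1 and the precedence rule from Step 3.2 can be dry-run against a user list before you apply them. The following is an added example, not code from WP 2FA: the `Policy` fields and function names are hypothetical, and it assumes one role per user, that each role-specific policy carries its own Step 3.1 setting, and that administrators and editors are the roles you treat as privileged.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    mode: str = "none"  # Step 3.1 choice: "all" | "specific" | "none"
    exclude_users: set = field(default_factory=set)  # used with mode "all"
    exclude_roles: set = field(default_factory=set)
    enforce_users: set = field(default_factory=set)  # used with mode "specific"
    enforce_roles: set = field(default_factory=set)

def policy_for(role, site_wide, role_policies):
    """Step 3.2: a role-specific policy takes precedence over the site-wide one."""
    if role in role_policies:
        return "role:" + role, role_policies[role]
    return "site-wide", site_wide

def state_for(username, role, policy):
    """Step 3.1: return 'enforced', 'optional' or 'excluded' for one user."""
    if policy.mode == "all":
        if username in policy.exclude_users or role in policy.exclude_roles:
            return "excluded"  # excluded users cannot set up 2FA
        return "enforced"
    if policy.mode == "specific":
        if username in policy.enforce_users or role in policy.enforce_roles:
            return "enforced"
        return "optional"
    return "optional"  # "Do not enforce on any users"

def dry_run(users, site_wide, role_policies, privileged=("administrator", "editor")):
    """Resolve every user; list privileged accounts left without enforced 2FA."""
    report, gaps = {}, []
    for username, role in users:
        source, policy = policy_for(role, site_wide, role_policies)
        state = state_for(username, role, policy)
        report[username] = (source, state)
        if role in privileged and state != "enforced":
            gaps.append(username)
    return report, gaps

# Constructed sample data (not taken from a real site)
USERS = [("alice", "administrator"), ("bob", "editor"),
         ("carol", "subscriber"), ("svc-backup", "administrator")]
SITE_WIDE = Policy(mode="specific", enforce_roles={"editor"})
ROLE_POLICIES = {"administrator": Policy(mode="all", exclude_users={"svc-backup"})}

if __name__ == "__main__":
    report, gaps = dry_run(USERS, SITE_WIDE, ROLE_POLICIES)
    for name, (source, state) in report.items():
        print(f"{name:12} {source:20} {state}")
    print("privileged without enforced 2FA:", gaps)
```

In the sample, the excluded administrator account is the one the dry run flags: an exclusion on a privileged user removes 2FA from exactly the account an attacker would value most.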
Step 3.3: Enable and configure 2FA methods
Here you can choose which 2FA methods the user will be able to configure and use. You need to choose at least one option. When selecting multiple options, the user can choose the method they prefer from the selections you make here.
- One-Time code via 2FA App – When selecting this method, users will be able to configure a supported 2FA Authenticator app to receive their OTP
- Link via email – When selecting this method, users will be able to receive a link in their email that acts as their 2FA authentication method without an OTP
  - Link will be valid for – Enter how many minutes the link sent in the email will be valid for
  - Require users to specify email address before sending
    - Yes – Allows users to specify an alternate email address to which WP 2FA will send the 2FA link
    - No – WP 2FA will send the 2FA link to the email address configured in the user’s WordPress account
- Push notification via Authy – When selecting this method, users will receive a push notification on their Authy App (requires configuration of Authy API key)
- One-time code via SMS (with Twilio) – When selecting this method, users will receive their 2FA OTP as an SMS (requires configuration of Twilio account)
- One-Time code via email – When selecting this method, users will be able to log in using a code received via email
Step 3.4: Enable and configure alternative 2FA authentication methods
Alternative 2FA authentication methods enable users to set up an alternative 2FA method to be used should there be an issue with their primary method such as a broken or dead phone. By enabling and configuring an alternative 2FA authentication method, you can ensure users are still able to log in to WordPress without requiring helpdesk assistance while minimizing user downtime.
- Backup codes – Enable this option to allow users to receive backup codes. Backup codes are one-time use codes that are given to the user in bulk. Once a backup code is used, it cannot be used again.
- Allow users to use email-based 2FA as an alternative 2FA authentication method – Enable this option to allow users to receive an OTP via email. Consider enabling this alternative 2FA authentication method when the primary 2FA method is set to ‘One-time code via 2FA App’.
You have now configured a basic 2FA policy for your WordPress website. Take a moment to congratulate yourself – not only did you manage to complete the task, but your website is much safer as a result.