Two-factor authentication for WordPress
Two-factor authentication (also known as multi-factor authentication and 2FA) is a method for securing user accounts. This method requires a user to know something (e.g. a password), and requires a user to possess something (e.g. their mobile device). Requiring multiple forms of verification is a basic way to protect sites against common account breaches due to leaked or guessed passwords. Two-factor authentication options are integrated with all WordPress sites on the VIP Platform.
By default, two-factor authentication is required on the VIP Platform for all WordPress user accounts with an Administrator role or custom roles with the manage_options capability.
Enable two-factor authentication for a single user
For a user who has an existing WordPress account on a site to enable two-factor authentication:
- Access the WordPress admin dashboard by logging in with a username and password.
- From the sidebar, navigate to “Users > Your Profile” to view the user profile option settings.
- Enable the preferred authentication method(s) in the section labeled “Two-Factor Options“.
- Select the “Update Profile” button to save the updated settings.
Enforce two-factor authentication for user roles and capabilities
To force two-factor authentication for specific roles and capabilities, use the wpcom_vip_is_two_factor_forced filter. This code will only work as expected if added to a file within the client-mu-plugins directory.
In this code example, two-factor authentication is enabled for all user roles with the edit_posts capability:
add_action( 'set_current_user', function() {
	// Force 2FA for any user who can edit posts (Contributor and above by default).
	$limited = current_user_can( 'edit_posts' );
	// Highest priority so this decision is applied after any other callbacks on the filter.
	add_filter( 'wpcom_vip_is_two_factor_forced', function() use ( $limited ) {
		return $limited;
	}, PHP_INT_MAX );
} );
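The example above keys enforcement on a single capability. As an added example (not code from the VIP documentation or from the platform's plugins), the snippet below generalizes it to a list of capabilities and roles, and assumes that the filter receives the platform's own default decision as its first argument so that the callback can only tighten enforcement, never relax it; the capability and role lists are constructed for illustration.

```php
<?php
/**
 * Added example: force two-factor authentication for any user who holds one
 * of several capabilities or belongs to one of several roles. Intended for a
 * file under client-mu-plugins/ so it runs alongside the platform's own check.
 */

// Constructed lists: capabilities and roles that must always use 2FA.
const EXAMPLE_2FA_FORCED_CAPS  = array( 'edit_posts', 'publish_pages', 'upload_files' );
const EXAMPLE_2FA_FORCED_ROLES = array( 'editor', 'author', 'shop_manager' );

add_action( 'set_current_user', function () {
	$user = wp_get_current_user();

	// Logged-out requests resolve to user ID 0; there is nothing to enforce.
	if ( ! $user || 0 === $user->ID ) {
		return;
	}

	$forced = false;

	// Any single matching capability is enough to require 2FA.
	foreach ( EXAMPLE_2FA_FORCED_CAPS as $cap ) {
		if ( user_can( $user, $cap ) ) {
			$forced = true;
			break;
		}
	}

	// Role membership is checked independently of capabilities.
	if ( ! $forced && array_intersect( EXAMPLE_2FA_FORCED_ROLES, (array) $user->roles ) ) {
		$forced = true;
	}

	// Assumption: $is_forced is the platform default (e.g. true for manage_options).
	// OR-ing with it means this filter can only add enforcement, never remove it.
	add_filter( 'wpcom_vip_is_two_factor_forced', function ( $is_forced ) use ( $forced ) {
		return (bool) $is_forced || $forced;
	}, PHP_INT_MAX );
} );
```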
Enforce two-factor authentication for all users
Set the wpcom_vip_is_two_factor_forced filter to __return_true to enforce two-factor authentication for all users on a site. This code will only work as expected if added to a file within the client-mu-plugins directory.
add_filter( 'wpcom_vip_is_two_factor_forced', '__return_true' );
Reset two-factor authentication for locked out users
Users with an Administrator or Super Admin role for a site are able to assist other users that are locked out of their account for reasons related to two-factor authentication.
Before an Administrator or Super Admin disables or resets two-factor authentication for a user, confirm that the user has indeed lost access to their account. Because emails can be faked, confirm with the individual in person or over the phone.
Once the Administrator or Super Admin has confirmed the user’s identity:
- Log into the site to access the WordPress Admin.
- Navigate to the Users dashboard from the sidebar.
- Search for the locked out user by their email address or username.
- Select the user’s username from the search results.
- In the “Two-Factor Options” section of the user’s profile, complete one of the following options:
  - Option 1: Deselect all available two-factor methods. This will allow the user to log in without needing any additional code.
  - Option 2: Enable the Backup Verification Codes option. Select the “Generate Verification Code” button to generate a one-time use code. Send the backup code to the user to log in to their account.
Once the user regains access to their account, they should make additional updates to their two-factor settings to prevent losing access moving forward (e.g. resetting the phone number). It is also recommended that the user print out their backup codes to prevent future lockouts.
Disable two-factor authentication enforcement
Caution
The wpcom_vip_is_two_factor_forced filter should only be set to __return_false if an alternative external auth provider has been added to a site to enforce two-factor authentication.
Enforcement of two-factor authentication can be disabled for all users by setting the wpcom_vip_is_two_factor_forced filter to __return_false. The site’s users will still have the ability to opt in to two-factor authentication and set options for their individual account. This code will only work as expected if added to a file within the client-mu-plugins directory.
add_filter( 'wpcom_vip_is_two_factor_forced', '__return_false' );
Last updated: July 25, 2024