Skip to content

Restricting site access

Two-factor authentication

Two-factor authentication (also known as multi-factor authentication and 2fa) is a method for securing user accounts. This method requires a user to know something (e.g. a password), and requires a user to possess something (e.g. their mobile device). Requiring multiple forms of verification is a basic way to protect sites against common account breaches due to leaked or guessed passwords. Two-factor authentication options are integrated with all WordPress sites on the VIP Platform.

By default, two-factor authentication is required for all administrators and custom roles with the manage_options capability on the VIP Platform.

Enable two-factor authentication for a single user

A user with an existing WordPress account on a site can enable two-factor authentication by:

  1. Log in to the site to access the WordPress admin dashboard.
  2. From the sidebar, navigate to “Users > Your Profile” to view user profile option settings.
  3. Enable the preferred authentication methods in the section labeled “Two-Factor Options“.
  4. Select the “Update Profile” button to save the updated settings.

Enforce two-factor authentication for user roles and capabilities

To force two-factor authentication for specific roles and capabilities, use the wpcom_vip_is_two_factor_forced filter. This code should be added to a file in the client-mu-plugins directory.

In this code example, two-factor authentication is enabled for all user roles with the edit_posts capability:

add_action( 'set_current_user', function() { 
    $limited = current_user_can( 'edit_posts' );
    add_filter( 'wpcom_vip_is_two_factor_forced', function() use ( $limited ) {
        return $limited;
    }, PHP_INT_MAX );
} );

Enforce two-factor authentication for all users

Set the wpcom_vip_is_two_factor_forced filter to __return_true to enforce two-factor authentication for all users on a site. This code should be added to a file in the client-mu-plugins directory.

add_filter( 'wpcom_vip_is_two_factor_forced', '__return_true' );

Disable two-factor authentication enforcement

Caution

The wpcom_vip_is_two_factor_forced filter should only be set to __return_false if an alternative external auth provider has been added to a site to enforce two-factor authentication.

Enforcement of two-factor authentication can be disabled for all users by setting the wpcom_vip_is_two_factor_forced filter to __return_false. The site’s users will still have the ability to opt-in to two-factor authentication and set options for their individual account. This code should be added to a file in the client-mu-plugins directory.

add_filter( 'wpcom_vip_is_two_factor_forced', '__return_false' );

Reset two-factor authentication for locked out users

Users with an Administrator or Super Admin role for a site are able to assist other users that are locked out of their account for reasons related to two-factor authentication.

Before an Administrator or Super Admin disables or resets two-factor authentication for a user, confirm that the user has indeed lost access to their account. Because emails can be faked, confirm with the individual in person or over the phone.

Once the Administrator or Super Admin have confirmed the user’s identity:

  1. Log into the site to access the WordPress Admin.
  2. Navigate to the Users dashboard from the sidebar.
  3. Search for the locked out user by their email address or username.
  4. Select the user’s username from the search results.
  5. In the “Two-Factor Options” section of the user’s profile, complete one of the following options:
  • Option 1: Deselect all available two-factor methods.
    This will allow the user to login without needing any additional code.
  • Option 2: Enable the Backup Verification Codes option.
    Select the “Generate Verification Code” button to generate a one-time use code.
    Send the backup code to the user to log in to their account.

Once the user regains access to their account, they should make additional updates to their two-factor settings to prevent losing access moving forward (e.g., resetting the phone number). It is also recommended that the user prints out their backup codes to prevent future lockouts.

Last updated: March 01, 2022