red line

Wordfence 2FA For Admins

Making 2FA required for all admins with Wordfence requires you to navigate past a gotcha that can be tricky to debug unless you already know about it. This post will introduce you to this gotcha and explain how to require 2FA for all admins.

Two-factor authentication (2FA) makes your website far harder to break into than a password-only login does. So, you should make 2FA required for all users, especially admins.

2FA adds a second requirement for gaining access to your site. The first requirement is a password, which is something you know. The second is something you have: a 2FA token generated by your mobile phone. So, to log in with 2FA, you must both know your password and have your mobile phone.

There are many ways to implement 2FA on WordPress. One of the easiest is to use a plugin many of you will already have activated, Wordfence. The one tricky thing about requiring all admins to use 2FA in Wordfence is that Wordfence sets up some guard rails to ensure you are not locked out of your website by enforcing 2FA when no one has 2FA set up. Watch the video or read the description below for more details:

To make 2FA required for a user, you must set a grace period for that user. The grace period allows some time for a user to log in without 2FA in order to set up 2FA.

The first thing you’ll notice if you make 2FA required for all admins and set a grace period is that the list of admins will not show the grace period as active for any admin user. This is because the grace period needed for required 2FA activation must be turned on manually for each admin user. This is to prevent accidentally locking users out.

The second thing you’ll notice is that there is no place to manually activate the grace period for any user. The trick to get the grace period activation to show up for users is to activate 2FA for at least one user, so you should activate 2FA for yourself. Requiring at least one admin with 2FA is a safety precaution to ensure that admins don’t get locked out of the site.

So, in short, first activate 2FA for yourself, then require it for all admins, and finally manually set the grace period for all admins.
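The two guard rails described above (enforcement can only be switched on once at least one admin already has 2FA, and an admin without 2FA can only log in while a manually activated grace period is running) are easy to reason about as a small state model. The following is an added illustration written for this post, not Wordfence's code: the `SitePolicy`, `User` and `LockoutError` names, the 10-day grace length and the reference time `NOW` are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class User:
    login: str
    role: str
    has_2fa: bool = False
    grace_started: Optional[datetime] = None   # None: grace period was never activated for this user


@dataclass
class SitePolicy:
    require_2fa_roles: set = field(default_factory=set)
    grace_period: timedelta = timedelta(days=10)  # hypothetical length; the real value is configured in the UI


class LockoutError(Exception):
    """Raised when a change would leave no admin able to log in."""


def requirement_can_be_enabled(users: List[User], role: str) -> bool:
    """Guard rail 1: at least one user of the role must already have 2FA active."""
    return any(u.role == role and u.has_2fa for u in users)


def enable_requirement(policy: SitePolicy, users: List[User], role: str) -> None:
    if not requirement_can_be_enabled(users, role):
        raise LockoutError(f"refusing to require 2FA for '{role}': no {role} has 2FA active yet")
    policy.require_2fa_roles.add(role)


def activate_grace_period(user: User, now: datetime) -> None:
    """Guard rail 2: the grace period is per user and must be switched on deliberately."""
    user.grace_started = now


def login_allowed_without_2fa(policy: SitePolicy, user: User, now: datetime) -> Tuple[bool, str]:
    """Decide whether a password-only login is accepted, and explain why."""
    if user.role not in policy.require_2fa_roles:
        return True, "2FA is not required for this role"
    if user.has_2fa:
        return False, "2FA is set up, so the second factor is required at login"
    if user.grace_started is None:
        return False, "2FA is required and no grace period was activated: the user is locked out"
    if now <= user.grace_started + policy.grace_period:
        return True, "within the grace period: may log in once to set up 2FA"
    return False, "grace period expired without 2FA being set up: the user is locked out"


NOW = datetime(2024, 1, 1, 9, 0)   # constructed reference time for the walkthrough


def demo() -> dict:
    """Walk through the order recommended in the post and record each outcome."""
    policy = SitePolicy()
    me = User("me", "administrator")
    colleague = User("colleague", "administrator")
    results = {}
    # Trying to require 2FA before anyone has it is refused.
    results["enable_before_any_2fa"] = requirement_can_be_enabled([me, colleague], "administrator")
    # Step 1: activate 2FA for yourself. Step 2: require it for all admins.
    me.has_2fa = True
    enable_requirement(policy, [me, colleague], "administrator")
    # Without a grace period the other admin is already locked out.
    results["colleague_no_grace"] = login_allowed_without_2fa(policy, colleague, NOW)[0]
    # Step 3: manually activate the grace period for the remaining admins.
    activate_grace_period(colleague, NOW)
    results["colleague_in_grace"] = login_allowed_without_2fa(policy, colleague, NOW + timedelta(days=3))[0]
    results["colleague_after_grace"] = login_allowed_without_2fa(policy, colleague, NOW + timedelta(days=11))[0]
    results["me_must_use_2fa"] = login_allowed_without_2fa(policy, me, NOW)[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```

Running `demo()` shows why the order matters: the "colleague_no_grace" outcome is the lockout the post warns about, and it only goes away once the grace period is activated for that user.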