With the WP Ghost plugin, you can activate 2FA to secure your website’s login path, adding an extra layer of protection to your admin dashboard. This feature ensures that even if a hacker gains access to your password, they won’t be able to log in without the second authentication factor.
Enabling 2FA through WP Ghost protects your website with a more resilient security framework, keeping your admin area secure from potential threats.
What is Two-Factor Authentication (2FA) in WordPress?
Two-Factor Authentication, or 2FA, is like adding a second lock to your door. When you log in to your website, you need more than just your password (the first lock). With 2FA, you also need a second key, like a code sent to your phone or email.
Even if someone steals your password, they can’t log in without the second key. This makes your website much harder for hackers to break into, keeping it safe and secure.
Two-factor authentication (2FA) helps you add an extra layer of security to your WordPress site by requiring both a password and an additional verification step to log in. This verification comes from something that only an authorized user can access, such as an email message or an app-generated code.
Here’s a deeper dive into why 2FA is a valuable addition to your security toolkit.
Why is it Essential to Use Two-Factor Authentication (2FA)?
- Strengthens Login Security: 2FA significantly increases security by introducing an additional level of protection. Even if a malicious entity obtains a password, they will still be unable to access the account without the second verification.
- Deters Cyber-attacks: Implementing 2FA reduces the appeal of your site to hackers. A double authentication mechanism presents an added hurdle for malicious entities, discouraging many attempts.
- Efficient and Seamless Integration: While certain security upgrades may seem cumbersome or complex, 2FA manages to find a sweet spot between boosting security and keeping things user-friendly. You’ll likely find the process to be quite natural and intuitive once you get the hang of it.
Now that you know some of the key advantages of using 2FA for your website, let’s walk through how to set this up with WP Ghost.
How to Use Two-Factor with WP Ghost
To use the 2FA feature from WP Ghost, you’ll need the WP Ghost – Advanced Pack plugin. The plugin is installed/activated automatically with a single click, costs nothing extra, and uses the same account.
Activate Two-Factor Authenticator Feature
By default, the 2FA feature is not activated in WP Ghost and is not visible in the menu. To activate the feature and install the advanced pack, follow these steps:
- Go to WP Ghost > Overview > Features.
- From the features list, switch on the 2FA feature to activate the feature options.
- Click on Start Feature Setup to access the 2FA Settings page.
If the WP Ghost Advanced Pack is not yet installed, you will see the option to install it with just one click.
Simply click on the “Install/Activate WP Ghost – Advanced Pack” button.
The WP Ghost – Advanced Pack plugin is now activated for your website and it is listed among your Plugins.
2FA Code Method
You should start by selecting the Two-Factor Authentication (2FA) method you wish to set up for your website.
Activate 2FA Code
When using this method, you must set up an authenticator app like Google Authenticator or Authy to generate a one-time code.
Once verified, you’ll be asked for the code generated and displayed by your authenticator app whenever you log in. You must enter this code on the login page to confirm your identity and gain access to your WordPress dashboard.
- Go to WP Ghost > 2FA Login > Settings.
- Click on 2FA Code to activate the Two Factor Authentication by QR Code option.
- Click Save to apply the changes.
Setup 2FA Code
Let’s take a look at the customization settings that are available for 2FA Code.
Max fail attempts
This setting determines how many times a user can enter an incorrect 2FA code before their IP is blocked.
By default, this is set to 5 attempts, meaning a user will be blocked after five incorrect attempts. Adjust this number if needed.
Ban duration
This setting allows you to customize the duration (in seconds) for which an IP will be banned after exceeding the maximum number of failed attempts.
By default, this is set to 900 seconds, which is 15 minutes. Change this duration if needed.
Failed Attempts Message
Shows an alert message to a specific user when there have been failed attempts on their account.
This automatic, pre-configured notification alerts users to login attempts on their account in which a valid 2FA code was not provided.
Note! This means the user passed the login credentials but not the 2FA process.
The message will be customized for each user with the following built-in variables:
- {count}: Indicates the number of times that particular user didn’t provide a correct code.
- {time}: Shows the duration since the user’s last failed login attempt.
Lockout Message
Show message instead of the login form for a blocked user.
This automatic, pre-configured notification will show instead of the WordPress login form when a user experiences a lockout.
The message will be customized for each user with the following built-in variables:
- {time}: Indicates the number of seconds users must wait before they can enter a new verification code and attempt to log in again.
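To make the interaction between Max fail attempts, Ban duration and the two message templates concrete, here is an added Python model of that lockout logic. It is illustrative code written for this article, not the plugin's own implementation, and the two message texts are constructed examples that only reuse the {count} and {time} placeholders described above.

```python
# Defaults from the settings above: 5 failed codes, then a 900-second (15-minute) IP ban.
MAX_FAIL_ATTEMPTS = 5
BAN_DURATION = 900
# Constructed message templates using the page's {count}/{time} placeholders (not the plugin's wording).
FAILED_ATTEMPTS_MESSAGE = "Warning: {count} failed 2FA attempts on your account, the last one {time} seconds ago."
LOCKOUT_MESSAGE = "Your IP is temporarily blocked. Try again in {time} seconds."


class TwoFactorLimiter:
    """Hypothetical model of the per-IP lockout and per-user alert described above."""

    def __init__(self, max_attempts=MAX_FAIL_ATTEMPTS, ban_duration=BAN_DURATION):
        self.max_attempts = max_attempts
        self.ban_duration = ban_duration
        self.ip_failures = {}      # ip -> consecutive failed 2FA codes
        self.ip_banned_until = {}  # ip -> unix time at which the ban ends
        self.user_failures = {}    # username -> (count, time of last failure)

    def lockout_message(self, ip, now):
        """Text shown instead of the login form while the IP is banned, else None."""
        until = self.ip_banned_until.get(ip)
        if until is None or now >= until:
            return None
        return LOCKOUT_MESSAGE.format(time=until - now)

    def failed_attempts_message(self, username, now):
        """Alert for a user whose password was accepted but whose 2FA code failed earlier."""
        if username not in self.user_failures:
            return None
        count, last = self.user_failures[username]
        return FAILED_ATTEMPTS_MESSAGE.format(count=count, time=now - last)

    def record_2fa_result(self, ip, username, code_ok, now):
        """Call after the password check passed and the 2FA code was verified (code_ok)."""
        blocked = self.lockout_message(ip, now)
        if blocked is not None:
            return {"ok": False, "message": blocked}     # banned: reject even a correct code
        if code_ok:
            alert = self.failed_attempts_message(username, now)  # shown once, then cleared
            self.ip_failures.pop(ip, None)
            self.user_failures.pop(username, None)
            return {"ok": True, "message": alert}
        self.ip_failures[ip] = self.ip_failures.get(ip, 0) + 1
        ucount, _ = self.user_failures.get(username, (0, now))
        self.user_failures[username] = (ucount + 1, now)
        if self.ip_failures[ip] >= self.max_attempts:
            self.ip_banned_until[ip] = now + self.ban_duration
            self.ip_failures.pop(ip, None)
            return {"ok": False, "message": self.lockout_message(ip, now)}
        return {"ok": False, "message": None}
```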
Delete 2FA Data on Plugin Uninstall
Activate this option if you want all 2FA-related data deleted when the WP Ghost Advanced Pack plugin is uninstalled.
Note! If you activate this option, the users will need to set up 2FA again if you reinstall the plugin and activate the 2FA Authentication feature.
After you configure the 2FA Settings, click on “Save” to apply the changes.
Setup 2FA Code on User Account
After you have saved the 2FA Code settings, it's time to set up 2FA authentication for a user.
Click on the Add Two-Factor Authentication button displayed below. If the button is not visible, click the “Save” button first.
You will be directed to a section in your User Profile where you can configure 2FA by scanning a QR code.
To accomplish this, you will first need to download and open the authenticator app of your preference. You can select from Google Authenticator, Authy, Microsoft Authenticator, or LastPass Authenticator.
For more details:
- Guide for Google Authenticator
- Guide for Authy
- Guide for Microsoft Authenticator
- Guide for LastPass Authenticator
You will need one of these authenticator apps to scan the QR code provided by WP Ghost and connect your account.
Note! Please be aware that certain authenticator apps may only permit manual entry of the text version. As illustrated in the screenshot below, you can locate the text version in step 2.
Once you scan the provided QR code or enter the text version with your chosen authenticator app, the app will generate a series of rotating codes. To complete the setup on your WordPress page, type in the current code displayed in your authenticator app.
Then, click on “Submit” to complete the setup.
If you have correctly entered the one-time code provided by your chosen authenticator app, you will see the following message:
Remember to create and safely store backup codes. They’re your safety net if you can’t access your authenticator app.
Click “Generate Backup Codes” to create your one-time-use recovery codes (each code can be employed only once).
After you click on the Download Codes button to save them on your computer, click on the Finalize button to complete the process.
Reset Key Option
This option allows you to reset the connection key if you ever encounter issues with your authenticator app or want to start the sync process again.
Test 2FA Code
Now that 2FA is activated on the user profile, it’s time to test the login page and check the Two-Factor authentication (2FA).
Every time you log in, the login page will ask you for the code currently generated and displayed by your authenticator app. You must enter this code on the login page to confirm your identity and gain access to your WordPress dashboard.
2FA Email Code Method
With this method, you will receive a one-time code through email to use during the two-factor verification process.
Note! Before choosing this method, ensure that your WordPress site can reliably send emails. You can improve email delivery using a free email plugin like Easy WP SMTP.
Activate 2FA Email Code
Once you set this up, a unique, one-time code will be sent to the specified email address whenever you try logging in. You’ll have to enter this code on the login page to confirm your identity and gain access to your WordPress dashboard.
- Go to WP Ghost > 2FA Login > Settings.
- Click on Email Code to activate the Two Factor Authentication by Email option.
- Click Save to apply the changes.
Setup 2FA Email Code
Let’s take a look at the customization settings that are available for 2FA Email Code.
Max fail attempts
This setting determines how many times a user can enter an incorrect 2FA email code before their IP is blocked.
By default, this is set to 5 attempts, meaning a user will be blocked after five incorrect attempts. Adjust this number if needed.
Ban duration
This setting allows you to customize the duration (in seconds) for which an IP will be banned after exceeding the maximum number of failed attempts.
By default, this is set to 900 seconds, which is 15 minutes. Change this duration if needed.
Failed Attempts Message
Shows an alert message to a specific user when there have been failed attempts on their account.
This automatic, pre-configured notification alerts users to login attempts on their account in which a valid 2FA code was not provided.
Note! This means the user passed the login credentials but not the 2FA process.
The message will be customized for each user with the following built-in variables:
- {count}: Indicates the number of times that particular user didn’t provide a correct code.
- {time}: Shows the duration since the user’s last failed login attempt.
Lockout Message
Show message instead of the login form for a blocked user.
This automatic, pre-configured notification will show instead of the WordPress login form when a user experiences a lockout.
The message will be customized for each user with the following built-in variables:
- {time}: Indicates the number of seconds users must wait before they can enter a new verification code and attempt to log in again.
Delete 2FA Data on Plugin Uninstall
Activate this option if you want all 2FA-related data deleted when the WP Ghost Advanced Pack plugin is uninstalled.
Note! If you activate this option, the users will need to set up 2FA again if you reinstall the plugin and activate the 2FA Authentication feature.
After you configure the 2FA Settings, click on “Save” to apply the changes.
Setup 2FA Email Code on User Account
After you have saved the 2FA Email Code settings, it's time to set up 2FA for a user.
Click on the Add Two-Factor Authentication button displayed below. If the button is not visible, click the Save button first.
You will be directed to a section in your User Profile where you can specify the email address where you’d like to receive the authentication codes during the login process.
Enter your preferred email address and click the Submit button to complete the setup.
Once you set this up, a unique, one-time code will be sent to the email address you provided whenever you try to log in. You’ll have to enter this code on the login page to confirm your identity and gain access to your WordPress dashboard.
After you set the email address where you want to receive the unique email code, you will see the following message:
Remember to create and safely store backup codes. They’re your safety net if the SMTP is not working and you don’t receive any 2FA code by email.
Click “Generate Backup Codes” to create your one-time-use recovery codes (each code can be employed only once).
After you click the Download Codes button to save them on your computer, click the Finalize button to complete the process.
Reset Email Address Option
If you ever switch email accounts or prefer a different one for receiving codes, you can use this option to update your details.
Test 2FA Email Code
Now that 2FA is activated on the user profile, it’s time to test the login page and check the Two-Factor authentication (2FA).
Every time you log in, a unique, one-time code will be sent to the email address you provided. You must enter this code on the login page to confirm your identity and gain access to your WordPress dashboard.
Consider using a free email plugin, such as Easy WP SMTP, to ensure your emails always get delivered.
Monitor 2FA Logins
To see all recent 2FA authentications, go to WP Ghost > 2FA Login > 2FA Logins.
After configuring 2FA for your website, you can monitor your 2FA Logins from a centralized panel.
Here is the information you will be able to view in this section:
- Email: Shows the email address used for the 2FA login attempt.
- Last Access: This timestamp indicates the most recent time a user logged in using 2FA. It is helpful in monitoring user activity patterns and identifying unusual access times.
- Login: Displays the method of 2FA used for the login – either 2FA Code or Email Code.
Adding 2FA not only amplifies your site’s security but also offers peace of mind by ensuring that only authorized users can gain access. Always ensure that you regularly check the 2FA login monitor for any unusual activity.
Recommendations
- Don’t overlook the importance of backup codes: Remember to generate and keep backup codes somewhere safe. They will come in handy in case you lose access to your authentication app or registered email address.
- Test your 2FA: Validate the functionality of your 2FA. You want to be sure it’s working as it should and that you can access your site with these enhanced security measures.
- Update your plugins regularly: Always keep your plugins, including WP Ghost, up-to-date, as updates often address vulnerabilities and enhance overall performance.
Using WP Ghost, you can easily add two-factor authentication to your WordPress sites. Whether you use a 2FA code or email code verification, it’s a big step up for your site’s security.
Give it a try today to further reduce the risk of unauthorized users gaining access to your site!
Troubleshooting
Authenticator App Not Generating Valid Codes for 2FA
It is possible that the authenticator app is producing codes that the site rejects. Check the following:
Mobile Time and Date
Ensure your device’s date and time settings are set to automatic. An incorrect time can cause codes to mismatch.
Check the code twice
Verify you are entering the correct current code. Codes are time-sensitive and may expire after 30 seconds.
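To show why the codes are time-sensitive and why clock drift matters, here is an added Python implementation of the RFC 6238 TOTP algorithm that authenticator apps use, written for this article and not taken from the plugin. It uses the RFC's published test key rather than a real secret, and its verifier accepts one neighbouring 30-second step but rejects larger drift.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test key ("12345678901234567890" in base32); not a real secret.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TIME_STEP = 30   # seconds per code: the 30-second expiry mentioned above
DIGITS = 6


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time, step=TIME_STEP):
    """RFC 6238 TOTP: the HOTP counter is the number of whole steps since the Unix epoch."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32, submitted, unix_time, window=1, step=TIME_STEP):
    """Accept the code for the current step and up to `window` neighbouring steps.

    window=1 tolerates roughly +/-30 s of phone clock drift; a larger skew fails,
    which is why the troubleshooting above asks for automatic date and time.
    """
    current = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, current + delta), submitted):
            return True
    return False
```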
Check the login user
Make sure you are entering the correct code for the right user. If you have multiple accounts on the same website, you need to use the 2FA code for the specific user you want to log in as. Each user has a different 2FA code.
Generate the codes again
You can reset the connection key for a specific user by going to All Users > User Edit and using the Reset Key Option. Then, you can re-scan the QR code with your authenticator app.
Unable to Scan the QR Code
Use the manual entry option in your authenticator app and input the text-based key provided during setup.
Ensure the QR code is displayed clearly on your screen. If necessary, enlarge it to make scanning easier.
Getting Locked Out After Exceeding Max Fail Attempts
By default, if you fail to enter the correct credentials or the 2FA code five times, your IP will be blocked for a period of time.
During the lockout you will get a message like:
Your IP has been flagged for potential security violations. Please try again in a little while.
Solutions:
Solution 1: Wait for the ban duration to expire (default is 15 minutes).
Solution 2: Access the login page using the Safe URL from your WP Ghost Dashboard (Cloud Account). This will deactivate WP Ghost until you log in to the WordPress dashboard with your credentials.
Solution 3: If you have admin access via File Manager or FTP, disable the WP Ghost plugin by renaming the plugin directory hide-my-wp to hide-my-wp1.
After logging in, rename the directory back to hide-my-wp to re-enable the WP Ghost plugin on your website, then clear the blocked IP address from WP Ghost > Brute Force.
Not Receiving the 2FA Email Code
There are a few reasons why the 2FA email code might not be received.
Check the email address
Verify that the correct email address is configured in the user profile settings. Click Reset Email and add the correct email address for that user profile.
No SMTP Email Solution
Ensure your WordPress site can reliably send emails. Install and configure a plugin like Easy WP SMTP to improve email delivery. Test email functionality after setup.
Junk Email Folder
Check the spam/junk folder in your email inbox. If the SMTP email plugin was not configured correctly, the emails will end up in the spam/junk folder.
Email delay issue
Use a reliable SMTP service to ensure faster email delivery. Avoid using shared hosting email servers, as they may experience delays.