With the WP Ghost plugin, you can activate 2FA to secure your website’s login path, adding an extra layer of protection to your admin dashboard. This feature ensures that even if a hacker gains access to your password, they won’t be able to log in without the second authentication factor.
Enabling 2FA through WP Ghost protects your website with a more resilient security framework, keeping your admin area secure from potential threats.
Two-Factor Authentication, or 2FA, is like adding a second lock to your door. When you log in to your website, you need more than just your password (the first lock). With 2FA, you also need a second key, like a code sent to your phone or email.
Even if someone steals your password, they can’t log in without the second key. This makes your website much harder for hackers to break into, keeping it safe and secure.
Two-factor authentication (2FA) helps you add an extra layer of security to your WordPress site by requiring both a password and an additional verification step to log in. This verification comes from something that only an authorized user can access, such as an email message or an app-generated code.
Here’s a deeper dive into why 2FA is a valuable addition to your security toolkit.
Now that you know some of the key advantages of using 2FA for your website, let’s walk through how to set this up with WP Ghost.
To use the 2FA feature from WP Ghost, you’ll need the WP Ghost – Advanced Pack plugin. The plugin is installed/activated automatically with a single click, costs nothing extra, and uses the same account.
By default, the 2FA feature is not activated in WP Ghost and is not visible in the menu. To activate the feature and install the advanced pack, follow these steps:
If the WP Ghost Advanced Pack is not yet installed, you will see the option to install it with just one click.
Simply click on the “Install/Activate WP Ghost – Advanced Pack” button.
The WP Ghost – Advanced Pack plugin is now activated for your website and it is listed among your Plugins.
You should start by selecting the Two-Factor Authentication (2FA) method you want to use for your website, or you can enable the “User Choice for 2FA” option and allow each user to choose their preferred 2FA method.
When you allow users to select their own 2FA method, each user will see a dedicated option in their profile where they can choose which method they want to use for Two-Factor Authentication.
If the option to let users choose the 2FA method is not enabled, all users will be required to use the same method selected on the settings page.
With this method, each user sets up an authenticator app such as Google Authenticator or Authy. The app holds a secret shared with the site and generates time-based one-time codes (TOTP) that rotate every 30 seconds.
Once verified, you’ll be asked for the code generated and displayed by your authenticator app whenever you log in. You must enter this code on the login page to confirm your identity and gain access to your WordPress dashboard.
Let’s take a look at the customization settings that are available for 2FA Code.
This setting determines how many times a user can enter an incorrect 2FA code before their IP is blocked.
By default, this is set to 5 attempts, meaning a user will be blocked after five incorrect attempts. Adjust this number if needed.
This setting allows you to customize the duration (in seconds) for which an IP will be banned after exceeding the maximum number of failed attempts.
By default, this is set to 900 seconds, which is 15 minutes. Change this duration if needed.
Show an alert message to a specific user when there were failed attempts on their account.
This automatic, pre-configured notification tells a user about login attempts on their account that failed to provide a valid 2FA code.
Note! This means whoever attempted the login got past the username and password but not the 2FA step. Treat it as a sign that the password may be compromised and change it.
The message will be customized for each user with the following built-in variables:
Show a message instead of the login form for a blocked user.
This automatic, pre-configured notification will show instead of the WordPress login form when a user experiences a lockout.
The message will be customized for each user with the following built-in variables:
Activate this option if you want all 2FA-related data deleted when the WP Ghost Advanced Pack plugin is uninstalled.
Note! If you activate this option, the users will need to set up 2FA again if you reinstall the plugin and activate the 2FA Authentication feature.
After you configure the 2FA Settings, click on “Save” to apply the changes.
After you have saved the 2FA Code settings, it is time to set up 2FA for a user.
Click on the Add Two-Factor Authentication button displayed below. If the button is not visible, click the “Save” button first.
You will be directed to a section in your User Profile where you can configure 2FA by scanning a QR code.
To accomplish this, you will first need to download and open the authenticator app of your preference. You can select from Google Authenticator, Authy, Microsoft Authenticator, or LastPass Authenticator.
For more details:
You will need one of these authenticator apps to scan the QR code provided by WP Ghost and connect your account.
Note! Please be aware that certain authenticator apps may only permit manual entry of the text version. As illustrated in the screenshot below, you can locate the text version in step 2.
Once you scan the provided QR code or enter the text version with your chosen authenticator app, the app will generate a series of rotating codes. To complete the setup on your WordPress page, type in the current code displayed in your authenticator app.
Then, click on “Submit” to complete the setup.
If you have correctly entered the one-time code provided by your chosen authenticator app, you will see the following message:
Remember to create and safely store backup codes. They’re your safety net if you can’t access your authenticator app.
Click “Generate Backup Codes” to create your one-time-use recovery codes (each code can be employed only once).
After you click on the Download Codes button to save them on your computer, click on the Finalize button to complete the process.
This option allows you to reset the connection key if you ever encounter issues with your authenticator app or want to start the sync process again.
Now that 2FA is activated on the user profile, it’s time to test the login page and check the Two-Factor authentication (2FA).
Every time you log in, the login page will ask for the code currently displayed in your authenticator app. Enter it to confirm your identity and gain access to your WordPress dashboard.
With this method, you will receive a one-time code through email to use during the two-factor verification process.
Note! Before choosing this method, ensure that your WordPress site can reliably send emails. You can improve email delivery using a free email plugin like Easy WP SMTP.
Once you set this up, a unique, one-time code will be sent to the specified email address whenever you try logging in. You’ll have to enter this code on the login page to confirm your identity and gain access to your WordPress dashboard.
Let’s take a look at the customization settings that are available for 2FA Email Code.
This setting determines how many times a user can enter an incorrect 2FA email code before their IP is blocked.
By default, this is set to 5 attempts, meaning a user will be blocked after five incorrect attempts. Adjust this number if needed.
This setting allows you to customize the duration (in seconds) for which an IP will be banned after exceeding the maximum number of failed attempts.
By default, this is set to 900 seconds, which is 15 minutes. Change this duration if needed.
Show an alert message to a specific user when there were failed attempts on their account.
This automatic, pre-configured notification alerts users of their login attempts where they fail to provide a valid 2FA code.
Note! This means the user passed the login credentials but not the 2FA process.
The message will be customized for each user with the following built-in variables:
Show a message instead of the login form for a blocked user.
This automatic, pre-configured notification will show instead of the WordPress login form when a user experiences a lockout.
The message will be customized for each user with the following built-in variables:
Activate this option if you want all 2FA-related data deleted when the WP Ghost Advanced Pack plugin is uninstalled.
Note! If you activate this option, the users will need to set up 2FA again if you reinstall the plugin and activate the 2FA Authentication feature.
After you configure the 2FA Settings, click on “Save” to apply the changes.
After you have saved the 2FA Email Code settings, it is time to set up 2FA for a user.
Click on the Add Two-Factor Authentication button displayed below. If the button is not visible, click the Save button first.
You will be directed to a section in your User Profile where you can specify the email address where you’d like to receive the authentication codes during the login process.
Enter your preferred email address and click the Submit button to complete the setup.
Once you set this up, a unique, one-time code will be sent to the email address you provided whenever you try to log in. You’ll have to enter this code on the login page to confirm your identity and gain access to your WordPress dashboard.
After you set the email address where you want to receive the unique email code, you will see the following message:
Remember to create and safely store backup codes. They’re your safety net if email delivery (SMTP) breaks and no 2FA code arrives.
Click “Generate Backup Codes” to create your one-time-use recovery codes (each code can be employed only once).
After you click the Download Codes button to save them on your computer, click the Finalize button to complete the process.
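The backup codes described here (for the email method, and the same ones generated for the authenticator-app method above) only protect you if each code works exactly once and the site never keeps the plaintext. The following is an added Python example, not WP Ghost's own code: it generates a set of one-time recovery codes, stores only salted hashes, and burns a code when it is redeemed. The code format (10 hex characters with a dash) and the count of 10 are assumptions for illustration; the plugin's real format is not described on this page.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10   # assumed number of recovery codes handed out per user


def normalize(code: str) -> str:
    """Accept the code however the user typed it: ignore dashes, spaces and case."""
    return code.replace("-", "").replace(" ", "").strip().lower()


class BackupCodes:
    """One-time recovery codes for a single user. Only salted hashes are kept server-side."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)   # per-user salt so identical codes never share a hash
        self.unused_hashes: list[bytes] = []

    def _hash(self, code: str) -> bytes:
        # Codes carry 40 random bits, so a salted SHA-256 is adequate; a password KDF is not needed
        return hashlib.sha256(self.salt + normalize(code).encode("ascii")).digest()

    def generate(self, count: int = CODE_COUNT) -> list[str]:
        """Create a fresh set, replacing any old one. The plaintext is returned exactly once for download."""
        codes = []
        for _ in range(count):
            raw = secrets.token_hex(5)              # 10 hex chars = 40 bits of entropy
            codes.append(f"{raw[:5]}-{raw[5:]}")    # e.g. "3fa9c-0e71b" (assumed display format)
        self.unused_hashes = [self._hash(c) for c in codes]
        return codes

    def redeem(self, code: str) -> bool:
        """Return True and burn the code if it is valid and unused; False otherwise."""
        target = self._hash(code)
        for i, stored in enumerate(self.unused_hashes):
            if hmac.compare_digest(stored, target):   # constant-time comparison
                del self.unused_hashes[i]             # each code can be used only once
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused_hashes)


def backup_code_demo() -> dict:
    """Walk through generate -> download -> redeem -> reuse with constructed data."""
    store = BackupCodes()
    codes = store.generate()            # this list is what the user downloads and files away
    first = codes[0]
    out = {}
    out["generated"] = len(codes)
    out["first_use_ok"] = store.redeem(first.upper())       # case and dashes are normalised
    out["reuse_rejected"] = store.redeem(first)             # already burned
    out["wrong_code_rejected"] = store.redeem("00000-00000")
    out["remaining"] = store.remaining()                    # one fewer than generated
    out["plaintext_not_stored"] = not any(c in str(vars(store)) for c in codes)
    return out
```

The point of the `plaintext_not_stored` check is the same one the page makes about downloading the codes: after generation, the server cannot show them again, so the downloaded file is the only copy.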
If you ever switch email accounts or prefer a different one for receiving codes, you can use this option to update your details.
Now that 2FA is activated on the user profile, it’s time to test the login page and check the Two-Factor authentication (2FA).
Every time you log in, a unique, one-time code will be sent to the email address you provided. You must enter this code on the login page to confirm your identity and gain access to your WordPress dashboard.
With this method, you will use a Passkey (stored on your device, browser, or password manager) to securely confirm your identity during the two-factor authentication process.
Passkeys offer a faster, phishing-resistant authentication method that uses your device’s built-in security (biometrics, PIN, secure hardware). You won’t receive any code by email or SMS. Instead, you will confirm your login instantly using your device.
Note! Before choosing this method, ensure the device you use for logging in supports Passkeys (Windows Hello, Touch ID, Face ID, Android biometrics, or compatible browser password managers).
Once you set this up, you will be prompted to confirm your login using your Passkey whenever you sign in to WordPress. Simply approve the request on your device, and you’ll gain access instantly.
Let’s look at the customization settings available for the 2FA Passkey option.
This setting determines how many times a user can fail authentication before their IP is blocked.
By default, this is set to 5 attempts, meaning a user will be blocked after five unsuccessful Passkey verification attempts. Adjust this number if needed.
This setting allows you to customize how long (in seconds) an IP remains banned after exceeding the maximum number of failed attempts.
By default, this is set to 900 seconds (15 minutes). You can modify this value based on your security needs.
Show an alert message to a specific user when there were failed attempts on their account.
This automatic, pre-configured notification alerts users that someone attempted to log in using their account but failed the Passkey verification.
Note! This means the user passed the username/password step but did not successfully complete the 2FA process.
The message will be customized for each user with the following built-in variables:
Show a message instead of the login form for a blocked user.
This automatic, pre-configured notification will show instead of the WordPress login form when a user experiences a lockout.
The message will be customized for each user with the following built-in variables:
Activate this option if you want all 2FA-related data deleted when the WP Ghost Advanced Pack plugin is uninstalled.
Note! If you activate this option, the users will need to set up 2FA again if you reinstall the plugin and activate the 2FA Authentication feature.
After you configure the 2FA Settings, click on “Save” to apply the changes.
Once you’ve saved your 2FA Passkey settings, it’s time to configure Passkey authentication for a user.
Click on the Add Two-Factor Authentication button displayed below. If the button is not visible, click the Save button first.
You will be redirected to the Passkey setup section in your User Profile.
Click the Add Passkey button to add a new Passkey for your account. You can add multiple passkeys.
Your browser or device will prompt you to create a Passkey (using Touch ID, Face ID, Windows Hello, or your password manager).
Confirm the device prompt to complete the setup.
Once configured, you can log in by approving the authentication request on your device, no code needed.
If you lose your device, change browsers, or want to switch to a new Passkey, use this option to remove the existing Passkey and register a new one.
Now that 2FA Passkey is activated on the user profile, it’s time to test the login process.
Each time you log in, after entering your username and password, you will be prompted to authenticate using your Passkey. Approve the request on your device to confirm your identity and access your WordPress dashboard.
To see all recent 2FA authentications, go to WP Ghost > 2FA Login > 2FA Logins
After configuring 2FA for your website, you can monitor your 2FA Logins from a centralized panel.
Here is the information you will be able to view in this section:
Adding 2FA not only amplifies your site’s security but also offers peace of mind by ensuring that only authorized users can gain access. Always ensure that you regularly check the 2FA login monitor for any unusual activity.
Using WP Ghost, you can easily add two-factor authentication to your WordPress sites. Whether you use an authenticator app code, an email code, or a Passkey, it’s a big step up for your site’s security.
Give it a try today to further reduce the risk of unauthorized users gaining access to your site!
It is possible that your authenticator app is producing codes the site rejects. Check the following:
Ensure your device’s date and time settings are set to automatic. An incorrect time can cause codes to mismatch.
Verify you are entering the current code. Codes are time-based and rotate every 30 seconds, so a code copied a moment ago may already have expired.
Make sure you are entering the code for the right user. If you have multiple accounts on the same website, each account has its own secret key in your authenticator app, so its codes are different; use the entry for the user you want to log in as.
You can reset the connection key for a specific user by going to All Users > User Edit and using the Reset Key Option. Then, you can re-scan the QR code with your authenticator app.
Use the manual entry option in your authenticator app and input the text-based key provided during setup.
Ensure the QR code is displayed clearly on your screen. If necessary, enlarge it to make scanning easier.
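The clock-drift and wrong-user problems in this troubleshooting list, and the rotating codes described in the authenticator-app setup above, all follow from how TOTP works. The block below is an added Python example, not WP Ghost's code: it implements RFC 6238 TOTP the way Google Authenticator and Authy do (HMAC-SHA1, 6 digits, 30-second steps) and checks what a server accepts. The one-step drift tolerance in `verify_totp` is an assumption; the plugin's real tolerance is not documented on this page. The secrets are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # standard TOTP time step used by common authenticator apps
DIGITS = 6


def generate_secret(nbytes: int = 20) -> str:
    """Return a fresh random secret in the base32 text form shown beside a QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def totp_code(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP(secret, floor(time / step)) with HMAC-SHA1 and dynamic truncation."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    counter = unix_time // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, server_time: int, drift_steps: int = 1) -> bool:
    """Accept the code for the current step and +/- drift_steps neighbours (assumed tolerance)."""
    submitted = submitted.strip()
    for delta in range(-drift_steps, drift_steps + 1):
        candidate = totp_code(secret_b32, server_time + delta * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):   # constant-time comparison
            return True
    return False


def totp_demo() -> dict:
    """Show which phone clocks the server accepts; all values are constructed."""
    secret = "JBSWY3DPEHPK3PXP"        # constructed sample secret, not a real user's key
    other_user = "GEZDGNBVGY3TQOJQ"    # a second user's (constructed) secret
    server_now = 1_700_000_000
    out = {}
    # phone clock matches the server: accepted
    out["in_sync"] = verify_totp(secret, totp_code(secret, server_now), server_now)
    # phone clock 20 s slow: same 30-second step, accepted
    out["slow_20s"] = verify_totp(secret, totp_code(secret, server_now - 20), server_now)
    # phone clock 40 s slow: previous step, still inside the one-step tolerance
    out["slow_40s"] = verify_totp(secret, totp_code(secret, server_now - 40), server_now)
    # phone clock 90 s fast: three steps ahead, rejected -> "set date and time to automatic"
    out["fast_90s"] = verify_totp(secret, totp_code(secret, server_now + 90), server_now)
    # a code from another account's secret is never valid for this user
    out["other_user"] = verify_totp(secret, totp_code(other_user, server_now), server_now)
    return out
```

`generate_secret` corresponds to what a "Reset Key" does: a new secret means the old QR code and every code derived from it stop working, which is why the user must re-scan.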
By default, if you fail to enter the correct credentials or the 2FA code five times, your IP will be blocked for a period of time.
During the lockout you will get a message like:
Your IP has been flagged for potential security violations. Please try again in a little while.
Solutions:
Solution 1: Wait for the ban duration to expire (default is 15 minutes).
Solution 2: Access the login page using the Safe URL from your WP Ghost Dashboard (Cloud Account). This will deactivate WP Ghost until you log in to the WordPress dashboard with your credentials.
Solution 3: If you have admin access via File Manager or FTP, disable the WP Ghost plugin by changing the plugin directory hide-my-wp to hide-my-wp1.
After logging in, change the hide-my-wp directory back to re-enable the WP Ghost plugin on your website and clear the blocked IP address from WP Ghost > Brute Force.
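The lockout behaviour this section (and the "max attempts" / "ban duration" settings for each 2FA method above) describe is a per-IP failure counter with an expiring ban. The following is an added Python example, not WP Ghost's implementation, that models it with the page's defaults of 5 attempts and 900 seconds; the details of when the counter resets are assumptions. The IP addresses are constructed documentation values.

```python
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5      # page default: block after five wrong 2FA codes
BAN_SECONDS = 900     # page default: 15-minute ban
BLOCKED_MESSAGE = ("Your IP has been flagged for potential security violations. "
                   "Please try again in a little while.")


@dataclass
class IpLockout:
    max_attempts: int = MAX_ATTEMPTS
    ban_seconds: int = BAN_SECONDS
    failures: dict = field(default_factory=dict)      # ip -> consecutive failed 2FA codes
    banned_until: dict = field(default_factory=dict)  # ip -> unix time when the ban expires

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # ban expired: forget both the ban and the old failure count
            del self.banned_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Call after a wrong 2FA code. Returns True if the IP is (now) banned."""
        if self.is_blocked(ip, now):
            return True
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count >= self.max_attempts:
            self.banned_until[ip] = now + self.ban_seconds
            return True
        return False

    def record_success(self, ip: str) -> None:
        """A completed login clears the counter (assumed behaviour)."""
        self.failures.pop(ip, None)

    def clear_ip(self, ip: str) -> None:
        """Admin action, like clearing the address under WP Ghost > Brute Force."""
        self.failures.pop(ip, None)
        self.banned_until.pop(ip, None)

    def login_page(self, ip: str, now: float) -> str:
        return BLOCKED_MESSAGE if self.is_blocked(ip, now) else "<login form>"


def lockout_demo() -> dict:
    lock = IpLockout()
    t0 = 1_700_000_000
    attacker, colleague = "203.0.113.7", "198.51.100.2"   # constructed documentation addresses
    out = {}
    for i in range(4):
        lock.record_failure(attacker, t0 + i)
    out["after_4_blocked"] = lock.is_blocked(attacker, t0 + 4)            # four strikes: not yet
    out["fifth_triggers_ban"] = lock.record_failure(attacker, t0 + 4)     # fifth: banned
    out["shows_block_message"] = lock.login_page(attacker, t0 + 5) == BLOCKED_MESSAGE
    out["blocked_at_899s"] = lock.is_blocked(attacker, t0 + 4 + 899)      # one second left
    out["free_at_900s"] = lock.is_blocked(attacker, t0 + 4 + 900)          # ban expired
    out["other_ip_unaffected"] = lock.is_blocked(colleague, t0 + 5)       # bans are per IP
    # a successful login clears the counter: 4 failures, success, 4 failures never bans
    for i in range(4):
        lock.record_failure(colleague, t0 + i)
    lock.record_success(colleague)
    for i in range(4):
        lock.record_failure(colleague, t0 + 10 + i)
    out["success_resets_counter"] = lock.is_blocked(colleague, t0 + 20)
    # an admin clears a ban early instead of waiting 15 minutes
    lock.record_failure(colleague, t0 + 21)   # fifth consecutive failure -> banned
    out["banned_before_clear"] = lock.is_blocked(colleague, t0 + 22)
    lock.clear_ip(colleague)
    out["free_after_clear"] = lock.is_blocked(colleague, t0 + 22)
    return out
```

Because the ban is keyed on the client IP, a locked-out administrator behind the same NAT as an attacker is blocked too; that is the situation Solutions 2 and 3 above exist for.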
There are a few reasons why the 2FA email code might not arrive.
Verify that the correct email address is configured in the user profile settings. Click Reset Email and add the correct email address for that user profile.
Ensure your WordPress site can reliably send emails. Install and configure a plugin like Easy WP SMTP to improve email delivery. Test email functionality after setup.
Check the spam/junk folder in your mailbox. If the SMTP plugin is not configured correctly, the emails may land in the spam/junk folder.
Use a reliable SMTP service to ensure faster email delivery. Avoid using shared hosting email servers, as they may experience delays.