Enabling Two-Factor Authentication in iThemes Security Pro
iThemes Security supports multiple WordPress two-factor authentication methods so that users can use the method that works best for them.
- Mobile app – iThemes Security supports two-factor authentication apps such as Google Authenticator, Authy, Toopher and FreeOTP. These apps are installed on a smartphone or tablet and generate a time-sensitive code that must be supplied when logging in.
- Email – Time-sensitive codes are supplied via email to the email address associated with the user’s account. Note: Your WordPress site must support sending emails for this method to work (for example, sending WordPress-generated emails such as password reset and new account emails).
- Backup codes – Provides a set of one-time use codes that can be used to log in if the primary two-factor method is lost. Note: These codes are intended to be stored in a secure location.
NEW! Simplified Two-Factor Authentication Settings
We’ve simplified the Two-Factor Authentication setup by providing recommended settings for the “Authentication Methods Available to Users” section. The “All Methods” setting is recommended so that users can use the method that works best for them.
Using the drop-down in this section, you can customize the authentication methods available to users.
NEW! WordPress User Level Two-Factor Authentication (User Type Protection)
iThemes Security Pro now provides a way to require WordPress user accounts of specific roles to use two-factor if the account doesn’t already do so. The “Privileged Users” setting is highly recommended as this forces all users that can change site settings, software, or content to use two-factor authentication for their account login.
You can also customize which user roles are required to use two-factor. Just use the “Select Roles Manually” option from the drop-down.
NEW! Vulnerable User Protection and Vulnerable Site Protection
You can now enforce two-factor authentication for “vulnerable users” and for all users if iThemes Security detects that the site is vulnerable. To enable these two settings, check the box next to each setting.
- Vulnerable User Protection – Requires WordPress user accounts that are considered vulnerable, such as accounts with a weak password or accounts subject to recent brute force attacks, to use two-factor if the account doesn’t already do so. Enabling this feature is highly recommended.
- Vulnerable Site Protection – Requires all WordPress users to use two-factor when logging in if iThemes Security detects the site is vulnerable (such as running outdated software or software known to be vulnerable). Enabling this feature is highly recommended.
WordPress Two-Factor Authentication Setup
Once two-factor authentication is enabled with the iThemes Security Pro plugin, affected individual users can complete two-factor setup from the WordPress dashboard.
Individual users can then complete their two-factor authentication setup by visiting the Users > Your Profile page.
From this screen, they can configure the two-factor mobile app of their choice, set their primary authentication method and get their backup codes.