Two-Factor Authentication

Two-factor authentication (2FA) helps you add an extra layer of security to your WordPress site by requiring both a password and an additional verification step to log in. This verification comes from something that only an authorized user can access, such as an email message or an app-generated code.

Here’s a deeper dive into why 2FA is a valuable addition to your security toolkit.

Strengthens Login Security  

2FA significantly increases security by introducing an additional level of protection. Even if a malicious entity obtains a password, they will still be unable to access the account without the second verification.

Curbs Password Vulnerabilities

Accidental password exposures or leaks are mitigated by 2FA. A potential breach requires more than just the password, making unauthorized access much more challenging.

Deters Cyber-attacks

Implementing 2FA reduces the appeal of your site to hackers. A double authentication mechanism presents an added hurdle for malicious entities, discouraging many attempts.

Efficient and Seamless Integration

While certain security upgrades may seem cumbersome or complex, 2FA manages to find a sweet spot between boosting security and keeping things user-friendly. You’ll likely find the process to be quite natural and intuitive once you get the hang of it.

Now that you’re familiar with some of the key advantages of using 2FA for your website, let’s walk through how to set this up with Hide My WP Ghost.


How to Access the 2FA Feature from Hide My WP Ghost

To use the 2FA feature from Hide My WP Ghost, you’ll need the “Hide My WP Ghost – Advanced Pack” plugin. 

The plugin gets installed/activated automatically with a single click, doesn’t cost you anything extra, and uses the same account.

Here’s what you need to do:

1️⃣ Log in to your WordPress site and activate the 2FA feature under Hide My WP > Overview > Features > 2FA.

Click on Start Feature Setup to get to 2FA Login, or refresh the page and go to Hide My WP > 2FA Login.

2️⃣ When you click on “2FA Login,” it will open the panel as displayed in the screenshot below.

Simply click on the “Install/Activate Hide My WP Ghost – Advanced Pack” button.

3️⃣ That’s all there is to it!

The Hide My WP Ghost – Advanced Pack plugin is now activated for your website, and you’ll find it listed among your Plugins.


Activate Two-factor Authentication

To reach this option, go to Hide My WP > 2FA Login > Settings

On this page, you’ll find a toggle labeled “Use 2FA Authentication.”

Slide the toggle to the right to enable this feature, and you’ll be ready to begin configuring it for your site.

Once you enable the “Use 2FA Authentication” toggle, the following options will become visible:


Select Your Preferred Two-Factor Authentication (2FA) Method

Begin by selecting the Two-Factor Authentication (2FA) method you wish to set up for your website. You can choose from the following options:

2FA Code: One-time code generated by a 2FA App

When using this method, you’ll need to set up an authenticator app like Google Authenticator or Authy to generate a one-time code.

Once verified, whenever you log in, you’ll be asked for the code currently generated and displayed by your authenticator app. You will need to enter this code on the login page to confirm your identity and gain access to your WordPress dashboard.

This second verification method will be enforced for all users trying to log in, regardless of their role.

Email Code: One-time code sent via email

With this method, you will receive a one-time code through email to use during the two-factor verification process.

Before choosing this method, ensure that your WordPress site can send emails reliably. You can improve email delivery by using a free email plugin like WP Mail SMTP by WPForms.

Once you set this up, a unique, one-time code will be sent to the specified email address every time you try to log in. You’ll have to enter this code on the login page to confirm your identity and gain access to your WordPress dashboard.

This second verification method will be enforced for all users trying to log in, regardless of their role.


2FA Code: Setting up Two-factor Authentication by 2FA Code

If you have chosen 2FA Code as your preferred two-factor authentication method, follow these steps:

Start by clicking on the “Add Two-Factor Authentication” button displayed below. If the button is not visible, click the “Save” button first.

When you click on the “Add Two-Factor Authentication” button, you will be directed to a section in your User Profile where you can configure 2FA using a QR code.

To accomplish this, you will first need to download and open the authenticator app of your preference. You have the option to select from the following apps: Google Authenticator, Authy, Microsoft Authenticator, or LastPass Authenticator.

You will need one of these authenticator apps to scan the QR code provided by Hide My WP Ghost and connect your account.

Please be aware that certain authenticator apps may only permit manual entry of the text version. You can locate the text version in step 2, as illustrated in the screenshot below.

Once you scan the provided QR code or enter the text version with your chosen authenticator app, the app will start generating a series of rotating codes. To complete the setup on your WordPress page, simply type in the current code displayed in your authenticator app.

Then, click on “Submit” to complete the setup.

If you have correctly entered the one-time code provided by your chosen authenticator app, you will see the following message:

Once verified, every time you log in, you’ll be asked for the code currently generated and displayed by your authenticator app. You will need to enter this code on the login page to confirm your identity and gain access to your WordPress dashboard.

🚨 Best Practice Tip:

Don’t forget to create and safely store some backup codes. They’re your safety net in case you can’t access your authenticator app.

Click “Generate Backup Codes” to create your one-time-use recovery codes (each code can be used only once).

Want to keep them on your computer? Just hit “Download Codes”.

Once you’re set, click “Finalize” to complete the process.


Reset Key Option

If you ever encounter issues with your authenticator app or want to start the sync process again, this option allows you to reset the connection key.


Settings for 2FA Code 

To reach this option, go to Hide My WP > 2FA Login > Settings 

Let’s now take a look at the customization settings that are available for 2FA Code. 

Max fail attempts: Block IP on login page

This setting determines how many times a user can enter an incorrect 2FA code before their IP is blocked.

By default, this is set to ‘5’, meaning a user will be blocked after 5 incorrect attempts. Adjust this number if needed.

Ban duration: No. of seconds

This setting allows you to customize the duration (in seconds) that an IP will be banned after exceeding the max fail attempts.

By default, this is set to ‘900’ seconds, which is 15 minutes. Change this duration if needed.

Failed Attempts Message: Show alert message for a specific user when there were fail attempts on his account.

This is an automatic, pre-configured notification that alerts users of their login attempts where they failed to provide a valid 2FA code. 

The message will be customized for each user with the following built-in variables: 

  • {count}: Indicates the number of times that particular user didn’t provide a correct code.
  • {time}: Shows the duration since the user’s last failed login attempt.

Lockout Message: Show message instead of the login form.

This is an automatic, pre-configured notification that will show instead of the WordPress login form when a user experiences a lockout.

The message will be customized for each user with the following built-in variables: 

  • {time}: indicates the number of seconds users must wait before entering a new verification code to attempt logging in again.

Delete 2FA Data on Plugin Uninstall

Activate this option if you want all 2FA-related data to be deleted when the Hide My WP Ghost – Advanced Pack plugin is uninstalled.

When you are satisfied with your settings, click on “Save” to save them.


Email Code: Setting up Two-factor Authentication By Email Code

If you have chosen Email Code as your preferred two-factor authentication method, follow these steps:

Start by clicking on the “Add Two-Factor Authentication” button displayed below. If the button is not visible, click the “Save” button first.

When you click on the “Add Two-Factor Authentication” button, you will be directed to a section in your User Profile where you can specify the email address where you’d like to receive the authentication codes during the login process.

Enter your preferred email address and click on “Submit” to complete the setup.

Once you set this up, a unique, one-time code will be sent to the email address you provided here every time you try to log in. You’ll have to enter this code on the login page to confirm your identity and gain access to your WordPress dashboard.

To ensure your emails always get delivered, consider using a free email plugin, such as WP Mail SMTP by WPForms.

🚨 Best Practice Tip:

After submitting your email address, don’t forget to create and safely store some backup codes. They’re your safety net if you ever can’t access the email address you’ve registered with.

Click “Generate Backup Codes” to create your one-time-use recovery codes (each code can be used only once).

Want to keep them on your computer? Just hit “Download Codes”. Once you’re set, click “Finalize” to complete the process.

Reset Email Address Option

This handy feature lets you change the email address where the authentication codes are sent during the login process. If you ever switch email accounts or just prefer a different one for receiving codes, simply use this option to update your details.

It ensures you always have access to your authentication codes, no matter where you’d like them sent.


Settings for Email Code 

To reach this option, go to Hide My WP > 2FA Login > Settings

Let’s now take a look at the customization settings that are available for Email Code.  

Max fail attempts: Block IP on login page

This setting determines how many times a user can enter an incorrect email code before their IP is blocked.

By default, this is set to ‘5’, meaning a user will be blocked after 5 incorrect attempts. Adjust this number if needed.

Ban duration: No. of seconds

This setting allows you to customize the duration (in seconds) that an IP will be banned after exceeding the max fail attempts.

By default, this is set to ‘900’ seconds, which is 15 minutes. Change this duration if needed.

Failed Attempts Message: Show alert message for a specific user when there were fail attempts on his account.

This is an automatic, pre-configured notification that alerts users of their login attempts where they failed to provide a valid email code. 

The message will be customized for each user with the following built-in variables: 

  • {count}: Indicates the number of times that particular user didn’t provide a correct code.
  • {time}: Shows the duration since the user’s last failed login attempt.

Lockout Message: Show message instead of the login form.

This is an automatic, pre-configured notification that will show instead of the login form when a user experiences a lockout.

The message will be customized for each user with the following built-in variables: 

  • {time}: indicates the number of seconds users must wait before entering a new verification code to attempt logging in again.

Delete 2FA Data on Plugin Uninstall

Activate this option if you want all 2FA-related data to be deleted when the Hide My WP Ghost – Advanced Pack plugin is uninstalled.

When you are satisfied with your settings, click on “Save” to save them.
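A model of how the “Max fail attempts” and “Ban duration” settings described for both 2FA Code and Email Code interact, as an added example that is not the plugin's own code. The message wording, the reset-on-success behaviour and the class and function names are assumptions; only the defaults (5 attempts, 900 seconds) and the {count} and {time} variables come from the page.

```python
import math

MAX_FAIL_ATTEMPTS = 5   # page default
BAN_DURATION = 900      # page default, in seconds
# Constructed message templates using the variables the page documents.
FAILED_MSG = "{count} failed code attempts on your account, last one {time} ago."
LOCKOUT_MSG = "Too many invalid codes. Try again in {time} seconds."


class LockoutPolicy:
    def __init__(self, max_fails=MAX_FAIL_ATTEMPTS, ban_seconds=BAN_DURATION):
        self.max_fails, self.ban_seconds = max_fails, ban_seconds
        self.ip_fails = {}      # ip -> bad codes since last success or ban
        self.banned_until = {}  # ip -> unix time the ban ends
        self.user_fails = {}    # user -> (count, time of last failure)

    def attempt(self, ip, user, code_ok, now):
        """Return (status, message) for one code submission at time `now`."""
        until = self.banned_until.get(ip, 0)
        if now < until:
            # During a ban even a correct code is refused.
            return "locked", LOCKOUT_MSG.format(time=math.ceil(until - now))
        if code_ok:
            self.ip_fails.pop(ip, None)
            count, last = self.user_fails.pop(user, (0, now))
            if count == 0:
                return "ok", ""
            minutes = int(now - last) // 60
            return "ok", FAILED_MSG.format(count=count, time=f"{minutes} min")
        count, _ = self.user_fails.get(user, (0, now))
        self.user_fails[user] = (count + 1, now)
        self.ip_fails[ip] = self.ip_fails.get(ip, 0) + 1
        if self.ip_fails[ip] >= self.max_fails:
            self.ip_fails.pop(ip)
            self.banned_until[ip] = now + self.ban_seconds
            return "locked", LOCKOUT_MSG.format(time=self.ban_seconds)
        return "denied", ""


def guesses_per_day(max_fails=MAX_FAIL_ATTEMPTS, ban_seconds=BAN_DURATION):
    """Upper bound on code submissions one IP gets per day under this policy."""
    return max_fails * math.ceil(86400 / ban_seconds)
```

With the defaults, one IP address gets at most 480 submissions per day against a 6-digit code space of 1,000,000 values; raising the ban duration or lowering the attempt limit shrinks that number further.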

All done! If you followed the steps from this tutorial, you’ve now got Two-factor Authentication (2FA) up and running on your WordPress site. Great job!


Monitor 2FA Logins

To reach this option, go to Hide My WP > 2FA Login > 2FA Logins

Once you configure 2FA for your website, you will be able to monitor your 2FA Logins from a centralized panel.

Here is the information you will be able to view in this section:

  • Email: Shows the email address used for the 2FA login attempt.
  • Last Access: This timestamp indicates the most recent time a user logged in using 2FA. This is helpful in monitoring the activity patterns of users and identifying any unusual access times.
  • Mode: Indicates whether the 2FA login attempt was successful or failed. Monitoring failed login attempts can help in identifying and preventing unauthorized access attempts.
  • Login: Displays the method of 2FA used for the login – either ‘2FA Code’ or ‘Email Code’.

Adding 2FA not only amplifies the security of your site but also offers peace of mind by ensuring that only authorized users can gain access. Always ensure you’re regularly checking the 2FA login monitor for any unusual activity.


A Few Extra Tips for You:

  • Don’t overlook the importance of backup codes: Don’t forget to generate and keep backup codes somewhere safe. Those will come in handy in case you lose access to your authentication app or registered email address.
  • Test your 2FA: Validate the functionality of your 2FA. You want to be certain it’s working as it should and that you can access your site with these enhanced security measures in place.
  • Update your plugins regularly: Make sure to always keep your plugins, including Hide My WP Ghost, up-to-date, as updates often address vulnerabilities and enhance overall performance.

By using Hide My WP Ghost, you can easily add two-factor authentication to your WordPress sites. Whether you go with 2FA code or email code verification, it’s a big step up for your site’s security.

Give it a try today to further reduce the risk of unauthorized users gaining access to your site!