A brute-force attack is the most common hacking attempt on WordPress sites. In this type of attack, hackers try to guess your username and password using many computers (often hundreds or even thousands), referred to as a botnet. The best defense against a brute-force attack is to use a unique and complicated password and have 2FA enabled.
Two-Factor Authentication (2FA) is an additional login security measure that prompts for a second login credential after you enter your correct username and password. For an attacker to log in to a site with 2FA enabled, they must have both the password and the user’s One Time Password (OTP). A Wordfence OTP is a random number that changes every 30 seconds and is based on a secret key and the current time.
- You will need a computer and your mobile device.
- Open Authy on your mobile device. If you do not have Authy installed, go to the App Store or Google Play Store on your mobile phone and install it.
(If preferred, you can also use Google Authenticator, FreeOTP, DUO, etc. Most time-based OTP apps are compatible.)
- Follow the on-screen setup instructions. You will be asked for your phone number and email address. Allow all prompts for permission.
- Tap Add Account
- Tap Scan QR Code
- On your computer, open your web browser and go to the WP Admin at https://your-website-here/wp-admin
- Log in if prompted
- Click on Profile or Users > Profile in the left menu.
- Scroll down to the bottom of the page and click on Activate 2FA
- Point the phone’s camera at the QR Code displayed on your computer
- Tap Save
- On your computer, enter the 6-digit code from Authy into the box under "2. Enter Code from Authenticator App"
- Click Activate
- Download your recovery codes and save them in a safe place. You can use your recovery codes if you forget or lose your phone.
- Log out of WordPress
- Log in to WordPress
- When prompted for your 2FA code, enter the 6-digit number displayed in Authy.
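
How a 30-second, 6-digit OTP like the one described above is computed from the secret key and the current time, and how a login check can validate it. This is an added example, not Wordfence's code: it assumes the standard TOTP algorithm (RFC 6238 with HMAC-SHA1) that apps such as Authy, Google Authenticator and FreeOTP implement, and the `verify` helper, its `drift` and `last_counter` parameters and the sample secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code is valid, as described above
DIGITS = 6   # length of the code typed at login

def totp(secret_b32, at=None, step=STEP, digits=DIGITS):
    """Return the RFC 6238 code (HMAC-SHA1) for the Unix time `at`."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""))
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, at=None, drift=1, last_counter=-1):
    """Check a submitted code, tolerating `drift` time steps of clock skew.

    Returns the matched time-step counter, or None on failure. The caller
    stores that counter and passes it back as `last_counter`, so a code
    that was already accepted cannot be replayed within its window.
    """
    now = time.time() if at is None else at
    current = int(now // STEP)
    for counter in range(current - drift, current + drift + 1):
        if counter <= last_counter:
            continue  # this step (or an earlier one) was already used
        expected = totp(secret_b32, at=counter * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None

# Constructed sample secret: base32 of the RFC 6238 test key
# "12345678901234567890". A real secret is what the QR code carries.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("code for the current 30-second window:", totp(SAMPLE_SECRET))
```

The secret never leaves the phone or the server after the QR code is scanned; only the short-lived code crosses the network, which is why a stolen password alone is not enough to log in.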