Use Two-Factor Authentication to Make Your Site More Secure

Looking for a way to add an extra layer of protection to your site security? Two-factor authentication (2FA) might be your best bet. 2FA can be used along with your traditional login credentials to make it even harder for unauthorized users to log into your account (even if they have your password).

Let’s review why enabling 2FA will benefit your site security, and how it can stop hackers in their tracks.

Getting hacked has major consequences

With the help of complex algorithms, social engineering, and other tools, hackers are capable of breaking into vulnerable websites to perform malicious acts. These acts can range from blackhat link building (creating backlinks to their own sites) and replacing affiliate links, to adding malicious code, breaking the functionality of any WordPress plugins you have installed, generating spam content, and redirecting your WordPress users to harmful sites.

Most of these activities are hard to detect unless you are constantly monitoring your site with a robust WordPress security plugin. Undetected and unresolved, these vulnerabilities can result in lower search engine rankings and getting blacklisted by anti-virus service providers, effectively blocking off traffic from your content, blog, WooCommerce store, or business website.

You will then have to manually purge the malware and spam from your site while filing an appeal against the ban, or pay an agency to do it for you.

Site security is more than just a good password

As hackers and cybercriminals become more advanced, traditional usernames and passwords are not enough to protect your website (especially if you’re in the habit of recycling passwords for multiple accounts). Even if you’re using strong passwords wherever you log in (and most people aren’t!), password data has to be stored somewhere. If that server is breached, your logins can be laid bare for all to see. Even if the data remains secret, sites that allow unlimited login attempts can give away your password to attackers by sheer brute force. 

Fundamentally, passwords, however strong, are what’s known as “single-step” authentication. You enter your password on the login page and the site lets you in. This creates a single point of failure. 

Adding an additional authentication step adds an extra layer of security. Two passwords are better than one, right? Well, not really, because all the weaknesses are the same for two passwords as one – it just might take a little more time to crack those weaknesses.

To really improve login security in a meaningful sense, we need to start thinking in terms of factors. These are entirely different categories of authentication methods that don’t have overlapping weaknesses, and fall broadly into three categories:

  • Something you are: factors unique to you, e.g. fingerprints, face ID, even DNA. These are, of course, very difficult to forge, and can never be lost or forgotten.
  • Something you have: traditionally (in a digital sense, anyway) this meant a keychain fob or other dedicated HOTP authentication device, but more commonly now means using something on your mobile phone that can be accessed if you actually have your phone to hand, e.g. a phone call, a passcode in a text message, a push notification, or a mobile app like Authy or Google Authenticator. All these will provide users with a one-time password (OTP) that they need to enter within a set period of time to complete the login process.
  • Something you know: this generally means a password, but also includes those security questions about the name of your first pet, the street you grew up on, and so on. When you think about security in this way you can see that “security questions” don’t actually include that all important second factor, as they’re simply a different kind of password; this is why there has been a large-scale move to 2FA. 

The upshot of this, when it comes to WordPress two-factor authentication (unless you’ve somehow managed to generate and store a customer DNA database on your WordPress website), is that when logging into 2FA-enabled accounts, users will be prompted to input an extra piece of information (generally a TOTP six-digit verification code) generated by a device like their smartphone.

Once you implement 2FA for your user profile, you can choose whether you want to use it every time you log in, or enter it once every 30 days.

Stop the hack before it happens

2FA activation can save you a lot of time, grief, and hard work. The chances of someone else using your WordPress login credentials to take over your site are minimized with 2FA, as no one else can log into your accounts without the verification codes generated by your own device, which will probably be within arm’s reach at all times (especially if it’s your phone).

2FA, combined with Jetpack’s spam filtering and brute force attack protection, will help to keep you and your site visitors safe from a variety of cyberattacks, while guaranteeing that people experience your site the way that you intended them to.

Enable 2FA using Secure Sign On

By activating Secure Sign On, you’re able to register for and log in to self-hosted sites securely and quickly using your credentials.

Jetpack will allow you to add 2-factor authentication to your WordPress site, requiring users to authenticate their logins with a special code or app.

Visit the Two-Step Authentication page to configure 2FA on your account. You’ll be asked to provide your phone number in order to verify your identity (via SMS or an authenticator like Duo, Authy, or the Google Authenticator app, all of which are available on both iPhone and Android).

If you choose to verify via SMS, a seven-digit code will pop up on your phone. Enter this number into the appropriate field in the login form and click Enable.

If you choose to verify via an authenticator app, scan the QR code displayed on-screen with your authenticator app. A six-digit code (that automatically refreshes as an added security measure) will then appear. Enter this into the blank space provided and click Enable.

Once you enable 2FA on your WordPress account, you’ll be prompted to save a copy of your backup codes. You can use these codes to log back into your account in case your authenticator app glitches or your device goes missing.
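How the refreshing six-digit authenticator code is derived and checked on the server side, shown as an added example (not Jetpack's or WordPress.com's own code). It follows RFC 4226/6238; the function names are illustrative and the secret is the published RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid (RFC 6238 default)
DIGITS = 6   # code length shown by authenticator apps

def decode_secret(b32: str) -> bytes:
    """The QR code carries the shared secret as base32 text."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, now: float) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, int(now) // STEP)

def verify(secret: bytes, submitted: str, now: float,
           last_used_step: int, drift: int = 1):
    """Return the accepted time step, or None if the code is rejected.

    Tolerates +/- `drift` steps of clock skew, compares in constant time,
    and skips any step <= last_used_step so a captured code cannot be reused.
    """
    current = int(now) // STEP
    accepted = None
    for step in range(max(0, current - drift), current + drift + 1):
        if step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step).encode(), submitted.encode()):
            accepted = step
    return accepted

# Constructed sample: the published RFC 6238 test key, base32-encoded.
SECRET = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    step = verify(SECRET, totp(SECRET, 59), now=59, last_used_step=-1)
    print("accepted step:", step)
    print("replayed:", verify(SECRET, "287082", 59, last_used_step=step))
```

A server would persist the returned step per user and pass it back as `last_used_step` on the next login, and would rate-limit failed attempts, since a six-digit code has only a million possible values.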

Don’t let your site fall into the wrong hands

If it can happen to Equifax, Uber, and Yahoo!, it can happen to anyone. Prevent your site from falling victim to malicious attacks by enabling two-factor authentication to add an extra layer of protection to the content you’ve worked so hard to build out.

What other security measures have you implemented on your Jetpack site? Share your tips in the comments section!

This entry was posted in Security.

Antony Agnel

I love helping people use WordPress and get better at blogging every day. Been doing that for 7+ years now.


  1. Tom says:

    Hi Antony, I use the DUO plugin for 2FA because it has one big advantage. You can install the DUO app on your mobile, and when you log in, a message is pushed to this app and it opens a screen that lets you choose “Yes” or “No”. So no typing of SMS codes. Recently DUO was bought by Cisco, so its future seems pretty sure, and if Cisco buys it, it must meet their security standards. One other thing: SMS codes are not considered very safe anymore. They show up on your phone’s lock screen if you don’t block that, and SMS can be spoofed.

