Enabling two-factor authentication, or 2FA, is one of the most important steps you can take to prevent account compromise.


Two-factor authentication is an additional login security feature that is used by banks, government agencies, and the military worldwide. It is one of the most secure forms of remote system authentication.


This method of signing into your Wordfence Central account relies on something you know and something in your possession. That is why it is referred to as two-factor, because two factors are involved in authenticating you. In this case, you know your password, and you are in possession of your cell phone. If we can verify both of these, then we know that it is OK to allow you to access your Wordfence Central account.


Most TOTP (Time-based One-Time Password) authenticator apps should work with Wordfence two-factor authentication. We have tested the following apps, available for Android, iOS and Windows devices, which worked at the time they were tested:


  • Google Authenticator (recommended and easy to use)
  • Microsoft Authenticator (recommended and easy to use)
  • Authy
  • FreeOTP
  • LastPass Authenticator
  • Duo Mobile


Enabling two-factor authentication:

1. Go to the Wordfence “Login Security” page.

For admins, this is on the main Wordfence menu.

For other users, this is a separate menu item with a Wordfence logo.

You can also access the setting by browsing to domainname.com/wp-admin/profile.php

Note: replace domainname.com with your website's domain.

2. Open your authenticator application and add a new entry. Most apps have a plus sign symbol or a tiny QR code symbol.

3. Scan the QR code on the “Login Security” page. Your authenticator application should then display a six-digit code.

If you are accessing a site on a phone or tablet and obviously cannot point the camera at its own screen, you can copy the line of letters and numbers below the QR code, and paste that in an application, using the application’s “manual” setup option.

4. In the “Download recovery codes” section, click the “Download” button.

Recovery codes can be used if you lose your device.

Print or save the file, and store it in a safe place.

5. Enter the six-digit code that appears in your authenticator application.

This code changes every 30 seconds.

If the code expires, you can enter the next code instead.

6. Click the “Activate” button.

If this is your first time setting up two-factor authentication on a site then you may want to try logging in to the site in a different browser, or in a private or incognito browser window, to check for any compatibility issues before logging out.
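How the six-digit code from steps 3 and 5 is derived and checked, as an added Python example (not Wordfence's own code): it follows RFC 6238 with HMAC-SHA1 and shows why the manually copied key and the 30-second interval matter. The sample secret, the `window` drift tolerance and the `last_used` replay check are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid, as stated on this page
DIGITS = 6   # code length, as stated on this page

# Constructed sample secret: the RFC 6238 test key, Base32-encoded the way
# the "line of letters and numbers" under the QR code is.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, unix_time: float) -> str:
    """Derive the code for the 30-second step containing unix_time."""
    # Tolerate how a manually typed key arrives: spaces, lowercase, no padding.
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int(unix_time // STEP)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, submitted, unix_time, window=1, last_used=None):
    """Return the matching step counter, or None if the code is rejected.

    window: neighbouring steps accepted to absorb clock drift (assumption).
    last_used: highest counter already accepted, so a code cannot be replayed.
    """
    code = submitted.replace(" ", "")
    if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
        return None
    now = int(unix_time // STEP)
    for counter in range(max(0, now - window), now + window + 1):
        if last_used is not None and counter <= last_used:
            continue
        if hmac.compare_digest(totp(secret_b32, counter * STEP), code):
            return counter
    return None


if __name__ == "__main__":
    print(totp(DEMO_SECRET, 59))                           # code for step 1
    print(verify(DEMO_SECRET, "287082", 65))               # one step late
    print(verify(DEMO_SECRET, "287082", 65, last_used=1))  # replayed code
```

Because both sides compute the code from the shared secret and the clock, a phone whose time is wrong by more than the accepted window will produce codes the site rejects.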


How to log in with two-factor authentication

Steps to log in:


1. Enter your username and password and press the “Log In” button.

2. When the “2FA Code” prompt appears, enter the code from your authenticator application.


If you use two-factor authentication for multiple sites, be sure to pick the correct site.

3. Press the “Log In” button.

If you use another incompatible plugin or theme that modifies the login page and you cannot see the “2FA Code” prompt, or if you prefer a slightly quicker method, you can also enter a two-factor authentication code directly after your password, in the same field:

1. Enter your username and password, but do not press the “Log In” button yet.

2. Immediately after your password, enter the code from your authenticator application.

If you used the old Wordfence two-factor authentication, note that you no longer need to enter a space or letters.

For example, if your password is w0rdf3nce#! and the code is 233455 then enter w0rdf3nce#!233455.

3. Press the “Log In” button.


How to use recovery codes

The recovery codes that you saved or printed during setup can be used if you ever lose your authenticator device, if you remove the application, or you remove your site’s entry by mistake. Make sure that you store these codes in a safe place.


Because they do not expire, recovery codes are longer than normal codes. They are 16 letters and numbers instead of only 6 numbers, but each code can only be used once. An example recovery code looks like 5199 5c24 77dc 0ed7.


The login process is the same as using a code from an authenticator application:


1. Enter your username and password and press the “Log In” button.

2. When the “2FA Code” prompt appears, enter a recovery code.

Remember, recovery codes are longer than regular two-factor authentication codes.

In this example, we would enter 5199 5c24 77dc 0ed7.

3. Press the “Log In” button.

Each recovery code can only be used once. You can generate new recovery codes on the “Login Security” page of your site. This is useful if you have used most of your codes, or if you lose the codes you previously saved or printed. Generating new codes will invalidate the previous codes.