2FA and reCaptcha

Hi @hampalm1, thanks for getting in touch.

Wordfence 2FA settings, when enabled and correctly configured, should appear for all enabled user roles in their Edit Profile page where they can modify display name & contact details etc., which can be accessed by all signed in user levels at /wp-admin/user/profile.php even if they cannot see the admin dashboard.

Don’t forget to also enable 2FA for the appropriate user roles if you haven’t already by using the checkboxes at Wordfence > Login Security > Settings > Enable 2FA for these roles

Wordfence offers 2FA as a general solution that can be added to a number of authenticator applications. Google Authenticator and Authy are two popular mobile solutions, but a number of password managers and Authy’s desktop application can be used to store 2FA details on laptops and other non-mobile devices.

Let me know how you get on!

Peter.

Thanks for getting back to me. Since usgin Wordfence I do feel more secure however, I do have to say I wish your 2FA solution was more user-friendly It’s fine for me as the admin and I use it. But I’ve recently had a number of freelance developers trying to access my site using credentials I give them but Wordfence 2FA just creates a roadblock for them and I have to turn it off. I would love to have 2FA enforced for all roles but I cant expect everyone to have or want to have an app on their phone. So at the moment I’m not sure Wordfence 2FA is a suitable solution for me but correct me if I am missing anything about this feature.
Thanks

Hi @hampalm1,

The most critical recommendation I would make is that 2FA and reCAPTCHA should be enabled for anybody with administrative access to your site, along with encouraging strong unique passwords – a password manager can naturally help here. I’d be very surprised if developers aren’t already using 2FA applications anywhere else on the web at all, but this may not be the specific issue you’re having.

If you have any feedback on options you’d like to see to make things easier from your point of view, by all means put them forward and I will be more than happy to discuss them with the rest of the team for possible inclusion in future releases of Wordfence.

Thanks again,

Peter.

I always set their accounts up, so they have strong passwords although they can obviously always change them. Unfortunately I’ve found wordfence 2FA has caused me problems everytime I’ve had diferent developers investigate issues on my site. Every time I’ve had to turn it off. I guess its the fact it assumes the user has an authenticator app doesn’t help. but I think from what they’ve told me it doesnt even ask them for a code, I think it just tells them they are locked out.

Hi @hampalm1,

If the external developers are not administrators, they should be able to set up 2FA optionally from the profile page I mentioned before. If they are set as administrators, and “Require 2FA for all administrators” is checked, the initial sign-in may be blocked as you have experienced unless a grace period is also set in Wordfence > Login Security > Settings so that they can log in at least once without the 2FA code. Just add a future date and instruct the developer that they need to configure this ASAP.

Thanks again,

Peter.

OK, thanks Peter