2-factor authentication (2FA) is one of the best ways to secure account access - for any platform, WordPress included. It presents an extra obstacle, another layer of complexity to unauthorised account access.
How to set up Shield's email-based 2FA?
When configuring Shield's email-based 2FA, it is very important to know the difference between the User Email Address and your WordPress Site Email Address:
- 2FA: User Email Address - Every username is connected to a specific email address. When you try to log in with a username, the verification email will always be sent to the email address connected to that username.
- 2FA: WordPress Site Email Address - This is your site's email address. By default, Shield uses that email address for sending reports. If you want to be sure what your site email address is, go to your WordPress Dashboard and see Settings => General Settings. If you want to see (or change) the email address Shield uses for sending reports, go to Shield plugin => Dashboard => Plugin Defaults => Report Email and enter the email address you want.
To set up Shield's email-based 2-factor authentication (2FA) properly, please follow these steps:
- Open Shield's Login Guard module and click on the 2FA-Email feature.
- Click the slider to turn on the "Enable Email Authentication" option. Note: After enabling this option, your WordPress Dashboard will display the following message: "Before completing activation of email-based two-factor authentication we need you to confirm your site can send emails. Please click the link in the email you received.....". If you want to remove this message from your WordPress Dashboard, click the slider to disable the "Email Authentication" option or click the verification link (by proceeding with the next steps).
- Select the user roles you want to be subject to email authentication. Note: To select multiple user roles, hold the CTRL key.
- Before completing activation of email-based 2FA, Shield will send you an email to confirm your site can send emails. The email subject will be "Email Sending Verification For xxx". Important: Pay attention to the email address Shield points out in the email text. That email address is your WordPress site email, not your user email. The inbox of your WordPress site email address is the right place to look for the verification email. If you can't find it in the inbox, check the spam folder.
- Copy and open the link provided in the verification email to confirm your site can send emails.
- 2FA is now set, and the next time you try to log into your site, Shield will ask you (the user) to verify yourself. If you've also enabled "Google Authenticator" along with "Email Authentication" (multi-factor authentication), you will have to enter your username and your password, and check the box to confirm "You're a human".
- You will also be prompted to enter the Authentication Code. Note: The Authentication Code will be sent to the email address of the user. If it's not in the inbox, check the spam folder.
- Once you enter the code, you will have access to your WordPress site.
Email-based 2-Factor Authentication may seem complicated to set up, but once you go through the whole settings process (the steps listed above), you'll see how easy it actually is. It is worth your time because Shield's 2FA will keep you safe and protected.
Important: You can also use the Walk Through Wizard to set up multi-factor login authentication (using Email and Google Authenticator) and to set up email authentication reliably on your server, verifying that your site can actually send emails.
You can access it by going to the Login Protection module and clicking on the blue Wizard link on the upper right.
Please also read the following help articles:
- What is Login Guard module and how does it work?
- What is 2-Factor Authentication?
- What is 2-Factor Authentication by email?
- How to add 2FA to WordPress site?
- You haven't received user verification email. What should you do?
- 2FA process: You're locked out of your own site. What should you do?