How to configure 2FA policies to make 2FA mandatory for website users

All your WordPress website users should use two-factor authentication (2FA) for it to be an effective security solution. If that is not possible, at least the users who have privileges to make changes on the website, such as users with the administrator, editor and author roles, should use 2FA.

With the WP 2FA plugin you can configure policies to make 2FA compulsory. This document explains how you can configure the policies and enforce 2FA on your WordPress website.

Make 2FA mandatory for all your WordPress site users

Once you install the WP 2FA plugin:

  1. Navigate to Settings > Two-factor authentication in the WordPress dashboard.
  2. Select the option All users in the Enable 2FA on setting.

Enforce 2FA on all WordPress users

  3. Scroll down and, in the Grace period setting, configure whether users are required to set up 2FA the next time they log in, or whether they get a grace period. When a grace period is used, users have to configure two-factor authentication within that period, otherwise they won’t be allowed to log in to the website.
  4. Click Save Changes to save the plugin settings.

Once you enable two-factor authentication, your users receive an email and also get a notification when they log in to the website, as explained in how can 2FA be enforced on WordPress sites.

Require only WordPress users with a specific role or specific users to use 2FA

Once you install the WP 2FA plugin:

  1. Navigate to Settings > Two-factor authentication in the WordPress dashboard.
  2. Select the option Only for specific users and roles in the Enable 2FA on setting.
  3. Specify the roles and the usernames of the users who must enable two-factor authentication in their respective fields.

The 2FA user policies in the WP 2FA plugin

  4. Scroll down and configure how long the grace period should be in the Grace period setting. Users have to configure two-factor authentication within this grace period, otherwise they won’t be allowed to log in to the website.
  5. Click Save Changes to save the plugin settings.

Once you enable two-factor authentication, your users receive an email and also get a notification when they log in to the website, as explained in how can 2FA be enforced on WordPress sites.

Do not enforce 2FA on WordPress users

Although it is not recommended, it is also possible to simply not enforce 2FA. This is the default option. When the Enable 2FA on setting is set to Do not enforce 2FA on any users, users won’t get any notification to configure and use 2FA. However, users can still configure 2FA from their profile page.

Add an extra layer of security to your WordPress site; download WP 2FA today!

What happens when you enable the 2FA policies?

1.  Users are notified to configure two-factor authentication

When the administrator makes 2FA compulsory on a website, the plugin sends an email to the affected users notifying them to set up 2FA.

Email notification to user to enable 2FA

Users are also shown a notification in the WordPress dashboard each time they log in to the website:

2FA notification in dashboard

Users also have a grace period within which they must configure two-factor authentication for their WordPress user accounts.

2.  Users have to set up & use 2FA

Once the users are notified, they should set up two-factor authentication (2FA) by clicking the Configure 2FA now button in the dashboard notification. Users can also configure 2FA by clicking Configure Two-factor authentication (2FA) in their user profile page.

Users can launch the 2FA wizard from their profile page

Configuring two-factor authentication for your WordPress user is really simple. It just takes a few seconds.

What happens if WordPress users do not configure two-factor authentication?

Users are given a grace period to configure two-factor authentication. The grace period is configured by the site administrator. If someone does not configure 2FA within the grace period, their WordPress user is locked and they cannot log in to the website.

WordPress users locked

When the site administrator unlocks the locked WordPress user, the user can log back into the website and the grace period is reset.
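The policy behaviour described on this page (the three Enable 2FA on modes, the optional grace period, the lock when it expires and the reset on unlock) is small enough to model end to end. The following is an added illustrative model written for this article, not the WP 2FA plugin's own code or option names; the policy modes, user roles and the sample clock are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
DAY, T0 = timedelta(days=1), datetime(2024, 1, 1)  # constructed sample clock
@dataclass
class Policy:
    mode: str                                    # "all", "specific" or "none"
    roles: set = field(default_factory=set)      # used when mode == "specific"
    usernames: set = field(default_factory=set)  # used when mode == "specific"
    grace: timedelta = None                      # None = set up 2FA at next login

@dataclass
class User:
    username: str
    role: str
    has_2fa: bool = False
    notified_at: datetime = None  # when the enforcement email went out
    locked: bool = False

def is_required(policy, user):
    """Does the policy apply to this user? "none" prompts nobody."""
    if policy.mode == "all":
        return True
    if policy.mode == "specific":
        return user.role in policy.roles or user.username in policy.usernames
    return False

def enforce(policy, users, now):
    """Admin saves the policy: affected users without 2FA are emailed; grace starts."""
    hit = [u for u in users if is_required(policy, u) and not u.has_2fa]
    for u in hit:
        u.notified_at = u.notified_at or now
    return [u.username for u in hit]

def login(policy, user, now):
    """Outcome of a login attempt: allow, remind, setup_now or locked."""
    if user.locked:
        return "locked"
    if not is_required(policy, user) or user.has_2fa:
        return "allow"
    if policy.grace is None:
        return "setup_now"  # no grace period: the wizard must be completed first
    user.notified_at = user.notified_at or now  # grace runs from first notification
    if now - user.notified_at >= policy.grace:
        user.locked = True  # grace period expired without 2FA
        return "locked"
    return "remind"  # inside the grace period: logged in, dashboard notice shown

def unlock(user, now):
    """Administrator unlocks the user; the grace period restarts from now."""
    user.locked = False
    user.notified_at = now
```

A user who already has 2FA, or whom the policy does not cover, is never reminded or locked; an unlocked user gets a full grace period again, so unlocking without following up only postpones the lock.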
