
Two-factor authentication

Two-factor authentication (also known as multi-factor authentication and 2FA) is a method of securing accounts which not only requires a user to know something (e.g. a password) but also to possess something (e.g. their mobile device). Requiring multiple forms of verification is an easy way to protect your sites against common account breaches caused by leaked or guessed passwords. Two-factor authentication is integrated with all WordPress sites on the VIP Platform.

Enabling two-factor authentication

If you have a WordPress account, to enable two-factor authentication, visit Users > Your Profile and enable your preferred authentication methods in the Two-Factor Options section.

Enforcing two-factor authentication

Two-factor authentication is required on VIP Go for all administrators and custom roles with the manage_options capability. If you’d like to force two-factor authentication for other roles, you can use the wpcom_vip_is_two_factor_forced filter. For example, to enable it for all users that can edit posts:

// Evaluate the capability once the current user has been set, then tell the
// platform whether two-factor authentication is forced for this request.
add_action( 'set_current_user', function() {
    $limited = current_user_can( 'edit_posts' );
    add_filter( 'wpcom_vip_is_two_factor_forced', function() use ( $limited ) {
        return $limited;
    }, PHP_INT_MAX );
} );

Or, to enable it for all users on the site:

add_filter( 'wpcom_vip_is_two_factor_forced', '__return_true' );

Disable two-factor authentication enforcement

If you’re using an external auth provider that already enforces two-factor authentication, you can choose to disable enforcement for users on the site. You can add this to a file inside your client-mu-plugins folder. (Note that with this snippet, the built-in two-factor options will still be available to users.)

add_filter( 'wpcom_vip_is_two_factor_forced', '__return_false' );
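Returning false unconditionally also drops enforcement for any local-password accounts that exist alongside the SSO accounts. The following added example (not from the VIP documentation) keeps enforcement for local accounts that can edit posts and exempts only accounts the external provider has marked; the sso_provider user meta key is a hypothetical placeholder for whatever your SSO plugin actually records.

```php
<?php
/**
 * Added example, not VIP's own code: exempt SSO-backed accounts from
 * two-factor enforcement while keeping it for local-password accounts.
 *
 * Assumption: the SSO plugin stores its provider name in the user meta key
 * 'sso_provider' (hypothetical key; replace with what your provider sets).
 * Place this in a file inside client-mu-plugins, not in the theme.
 */
add_action( 'set_current_user', function () {
    $user = wp_get_current_user();

    // No authenticated user yet: leave the platform default untouched.
    if ( ! ( $user instanceof WP_User ) || 0 === $user->ID ) {
        return;
    }

    // Hypothetical meta key written by the external auth provider on login.
    $sso_provider = get_user_meta( $user->ID, 'sso_provider', true );
    $sso_account  = is_string( $sso_provider ) && '' !== $sso_provider;

    // Force 2FA for anyone who can edit posts, unless the provider already
    // enforced it for this account. Local-password editors stay protected.
    $forced = current_user_can( 'edit_posts' ) && ! $sso_account;

    add_filter( 'wpcom_vip_is_two_factor_forced', function () use ( $forced ) {
        return $forced;
    }, PHP_INT_MAX );
} );
```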

If you’d like to remove the built-in two-factor options completely, you can add the following snippet to a file inside your client-mu-plugins folder:

add_filter( 'wpcom_vip_enable_two_factor', '__return_false' );

Caution

These filters will not work properly if placed in the theme.

Resetting two-factor authentication for locked out users

There are two primary methods available for both admin and super admin user roles to disable two-factor authentication for users that are locked out of their account.

Prior to disabling two-factor authentication, we highly recommend confirming that the user has indeed lost access to their account. Since emails can be faked, we recommend confirming with the individual in person or over the phone.

To disable two-factor authentication, you can do either of the following from the Dashboard under Users > Edit > Two-Factor Options:

  • Deselect all available two-factor methods. This will allow the user to log in without needing any additional code.
  • Enable the Backup Codes option. Then, you can send a backup code to the user that they can use to log in to their account.

Once the user regains access to the account, they can adjust any two-factor settings to prevent losing access moving forward (e.g., resetting the phone number). We also recommend having them print out backup codes to prevent future lockouts.

Last updated: April 09, 2021