Require a second factor at login
WARNING: Enabling MFA can prevent users from logging in if they lose access to their second factor. Make sure you have at least one recovery method available before you require MFA for critical roles.
WARNING: Only one MFA system should protect a login flow at a time. If you already enforce MFA with another plugin or external identity provider, leave this MFA feature disabled and mitigate the finding instead, noting which solution you use.
WARNING: In Community Edition, all features are supported on a best-effort basis only. This feature affects the logon flow within WordPress.
Description
Use Require a second factor at login to enable multi‑factor authentication (MFA) for selected user roles. When enabled, users in those roles must complete an additional verification step (authenticator app or email code) when they sign in.
This control is part of the Authentication & Accounts → Multi‑Factor Authentication (MFA) card.
Procedure
- In WordPress admin, open Posture Management.
- Select Authentication & Accounts.
- In the Multi‑Factor Authentication (MFA) card, turn on Require a second factor at login by enabling Enable MFA.
Choose an MFA method (site‑wide)
- Under MFA method site‑wide, select one of:
  - Authenticator app (recommended)
  - Email one‑time code (lower security)
Configure email code delivery (if using email)
- In Email Code Delivery, choose:
  - AJAX (recommended), or
  - Fallback link action for restrictive environments.
- If your site blocks admin-ajax.php or a WAF interferes with AJAX requests, use Fallback link action.
Configure the MFA setup page
- Create a WordPress page that contains the MFA setup shortcode (the placeholder text “MFA is not required for your account.” shown on that page is replaced by the setup UI once MFA is configured).
- In MFA Setup Page, select the page you just created from the dropdown.
Configure self‑service MFA reset (optional)
- To allow users to reset MFA themselves, enable Allow Self Service MFA Reset.
- Select the recovery methods you want to allow. Username/password plus at least one of these recovery methods will be required to reset MFA.
- Create a WordPress page for self‑service reset and add the reset shortcode (for example, the placeholder “Self-service MFA reset is not enabled. Contact your administrator.” will be replaced by the reset UI).
- In the self‑service reset dropdown, select the page you just created.
Require MFA for specific roles
- In Require MFA for roles, select the roles that must use MFA when logging in.
- To satisfy the scanner requirement, ensure Administrator is selected at minimum.
- Review all MFA settings (method, email delivery, setup page, reset page, and roles).
- Click Save Authentication Settings.
Validation
- If Allow Self Service MFA Reset is enabled, visit the reset page, follow the reset flow with a test account, and confirm that MFA can be reset using the allowed recovery methods.
- Sign out, then sign in with a test user whose role is included in Require MFA for roles.
- Confirm that the user is prompted to configure or use MFA during login.
- If Authenticator app is selected, verify that an app‑generated code is accepted and completes the login.
- If Email one‑time code is selected, verify that the code is delivered and accepted.
