In this article, I’ll be showing you step-by-step how to set up two-factor authentication (2FA) for your WordPress website. I’ll walk you through how to install the Security Optimizer Plugin by SiteGround (formerly known as SG Security Plugin), which is an awesome, free WordPress security plugin that comes with two-factor authentication built-in.


How to Install SG Security Plugin for WordPress

Navigate to the Plugins Page of the WordPress Admin Area

For starters, once logged into your WordPress website, hover over “Plugins” in the main menu and click the “Add New” submenu option (red arrow in the above image). This will take you to the Plugins Repository where you can browse plugins available for WordPress (as discussed in Lecture 74: Install & Activate a Plugin).

Search for "SG Security" in the WordPress Plugin Search Bar and Click Search

In the work area titled “Add Plugins,” find the Keyword search bar towards the top right (outlined in blue in the above image). Type “SG Security” in the search field, then click the “Search” button (red arrow). Find the “SiteGround Security” plugin (also called “Security Optimizer by SiteGround” for newer versions) from the search results and click “Install” to add the plugin to your site.

Click Activate Button to Activate SiteGround Security Plugin for WordPress

Once the plugin has finished installing, click “Activate” (green arrow) to enable the plugin. (Note: I recommend checking your live site to ensure everything still displays properly. I do this with all new plugins I install on my websites, as new plugins can interact with previously installed plugins or themes and break the site.)

How to Enable Two-Factor Authentication with Security Optimizer by SiteGround

Navigate to SG Security, Login Security Inside WordPress Admin Area

Once the SG Security plugin is installed and activated, navigate to the Login Security section of the plugin by hovering your mouse over “SG Security” in the main menu and clicking “Login Security.”

Enable 2FA

Click the Toggle Next to Two-Factor Authentication to Enable 2FA

In the “SiteGround Security – Login Security” work area, scroll down to where it says “Two-factor Authentication for Admin & Editors Users (Recommended).” 

IMPORTANT NOTE: Before you toggle Two-Factor Authentication “on” for the next step, make sure you know your site’s admin username and password. You will still be able to log in using the WP Admin link via your host (i.e. through SiteGround hosting), but in order to successfully verify your two-factor authentication and finish setting it up, you’ll need to log in to WordPress from the traditional login screen with your username and password.

Now time for the next step!

You’ll see a toggle here (red arrow in the above image) – click the toggle to enable two-factor authentication.

Toggle Enabled for 2FA in SiteGround Security Plugin for WordPress

The toggle will turn purple once it’s enabled (red arrow) and you’ll see a “Success!” message in the upper right portion of your screen (blue arrow).

From this point, if you try to make another change to your site or navigate to another work area, you’ll automatically be logged out of WordPress. This is because you need to finish setting up 2FA using your smartphone.

(Again, as I mentioned above, you can always get back into your site by logging into your host – i.e. Siteground – then clicking the “WP Admin” link to get back to the WordPress Dashboard).

From the login page that appears, use your admin username and password to log back in.

2-Factor Authentication Activation Page with QR Code and Authentication Code WordPress

Upon logging in, you’ll be taken to the screen pictured above labeled “2-factor Authentication” with some instructions (red arrow), a QR code (blue arrow – I blurred mine out for security purposes), a “Secret Key” (yellow arrow – again, blurred out for security), and a text field for an “Authentication code” (green arrow). This information will come in handy once you’ve downloaded the Google Authenticator app to your phone.


Install the Google Authenticator App on Your Smartphone

Next, download the Google Authenticator app to your phone via the App Store (the app is free). Simply search for “Google Authenticator” and click the “Get” or “Download” button to download the app to your phone.

Once the app is downloaded to your phone, click the app icon to open it (or click the “Open” button from the app store once it finishes downloading).

Once the app is open on your phone, click the small “Get Started” link towards the bottom of the screen. Next, you can choose to either “Scan QR Code” or “Enter a Setup Key.” Scanning the QR code is faster/easier, so I recommend choosing this option – but either option will work.

If you selected the “Scan QR Code” option, the app will access your camera (make sure to give it permission to do so if prompted). With the camera open, center the QR code from the “2-factor Authentication” page (pictured above) inside the green square that displays on your phone’s screen.

Enter Your Authentication Code

Authentication Code and Timer Generated by Google Authenticator

After scanning the QR code, you’ll now see your website property listed in the app, along with a set of randomly generated numbers (red arrow in the above image) and a circular timer animation (yellow arrow). Type the numbers you see on your phone screen into the “Authentication Code” field displaying on the “2-factor Authentication” page (pictured below).

The numbers inside the Google Authenticator app expire and refresh every 20-30 seconds. The animated timer will start to turn red when the numbers are close to expiring. You can always wait for a new set of numbers to generate to give yourself more time to type the code into the Authentication Code field. 

Enter Google Authentication Code and Click Authenticate in WordPress

Once you’ve added your code, click “Authenticate.”

Save Your Backup Codes (Important)

Save Your 2FA Backup Codes to a Document

You’ll then be taken to a page labeled “Save the Backup Codes.” This step is VERY IMPORTANT and will prevent you from getting locked out of your site should you ever lose your smartphone or somehow lose access to the Google Authenticator app. You will see a list of several numbers displayed on this page (red arrow in the image above – again, I blurred the numbers out for security reasons). I highly recommend either writing these numbers down on a sheet of paper, taking a screenshot of the screen and saving the image on your computer where you can easily find it later, or copying and pasting the backup codes into a Word doc and saving the document.

Confirm Saving 2FA Backup Codes and Click Continue to Finish Setup

Once you’ve copied the backup codes, check the box labeled “I have saved my backup codes” (red arrow in the above image). I highly recommend that you DO NOT SKIP SAVING YOUR BACKUP CODES as most of the negative reviews for the Google Authenticator App are from people who lost access to the app, didn’t save their backup codes, and lost access to their accounts that were linked to the app. Once this box is checked, click “Continue” (green arrow). 

You should then be taken back to the “SiteGround Security – Login Security” work area. That’s it! You’ve successfully set up two-factor authentication and made your login process safer.

That’s it for this tutorial. If you enjoyed it, you can check out my other WordPress tutorials on my site, or enroll in my WordPress course on Udemy.