Cellphone sign-in

From Wordfence Documentation

Cellphone Sign-In settings are located on a tab of the Tools page in the Wordfence menu.

Wordfence's Cellphone Sign-in uses a technique called "Two Factor Authentication", which is used by banks, government agencies and militaries worldwide. It is one of the most secure forms of remote system authentication, and it is now available from Wordfence for your WordPress website.

This method of signing into your website relies on something you know and something in your possession. That is why it is referred to as two-factor: two factors are involved in authenticating you.

In this case you know your password and you are in possession of your cellphone. If we can verify both of these, then we know that it's OK to allow you to access your website as an administrator.

Wordfence cellphone sign-in is designed to be used mainly by site administrators and other users with high-level access (e.g. publisher access). Please note that this is a premium feature, which means you need to purchase a premium Wordfence key from our website at http://www.wordfence.com to activate cellphone sign-in.

Adding users

On the cellphone sign-in page (Tools menu, Cellphone Sign-In tab), add a user in the box indicated:

[Screenshot: Cellphone-sign-in-add-users.jpg]

Next choose a method of authentication to use. You can choose:

  • Google Authenticator - This uses the Google Authenticator app, available for free from the Google Play store or Apple's App Store. Choosing this method opens a new window with a QR code; scan it with the Google Authenticator app, and the app will then generate the codes you use to log in. After scanning the QR code, enter a code from your authenticator app in the "Enter activation code" field to activate 2FA.
    [Screenshot: GA-authcode.jpg]
    It also provides backup codes that can be used in the event that GA is not working correctly. These codes are one-time use only! Make sure to keep them in a safe place.
    This option should work well for users in India whose cellphone carriers restrict their access during certain hours.
    Note: If you are an administrator setting it up for someone else, you can either screenshot the QR code and email it to the user or provide them with the manual code that they can type into the GA app.
    [Screenshot: GA-authcode-closeup.jpg]

  • Send code to a phone number - This is the method we have traditionally employed for 2FA: a code is generated and sent to your cellphone.
    1. The first step is to enter the username of the user for whom you want to enable cellphone sign-in.
    2. Then enter their phone number below the username, starting with a plus (+) character followed by the country code. You may separate the country code, area code and number with dashes; the separation is not required, it mainly helps you read the number correctly. Note that you may have to remove the leading 0 from the area code.
    3. Click the button to enable cellphone sign-in.
    4. A code will be sent to the user's phone. Ask the user what the code was and enter it in the text field next to the label "Enter activation code".
    5. Click the 'Activate' button.
    6. Cellphone sign-in is now activated for that user.

If you want to disable cellphone sign-in for a user, simply hit the 'delete' link next to their username on the cellphone sign-in page.
Important note for admins: If you are adding multiple users to cellphone sign-in, you must enter the activation codes in the order in which you set the users up. If you add user A, user B and user C, enter the codes in that order when activating them (A, B, C).

Note about both methods:
Regardless of which method you sign the user up for, the user must give you a code after signing up so that you can activate them. If using GA, you can use one of the backup codes provided to activate the user. If using the cellphone method, the user must give you the code within 30 minutes for you to activate them. Enter the code next to the appropriate user in the "Cellphone Sign-in Users" section and click Activate.


Using Cellphone Sign-In

Google Authenticator -

  1. Enter your username and password as normal and hit the login button.
  2. You will be shown a message asking you to re-enter your username and password, followed by a space, "wf", and the code from your authenticator app.
  3. Re-enter your username.
  4. Retrieve your current Google Authenticator code from your phone.
  5. NOTE: Before entering your password with the code, make sure to clear the password field if your browser saved a password there, as the saved value can sometimes be wrong and cause problems.
  6. Enter your password, but this time add a space character to the end of your password followed by "wf" and the code. For example, if your password was w0rdf3nce#! you would enter w0rdf3nce#! wf123456 (substituting your own code).
  7. Hit the login button and it should sign you in.

Traditional cellphone method -

  1. Enter your username and password as normal and hit the login button.
  2. A unique code is sent to your phone via SMS, for example wf5246.
  3. You will be shown a message asking you to re-enter your username and password, followed by a space and the code you were sent.
  4. Re-enter your username.
  5. NOTE: Before entering your password with the code, make sure to clear the password field if your browser saved a password there, as the saved value can sometimes be wrong and cause problems.
  6. Enter your password, but this time add a space character to the end of your password followed by the code you were sent. For example, if your password was w0rdf3nce#! you would enter w0rdf3nce#! wf5246
  7. Hit the login button and it should sign you in.

Enabling the separate prompt for the code

There is a new option to enable a separate prompt for the two-factor (SMS) or GA code. With it enabled, you get a separate prompt for the code after entering your username and password.

[Screenshot: Sepprompt.jpg]

Note: If your theme customizes the login form or login process, or if your host disables the output_buffering PHP option, this may not work. In that case the standard method of entering the password, a space, and wfCode still works. For example, if your password was w0rdf3nce#! you would enter w0rdf3nce#! wf5246, or w0rdf3nce#! wf123456 if using Google Authenticator.

Extra Security

There is also a new option to force all admin users to use 2FA. At least one administrator user must already be using 2FA before this option can be enabled.

[Screenshot: AdminALL.jpg]

Troubleshooting

If using the SMS option and you don't get a code on your phone, try to log in normally again. In the few cases where this has happened, trying again results in a new code being sent.

If you need immediate access to the site, use the cPanel file manager for your site and rename the Wordfence plugin directory, usually found at public_html/wp-content/plugins/wordfence. This immediately deactivates the plugin, which allows you to get in.

Using Recovery Codes

Since version 6.1.11, when setting up Cellphone Sign-in you will be shown a set of "recovery codes" that you can use in the event that you cannot receive SMS messages or have lost your phone. It is recommended that you save these codes somewhere safe in case you ever need them. The codes are only shown once, but you can generate a new set by removing the user's cellphone sign-in settings and following the setup steps again.

To use a recovery code on the login page:

  • Enter your username and password
  • The login screen will refresh
  • Enter your username
  • Enter your password, followed by a space and the letters "wf"
  • Paste or type the entire recovery code

For example, if your password is "MyPassword" and your recovery code is "2ad4 3a8b d727 2938", you would enter: "MyPassword wf2ad4 3a8b d727 2938"

A recovery code expires when it is used. If you use all of the recovery codes, we recommend removing your cellphone sign-in settings for that user, and setting them up again, to get a new set of codes.
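The login convention used throughout this page (password, a space, "wf", then the code) has to be split back apart server-side, and a recovery code is the awkward case because it contains spaces itself, as does a password that happens to contain " wf". The following is an added example written for this page, not Wordfence's code: it splits the submitted field for all three formats shown above (SMS code, authenticator code, recovery code), and keeps recovery codes as single-use hashes so that a used code cannot be reused and a leaked table does not expose the live codes. The regex, the hashed store and the `generate_recovery_codes` format are this example's own assumptions, modelled on the page's sample values.

```python
import hashlib
import hmac
import re
import secrets

# Submitted password field: "<password> wf<code>".  The code is digits from an
# SMS or authenticator app (the page shows 4- and 6-digit examples) or a
# recovery code of four 4-character hex groups.  The password part is greedy,
# so the split happens at the LAST " wf" that is followed by a valid code.
_FIELD_RE = re.compile(
    r"^(?P<password>.+) wf(?P<code>\d{4,8}|[0-9a-fA-F]{4}(?: ?[0-9a-fA-F]{4}){3})$"
)


def split_password_and_code(submitted: str):
    """Return (password, code); code is None when the field holds only a password."""
    m = _FIELD_RE.match(submitted)
    if not m:
        return submitted, None
    return m.group("password"), m.group("code")


def _normalize(code: str) -> str:
    # Spaces and letter case are presentation only; compare on the hex digits.
    return code.replace(" ", "").lower()


def hash_recovery_code(code: str) -> str:
    """Store only a digest.  The codes carry 64 random bits, so an unsalted
    SHA-256 is not guessable offline, and a database leak yields no usable code."""
    return hashlib.sha256(_normalize(code).encode()).hexdigest()


def generate_recovery_codes(count: int = 5):
    """Constructed format matching the page's example ("2ad4 3a8b d727 2938")."""
    return [" ".join(secrets.token_hex(2) for _ in range(4)) for _ in range(count)]


class RecoveryCodeStore:
    """Hashed, single-use recovery codes for one user (example design)."""

    def __init__(self, codes):
        self._unused = {hash_recovery_code(c) for c in codes}

    def consume(self, code: str) -> bool:
        """True at most once per code: the matching digest is removed on success."""
        digest = hash_recovery_code(code)
        for stored in list(self._unused):
            if hmac.compare_digest(stored, digest):
                self._unused.remove(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    # Constructed walk-through using the page's own sample values.
    for field in ("w0rdf3nce#! wf5246", "w0rdf3nce#! wf123456",
                  "MyPassword wf2ad4 3a8b d727 2938"):
        print(field, "->", split_password_and_code(field))
    store = RecoveryCodeStore(["2ad4 3a8b d727 2938"])
    print("first use:", store.consume("2ad4 3a8b d727 2938"))
    print("second use:", store.consume("2ad4 3a8b d727 2938"))
```

When `remaining()` reaches zero the user is in the situation the last paragraph describes: the sensible response is to remove the user's cellphone sign-in settings and set them up again, which issues a fresh set of codes rather than reviving old ones.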