This documentation is only valid for older versions of Wordfence. If you are using Wordfence 7 or later, please visit our new documentation.

Cellphone sign-in

From Wordfence Documentation
Revision as of 20:14, 21 June 2016 by WFMattr (Talk | contribs)


Wordfence's Cellphone Sign-in uses a technique called "Two-Factor Authentication", which is used by banks, government agencies and militaries worldwide. It is one of the most secure forms of remote system authentication, and it is now available from Wordfence for your WordPress website.

This method of signing into your website relies on something you know and something in your possession. That is why it is referred to as two-factor: two factors are involved in authenticating you.

In this case you know your password and you are in possession of your cellphone. If we can verify both of these, then we know that it's OK to allow you to access your website as an administrator.

Wordfence cellphone sign-in is designed to be used mainly by site administrators and those with high level access e.g. with publisher access. Please note that this is a premium feature which means you need to purchase a premium Wordfence key from our website at to activate cellphone sign-in.

Activating Cellphone Sign-in for a user

When activating cellphone sign-in for users in Wordfence, you need to do it for each individual user. NOTE: We strongly recommend that you create a test user on your website and activate cellphone sign-in for that test user. You can use your own cellphone number and the username of the test user to activate cellphone sign-in. Then sign out and sign in as that user using cellphone sign-in (see steps below) to verify that cellphone sign-in is compatible with your website. Once you've verified it works, you can activate cellphone sign-in on your administrator account or accounts.

You need to complete the following steps to activate cellphone sign-in.

  1. The first step is to enter the username of the user who you want to enable cellphone sign-in for.
  2. Then enter their phone number below the username, starting with a plus (+) character to indicate the country code. You may separate the country code, area code and number using dashes; this separation is not required and is mainly there to help you read the number correctly. Note that you may have to remove the leading 0 before the area code.
  3. Click the button to enable cellphone sign-in.
  4. A code will be sent to the user's phone. Ask the user what the code was and enter that code in the text field next to the label "Enter activation code".
  5. Click the 'Activate' button.
  6. Cellphone sign-in will now be activated for that user.

If you want to disable cellphone sign-in for a user, simply click the 'delete' link next to their username on the cellphone sign-in page.

Important note for admins: If you are adding multiple users to cellphone sign-in, you must enter the activation codes in the order in which you set the users up. If you add user A, user B and user C, enter the codes in that order when activating them (A, B, C).

How to sign-in using cellphone sign-in once activated

Here is how users who have cellphone sign-in activated need to sign-in:

  1. User enters their username and password as per normal and hits the login button.
  2. A unique code is sent to the user's phone via SMS, for example wf5246.
  3. User is shown a message asking them to re-enter their username and their password followed by a space and the code they were sent.
  4. User then re-enters their username.
  5. User enters their password, but this time adds a space character to the end of the password followed by the code they were sent. For example, if your password was w0rdf3nce#! you would enter w0rdf3nce#! wf5246
  6. User hits the login button and is signed in.

The reason we use this technique, rather than asking the user to enter the code in a separate form after they sign in, is that it lets you keep using your standard website login form for cellphone sign-in instead of having to design a new form that asks for the code sent to the user's cellphone. It is a way to drop a two-factor authentication system into your existing website very easily, without any redesign.

Security Options

Require Cellphone Sign-in for all Administrators

If you enable this option, any new admins cannot sign in until Cellphone Sign-in has been set up for their logins. At least one user must have Cellphone Sign-in enabled for this option to take effect. This can help stop attackers who create an admin login in your database outside of WordPress, or through a vulnerable plugin. On multisite installations, the option applies to super-admin accounts, but not regular admins.
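As an added illustration (this is a constructed model, not code from the Wordfence plugin), the following Python class walks through the two-step flow from the sign-in section above and the "Require Cellphone Sign-in for all Administrators" option: the code is split from the password at the last space, it is single-use and time-limited, and an un-enrolled admin is locked out once any user is enrolled. The one-hour code validity, the "wf" plus four-digit code shape, and the injected `send_sms` callable and `now` clock are assumptions made so the model runs offline.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 3600  # assumption: a code stays valid for an hour, matching the resend window


def _eq(a, b):
    # Constant-time comparison in bytes form so non-ASCII passwords do not raise a TypeError.
    return hmac.compare_digest(a.encode(), b.encode())


class SmsTwoFactorModel:
    """Constructed model of the two-step sign-in flow; not Wordfence's own code."""

    def __init__(self, send_sms, now=time.time, require_for_admins=False):
        self.send_sms = send_sms        # callable(phone, code), injected so the model runs offline
        self.now = now                  # injectable clock so expiry can be exercised in tests
        self.require_for_admins = require_for_admins
        self.users = {}                 # username -> {"password", "phone", "is_admin"}
        self.pending = {}               # username -> (code, issued_at)

    def add_user(self, username, password, phone=None, is_admin=False):
        self.users[username] = {"password": password, "phone": phone, "is_admin": is_admin}

    def login(self, username, submitted):
        user = self.users.get(username)
        if user is None:
            return "denied"
        if user["phone"] is None:
            # "Require Cellphone Sign-in for all Administrators": an un-enrolled admin is
            # locked out once at least one user has cellphone sign-in enabled.
            anyone_enrolled = any(u["phone"] for u in self.users.values())
            if self.require_for_admins and user["is_admin"] and anyone_enrolled:
                return "denied"
            return "ok" if _eq(submitted, user["password"]) else "denied"
        # Step 1: the password alone is correct -> issue a code and ask the user to sign in again.
        if _eq(submitted, user["password"]):
            code = "wf%04d" % secrets.randbelow(10000)   # same shape as the page's "wf5246"
            self.pending[username] = (code, self.now())
            self.send_sms(user["phone"], code)
            return "code_sent"
        # Step 2: "<password> <code>". Split on the LAST space so a password that itself
        # contains spaces still works; a wrong password is rejected before the code is looked at.
        password, sep, code = submitted.rpartition(" ")
        if not sep or not _eq(password, user["password"]):
            return "denied"
        issued = self.pending.get(username)
        if issued is None or self.now() - issued[1] > CODE_TTL_SECONDS:
            return "denied"
        if not _eq(code, issued[0]):
            return "denied"
        del self.pending[username]      # single use: the same code cannot be replayed
        return "ok"
```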

Important Information regarding the Limit Login Attempts plugin

If you are running the Limit Login Attempts plugin and are using our Two-Factor Authentication, the first login (username and password only) that sends our code is counted against the total that the Limit Login Attempts plugin uses to determine whether you will be locked out. This should be addressed in the next Wordfence release.

Please also be aware that the Limit Login Attempts plugin is unsupported, hasn't been updated since 2012, and isn't even listed as compatible with any WordPress version past 3.3.2. As always, Wordfence would like to remind you that using outdated, unsupported plugins is not recommended and puts your site at risk.

Resending an authorization code
This ONLY works if done within the same hour you tried the normal method.