WordPress powers over 43% of all websites on the internet, making it a prime target for cyber attacks. Every day, millions of brute force attacks attempt to breach WordPress login pages using automated scripts that guess usernames and passwords. If you’re serious about WordPress security, adding Two-Factor Authentication in WordPress isn’t optional—it’s essential.
Cisco DUO offers an enterprise-grade, free solution that transforms your WordPress login from a single point of failure into a fortified security checkpoint. Unlike basic authentication plugins, DUO provides the same level of protection used by Fortune 500 companies, government agencies, and security-conscious organisations worldwide—completely free for up to 10 users.
Why Choose Cisco DUO for 2-Factor Login in WordPress?
Cisco DUO stands apart from other authentication solutions with enterprise-grade security at zero cost. You get the same robust infrastructure that protects major corporations—stopping 99.9% of automated attacks. The Universal Prompt provides a simplified, accessible login experience with enhanced security features and improved usability.
DUO supports multiple authentication methods including push notifications, SMS codes, phone callbacks, hardware tokens, and biometric verification. Users can enrol themselves during their first login in less than two minutes with no technical knowledge required. The platform maintains detailed audit logs of all authentication attempts, making it invaluable for security audits and compliance requirements. DUO operates on a zero-trust security model, verifying every login attempt regardless of the user’s history or location.
Prerequisites for Setting Up 2-Factor Verification
Before implementing DUO’s authentication system, ensure your WordPress installation meets these requirements:
Your WordPress site must be accessible via a valid HTTPS URL. DUO requires secure connections to maintain authentication integrity. The URL must use an RFC-1034-compliant hostname (not an IP address) with a maximum length of 1024 characters.
You’ll also need administrative access to both your WordPress dashboard and the ability to install plugins. If you’re using shared hosting, verify that your hosting provider doesn’t restrict plugin installations or HTTPS access.
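A quick way to check the URL requirement before touching the DUO Admin Panel is to validate it programmatically. The following is an added example, not code from the article or from Cisco DUO: it checks the three conditions the prerequisites state (HTTPS scheme, an RFC 1034 hostname rather than an IP address, and the 1024-character limit the article gives) and returns a list of problems, so an empty list means the URL passes.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Maximum URL length as stated in the article's prerequisites.
MAX_URL_LEN = 1024
# RFC 1034 label: letters, digits and hyphens, 1-63 characters,
# and a hyphen may not start or end the label.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_duo_site_url(url: str) -> list[str]:
    """Return the list of prerequisite violations for a WordPress site URL.

    An empty list means the URL satisfies the stated DUO requirements.
    """
    problems = []
    if len(url) > MAX_URL_LEN:
        problems.append(f"URL longer than {MAX_URL_LEN} characters")

    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        problems.append("scheme must be https")

    host = parts.hostname
    if not host:
        problems.append("missing hostname")
        return problems

    # DUO requires a DNS name; reject IPv4 and IPv6 literals.
    try:
        ipaddress.ip_address(host)
        problems.append("hostname is an IP address; a DNS name is required")
        return problems
    except ValueError:
        pass

    # Validate each dot-separated label against the RFC 1034 pattern.
    for label in host.rstrip(".").split("."):
        if not LABEL_RE.match(label):
            problems.append(f"label {label!r} is not RFC 1034 compliant")
    return problems


if __name__ == "__main__":
    for candidate in ("https://blog.example.com/wp-login.php",
                      "http://blog.example.com/",
                      "https://192.0.2.10/",
                      "https://my_blog.example.com/"):
        print(candidate, "->", check_duo_site_url(candidate) or "OK")
```

Run it against the exact URL you will register in DUO; the hostnames in the script's own demo loop are constructed placeholders.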
Step 1: Create Your Free DUO Account
Navigate to the DUO Security website and sign up for a free account. The registration process is straightforward—you’ll need a valid email address and basic organisational information. DUO’s free tier supports up to 10 users, which is perfect for small businesses, personal websites, and development environments.

After email verification, you’ll receive access to the DUO Admin Panel, where you’ll configure your WordPress application. This centralised dashboard controls all aspects of your authentication security.
Step 2: Configure Your WordPress Application in DUO
Log in to the DUO Admin Panel and navigate to Applications → Application Catalog. This catalogue contains pre-configured integrations for hundreds of applications, including WordPress.
Locate the WordPress entry labelled with “2FA” and click the + Add button. DUO will generate three critical pieces of information:
- Client ID (previously called Integration key)
- Client Secret (previously called Secret key)
- API Hostname
Copy these credentials immediately and store them securely. You’ll need them to configure the WordPress plugin. Treat your Client Secret like a password—never share it via email or store it in plain text.
Grant User Access
By default, new DUO applications don’t allow any users to log in until you explicitly grant access. This security-first approach prevents accidental exposure. Navigate to the User Access settings and choose one of two options:
- Grant access to selected DUO groups
- Grant access to all users
For initial setup and testing, grant access to yourself or a test user account. You can refine these permissions later as you roll out 2-factor login in WordPress across your organisation.
Step 3: Install the DUO Universal Plugin from WordPress
Log in to your WordPress Dashboard with administrator privileges. Navigate to Plugins → Add New in the left sidebar. In the search box, type “Duo Universal” and press enter.
Locate the official Duo Universal plugin in the search results. You’ll recognise it by the DUO Security logo and the developer name. Click Install Now and wait for WordPress to download and install the plugin.
After installation completes, click the Activate Plugin button. WordPress will reload, and you’ll see a confirmation message indicating successful activation.
Step 4: Configure the DUO Universal Plugin
After activation, click the Settings link that appears beneath the DUO plugin name, or navigate to Settings → Duo Universal from the WordPress dashboard menu. Paste the three credentials you copied from the DUO Admin Panel:
- Client ID: Paste your DUO Client ID
- Client Secret: Paste your DUO Client secret
- API Hostname: Paste your DUO API hostname
Configure Failmode Behaviour
The “Failmode” setting determines how the plugin behaves if DUO’s authentication service becomes temporarily unreachable. This is a critical security decision:
Open Failmode (Default): Allows users to log in if MFA is unavailable. This ensures your website remains accessible during service disruptions but temporarily reduces security.
Closed Failmode: Denies all login attempts if DUO cannot be contacted. This maintains maximum security but could lock everyone out during outages.
For most websites, leave this set to open. The risk of a DUO service outage is extremely low, but the potential business impact of a locked website can be significant. If that risk concerns you, change it to closed, but make sure you have FTP, SSH or hosting panel access to WordPress as a fallback.
Select Protected User Roles
Choose which WordPress user roles require authentication. You have several options:
- Require 2FA only for Administrators
- Require 2FA for Administrators and Editors
- Require 2FA for all user roles
Security best practices recommend enabling 2-factor verification for at least Administrators and Editors, as these roles can make significant changes to your site.
Disable XML-RPC (Recommended)
The plugin offers an option to disable XML-RPC, which is a common attack vector. However, disabling XML-RPC prevents the use of offline weblog clients and the WordPress mobile app. If you rely on these tools, leave XML-RPC enabled. Otherwise, disable it for enhanced security. Unless you have a specific reason to keep XML-RPC enabled, disabling it shouldn’t affect your website in any way.
Click Save Changes to finalise your configuration.
Step 4.5: Set Up DUO Mobile App on Your Phone
Before you can test your setup, you need to install the DUO Mobile app on your smartphone and add your account. This step is crucial for enabling push notifications and generating authentication codes.
Download DUO Mobile
Download the DUO Mobile app from your device’s app store:
- iOS: Search for “Duo Mobile” in the App Store
- Android: Search for “Duo Mobile” in Google Play Store
Install the app and open it on your phone.
Add Your WordPress Account to DUO Mobile
When you first log in to your WordPress site after configuring the plugin, you’ll be prompted to set up 2-factor verification. The screen will display a QR code along with instructions.
Open the DUO Mobile app on your phone and tap the + button or Add Account option. The app will request permission to access your camera—grant this permission so you can scan the QR code.
Tap Scan QR Code and point your phone’s camera at the QR code displayed on your computer screen. The app will automatically recognise and save your WordPress account.
You can customise the account name and logo if desired. Once saved, the DUO Mobile app will start generating time-based one-time passwords (TOTP) for your WordPress site and be ready to receive push notifications.
If you can’t scan the QR code, most screens also display a manual entry code that you can type into the DUO Mobile app instead.
Step 5: Test Your Two-Factor Authentication in WordPress Setup
Testing is crucial to ensure everything works correctly before rolling out authentication to all users. Open a private browsing window (incognito mode) to test without logging out of your current session.
Navigate to your WordPress login page using the full hostname or fully-qualified domain name URL (not an IP address). Enter your username and password as normal.
After successful password verification, WordPress redirects you to the DUO Universal Prompt. This modern, streamlined interface presents your authentication options:
- Send Me a Push: Receive a push notification on your smartphone through the DUO Mobile app
- Call Me: Receive an automated phone call to verify your identity
- Enter a Passcode: Manually enter a code from the DUO Mobile app or a hardware token
Choose your preferred method and complete authentication. The DUO Universal Prompt validates your identity and redirects you back to WordPress, completing the login process.
If authentication succeeds, congratulations—your 2-factor login in WordPress is working correctly!
Troubleshooting Authentication Issues
If you encounter problems with your DUO setup and need to regain access to your site, you can temporarily disable the plugin. Connect to your website via FTP or your hosting control panel’s file manager, navigate to the /wp-content/plugins/ directory, and rename the duo-universal folder to duo-universal-disabled. This will deactivate the plugin and allow you to log in with just your password. Once you’ve resolved the issue, rename the folder back to duo-universal to reactivate protection.
For additional assistance, consult the DUO WordPress documentation or visit the DUO Community discussions. For critical issues, simply disable the plugin.
Why DUO Is Superior to Alternative Solutions
After implementing 2-step verification across dozens of websites including self-hosted sites using Authelia, I found that DUO was just better than any alternatives. The feel of using a Mobile App that prompts you to ensure you are logging in is unparalleled. I did try multiple user accounts and DUO allows up to 10 users for free. It can also protect SSH access, VPN connections, and other platforms (I already mentioned I use Authelia for my self-hosted services).
I guess the combination of enterprise-grade authentication, a very user-friendly Universal Prompt interface on mobile, and zero cost for up to 10 users makes DUO my preferred choice. On top of DUO, I also enabled Google Authenticator so I have like a dual two-factor authentication check before I can log in. Yes I know it’s a little bit over the top, but I don’t mind and honestly I love getting the mobile prompt from DUO on my phone and SmartWatch. If you’ve followed this guide to install DUO’s free authentication solution, let me know how it went.
That’s it, Enjoy!