Advice for CMS users
1 – Download the Google Authenticator app for your iOS or Android mobile device.
2 – On your laptop, log in to your CMS.
3 – In the CMS, look for the Two Factor Authentication plugin settings: on the left-hand side of the CMS you will see the link “Two Factor Authentication”.
4 – Once the page in the CMS loads you will see a QR code displayed on the page.
5 – On your mobile device, use the Google Authenticator app to scan the QR code.
6 – Check that this website has been added to your Google Authenticator app: look for your website name in the app.
7 – Once you have checked that your website is listed in the Google Authenticator app on your mobile device, you can safely turn on MFA. Do this in the CMS by clicking the option “Enabled” to enable MFA and then clicking “Save Changes”.
Logging in with MFA enabled for CMS users
Next time you log in, you will also need to have with you the device you used to set up MFA.
1 – Log in to your CMS with your usual username and password.
2 – Open Google Authenticator on the device you used to register MFA.
3 – Type the code for your website from Google Authenticator into the field on the CMS screen.
4 – You should now be logged in.
Advice for webmasters installing the plugin
Install the plugin across the network.
https://wordpress.org/plugins/two-factor-authentication/
Consider using the pro version of the plugin.
https://www.simbahosting.co.uk/s3/product/two-factor-authentication/
Advice for webmasters adding MFA to all profiles
Notify users of planned work and provide instructions for setting up MFA.
After a given period, view all users and set every user without MFA to the subscriber role.
/wp-admin/users.php
Ask subscriber users to notify you when they have set up MFA, and then escalate their privileges.
Check periodically that MFA is still enabled.
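One way to run the audit and demotion steps above with WP-CLI, as an added example that is not part of the original page or the plugin's own code. It assumes WP-CLI is installed and that the plugin records per-user activation in the user meta key `tfa_enable_tfa` (an assumption to confirm on your own site); the function names are hypothetical.

```shell
# Added example: audit MFA enrolment with WP-CLI and demote unenrolled users.
# ASSUMPTION: the plugin stores a truthy value in this user meta key when a
# user has MFA enabled. Confirm the key on your own site before relying on it.
MFA_META_KEY="${MFA_META_KEY:-tfa_enable_tfa}"

# Print "ID,login,roles" for every user whose MFA meta value is not truthy.
users_without_mfa() {
    wp user list --fields=ID,user_login,roles --format=csv |
    tail -n +2 |                                   # drop the CSV header row
    while IFS=, read -r id login roles; do
        # A missing meta key makes wp exit non-zero; treat that as "not enrolled".
        val=$(wp user meta get "$id" "$MFA_META_KEY" </dev/null 2>/dev/null || true)
        case "$val" in
            1|true|yes) ;;                         # enrolled, leave alone
            *) printf '%s,%s,%s\n' "$id" "$login" "$roles" ;;
        esac
    done
}

# Demote each unenrolled user who is not already a subscriber.
# Dry run by default: nothing changes unless the first argument is "--apply".
demote_users_without_mfa() {
    mode="${1:-}"
    users_without_mfa | while IFS=, read -r id login roles; do
        if [ "$roles" = "subscriber" ]; then continue; fi
        if [ "$mode" = "--apply" ]; then
            wp user set-role "$id" subscriber </dev/null >/dev/null &&
                echo "demoted $login (was $roles)"
        else
            echo "would demote $login (currently $roles)"
        fi
    done
}

# Usage, from the WordPress install directory:
#   demote_users_without_mfa            # review the list first
#   demote_users_without_mfa --apply    # then apply the role change
```

Review the dry-run output before applying, so that an administrator who has not yet enrolled is not demoted by surprise.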
Advice for webmasters with a user who has lost an MFA device, using the free version of the plugin
- Request a config change to de-activate MFA.
- Get the user to log in and set up MFA.
- Request a config change to re-activate MFA.
Advice for webmasters with a user who has lost an MFA device, using the pro version of the plugin
1 – Visit the plugin settings page /wp-admin/options-general.php?page=two-factor-auth
2 – Look for the user settings
3 – Find the user who is locked out.
4 – Deactivate 2FA
5 – Get the user to log in, enable MFA and notify you.
6 – Find the user again and re-enable MFA.