If you’re a WordPress admin who runs a membership site, you probably already know that security is a top priority—and two-factor authentication (2FA) is one of the best ways to keep your site secure.
However, it’s important to understand when and how to use 2FA, as it doesn’t necessarily suit all use cases. In fact, it could even compromise the user experience and inconvenience your members.
So, how do you choose?
In this post, we’ll discuss the benefits of using 2FA on your membership site, when to use it, how to implement it, and the potential issues you could encounter when using 2FA plugins.
We’ll also talk about the importance of choosing the right 2FA plugin, our 2FA plugin recommendations, and how to set it up for specific user roles, including admins.
The Basics of Two-Factor Authentication
Two-factor authentication is a security process that requires users to provide two different forms of identification to access their accounts. Typically, this involves something the user knows (a password) and something the user has (a verification code sent to their phone, email, or an authenticator app).
By requiring two distinct forms of identification, 2FA makes it much more difficult for unauthorized users to gain access to an account. This is especially important for membership site admin accounts, where sensitive member information and payment details may be at risk.
Choosing the Right 2FA Plugin
When it comes to implementing 2FA on your membership site, you have a few options. If you’re looking for a straightforward 2FA plugin, we recommend Two-Factor.
Other popular plugins that offer 2FA, in addition to broader security features, include:
It’s important to choose a high-quality, well-coded 2FA plugin that is compatible with the core WordPress login screen. This will ensure that your chosen plugin works seamlessly with your site and doesn’t cause any issues with the frontend login.
Configuring 2FA for Specific User Roles
One of the key benefits of using a 2FA plugin is the ability to configure it for specific user roles. For example, you might want to require only your administrators to use 2FA, while allowing your members to log in with just a password.
This is why we recommend setting up 2FA for the majority of membership sites we work with at Paid Memberships Pro.
To do this, simply configure your chosen 2FA plugin’s settings to require 2FA for the administrator role, while leaving other roles unaffected. This allows you to enhance the security of your site without inconveniencing your members or negatively impacting the user experience.
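The following must-use plugin is an added example (not code from Paid Memberships Pro or the Two-Factor plugin) showing how the "administrators only" policy can be enforced in code rather than relying on a plugin setting alone. It assumes the Two-Factor plugin is active and exposes `Two_Factor_Core::is_user_using_two_factor()`; the capability list, function names and query parameter are illustrative choices.

```php
<?php
/**
 * Plugin Name: Require 2FA for administrators (added example, not PMPro/Two-Factor code)
 *
 * Drop into wp-content/mu-plugins/. Assumes the Two-Factor plugin is active, so
 * Two_Factor_Core::is_user_using_two_factor() is available (assumption).
 * Administrators who have not enrolled a second factor are sent to their profile
 * page to set one up; subscriber/member accounts are never affected.
 */

// Capabilities that mark a "high-level" user. 'manage_options' identifies
// administrators; extend this list if editors or shop managers must enroll too.
const EXAMPLE_REQUIRE_2FA_CAPS = array( 'manage_options' );

function example_user_must_use_2fa( WP_User $user ) {
    foreach ( EXAMPLE_REQUIRE_2FA_CAPS as $cap ) {
        if ( user_can( $user, $cap ) ) {
            return true;
        }
    }
    return false;
}

function example_user_has_2fa( WP_User $user ) {
    // If Two-Factor is inactive we cannot verify enrollment, so fail closed.
    if ( ! class_exists( 'Two_Factor_Core' ) ) {
        return false;
    }
    return (bool) Two_Factor_Core::is_user_using_two_factor( $user->ID );
}

add_action( 'admin_init', function () {
    $user = wp_get_current_user();
    if ( ! $user->exists() || ! example_user_must_use_2fa( $user ) || example_user_has_2fa( $user ) ) {
        return; // not logged in, not a high-level user, or already enrolled
    }
    // Allow the profile screen (where Two-Factor enrollment lives) and AJAX to load;
    // block every other admin screen until a second factor is configured.
    $pagenow = $GLOBALS['pagenow'] ?? '';
    if ( in_array( $pagenow, array( 'profile.php', 'admin-ajax.php' ), true ) ) {
        return;
    }
    wp_safe_redirect( add_query_arg( 'require_2fa', '1', get_edit_profile_url( $user->ID ) ) );
    exit;
} );

add_action( 'admin_notices', function () {
    if ( isset( $_GET['require_2fa'] ) ) {
        echo '<div class="notice notice-error"><p>Administrators must enable two-factor authentication before using the dashboard. Configure it in the Two-Factor section below.</p></div>';
    }
} );
```

Members who log in through the PMPro frontend page never hit `admin_init`, so their experience is unchanged; only capability holders are redirected.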
In most cases, it’s only necessary to require 2FA for administrators or other high-level users. However, there may be rare instances where you want all of your users to use 2FA.
In such cases, it’s important not to use the Paid Memberships Pro frontend login page. Instead, set your login page setting to ‘use WordPress default’ and delete the page generated by Paid Memberships Pro.
Or, if your 2FA plugin of choice includes a frontend login shortcode or block, you can replace the default PMPro login page shortcode or block with their required content.
Using the Default WordPress Login Screen
Subscriber-role users and any other users that don’t require 2FA can still use the PMPro frontend login page—even if you choose a 2FA plugin that is not compatible with Paid Memberships Pro.
Just remember to use the core WP login page at domain.com/wp-login.php and make sure your admins are using it as well. This core WordPress login screen is accessible to all users and should work seamlessly with any high-quality 2FA plugin.
Once a user logs in through the default WordPress login screen, they will be redirected to an access-appropriate view on the site. Subscriber-role users will be directed to the Membership Account page, while higher-role users will be directed to the WordPress admin area.
Potential Issues with 2FA Plugins
While 2FA can significantly enhance the security of your membership site, there are some potential issues to be aware of. For example, a poorly-coded 2FA plugin may cause conflicts with other plugins or your site’s theme, resulting in unexpected behavior or broken functionality.
This is why it’s crucial to choose a high-quality, well-coded 2FA plugin from a reputable developer.
Another potential issue is that some 2FA plugins may not be compatible with the frontend login page provided by Paid Memberships Pro. If you encounter this problem, simply switch to using the default WordPress login page, as mentioned earlier.
Lastly, implementing 2FA for all users on your membership site may lead to a negative user experience for your members. Requiring 2FA for every user could result in frustration, especially if they’re not accustomed to using this type of authentication.
It’s generally best to limit 2FA requirements to administrators and other high-level users, unless there’s a specific reason to enforce it site-wide.
A Quick Word About Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) is an advanced security protocol requiring users to verify their identities using at least two different authentication methods before they can access your site.
For example, this could be a combination of:
- a password and a push notification, or
- an SMS text message and Google Authenticator code
MFA significantly reduces the risk of unauthorized access, as it adds an extra layer of security beyond just a username and password.
If you need MFA with a broader range of authentication options that can be selected by the individual user, you might consider using a more robust plugin than those already mentioned in this post. While we don’t have personal experience with multi-factor authentication, we have received recommendations from partners that the WordPress Single Sign-On SSO solution by miniOrange is a good place to start.
To learn more, check out our post on How to Use Single Sign On (SSO) to Enhance the Member Experience.
Conclusion
Two-factor authentication is a powerful security tool that can significantly enhance the protection of your membership site. By carefully choosing a high-quality 2FA plugin and configuring it for specific user roles, you can strengthen your site’s security without negatively impacting the user experience for your members.
In most cases, it’s best to require 2FA for administrators and other high-level users, rather than enforcing it for all members. If you do decide to require 2FA for all users, be sure to use the default WordPress login screen and avoid the Paid Memberships Pro frontend login page.