• Resolved cmeurer

    (@cmeurer)


    I just installed this plugin based on so many great reviews. My MAIN goal was to use 2FA since we’ve been getting a ton of failed login attempts lately (yes I changed the password). So I set up the plugin and had my sister try to login. She could, no problem! No 2FA required. WHY?!? I have every single type of user checked (just tried to upload my screenshot here but getting this error, and have no more patience left to figure it out “File uploading is disabled. Please use an image block and an external image URL.”)

    Thanks for any help 🙂

    • This topic was modified 3 years ago by cmeurer.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @cmeurer

    2FA needs to be set up by each user so they can scan the barcode to generate a code in the app for each login.

    If you have too many failed logins, enable WP Security > Brute force > Rename login page – it will provide a new login URL so bots cannot keep trying on wp-login.php

    Also, if stop user enumeration is not on, it might be the reason your admin username is exposed – WP Security > Miscellaneous > User enumeration tab, check there.

    The XML-RPC call wp_getUsersBlogs is trying to authenticate the user. – WP Security > Firewall > Basic firewall rules tab > Completely block access to XMLRPC, Disable pingback functionality from XMLRPC. Please check both and save.

    Regards

    Thread Starter cmeurer

    (@cmeurer)

    Thank you! A few more questions:

    2FA needs to be set up by each user so they can scan the barcode to generate a code in the app for each login.
    Where do I find this barcode?

    If you have too many failed logins, enable WP Security > Brute force > Rename login page – it will provide a new login URL so bots cannot keep trying on wp-login.php
    Great! But this message worries me and so I am afraid to do it as I have no idea what this means or if my host (Bluehost) does this: If you are hosting your site on WPEngine or a provider which performs server caching, you will need to ask the host support people to NOT cache your renamed login page

    Also, if stop user enumeration is not on, it might be the reason your admin username is exposed – WP Security > Miscellaneous > User enumeration tab, check there.
    Ok I checked that box

    The XML-RPC call wp_getUsersBlogs is trying to authenticate the user. – WP Security > Firewall > Basic firewall rules tab > Completely block access to XMLRPC, Disable pingback functionality from XMLRPC. Please check both and save.
    Done

    I do have Limit Login Attempts Reloaded installed which has many of the same settings as your plugin, in Login Lockout Options. Will they conflict? Should I delete that one?

    Thank you so much for your help!

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @cmeurer

    WP Security > Two factor auth has a barcode (QR code) like the one below to scan, which should be scanned in an app like Google Authenticator so it will give a new OTP every seconds to input as the 2FA code.

    https://snipboard.io/fd26AG.jpg

    Please cross-check whether the renamed login page is cached; it should be allowed to exclude.

    Yes, you should enable either login attempt or login lockout only.

    Regards


The topic ‘Why doesn’t 2FA work? Just installed…’ is closed to new replies.