Wordfence
Support for Wordfence login questions and issues
The School of Information uses the Wordfence security program across our extensive WordPress infrastructure. This site is intended to provide support for students and faculty who have Wordfence-related issues or questions when logging into WordPress.
Two-Factor Authentication: For users who are new to Two-Factor Authentication (2FA), we strongly recommend that you review all of the articles below for instructions on how to set up 2FA for your iSchool WordPress account(s). 2FA is now mandatory for all iSchool WordPress users.
Overview of Two-Factor Authentication (2FA)
The School of Information is now requiring 2FA (Two-Factor Authentication) for all WordPress sites. Specifically, the security software that we use, called Wordfence, requires “TOTP” authentication (Time-based One-Time Passwords) through one of the following apps:
- Duo
- Google Authenticator
- FreeOTP Authenticator
- 1Password (mobile and desktop versions) See: 1Password help
- LastPass Authenticator
- Microsoft Authenticator
- Authy 2-Factor Authentication
- Any other authenticator app that supports Time-Based One-Time Passwords (TOTP)
If you are already using one of the above apps, then you will be able to use your existing authentication app to log into iSchool WordPress sites using TOTP. It is very likely that you are, at least, already using Duo for SJSU SSO sign-on, and consequently you can use Duo for iSchool Wordfence sign-on as well.
CRITICAL NOTE: We strongly suggest that you utilize the “Backup Code” feature mentioned below, and download a set of backup codes when setting up 2FA for your WordPress account.
What is 2FA?
“Two-factor authentication” is an additional login security feature that is used by banks, government agencies, and the military worldwide. It is also increasingly becoming standardized as a “best practice” across all industries. It is one of the most secure forms of remote system authentication. This method of logging in to your site relies on something you know and something in your possession. That is why it is referred to as “two-factor”: two factors are involved in authenticating you.
In this case, you know your password and you are in possession of your cell phone or another authenticator device. If we can verify both of these, then we know that it is okay to allow you to access your site.
How to enable two-factor authentication
In Wordfence, two-factor authentication uses an authenticator application for better security and reliability, instead of SMS text messages or emails.
First, choose an authenticator application to use, if you do not already have one installed on a cell phone or tablet. Choose from the list of TOTP apps mentioned above. As discussed, if desired you can use Duo for this purpose, since you are already using Duo as part of your SJSU experience.
After installing your preferred 2FA app on your mobile device, do the following in order to enable 2FA for your iSchool WordPress account:
For Subscribers and Editors:
1. Log into WordPress in the normal way.
2. After logging in, you’ll be taken to your user profile page, and you’ll see the following prompt at the top of the page:
3. To proceed with 2FA configuration, you can either click on the “Configure 2FA” link included in the above prompt, or you can click on the “Login Security” link on the left navigation menu:
4. On the “Login Security” page, you’ll see the following items:
5. Open your authenticator application on your mobile device and add a new entry. Most apps have a plus sign symbol or a tiny QR code symbol.
6. Use your authenticator app to scan the QR code on the “Login Security” page:
7. Your authenticator application should then display a six-digit code. Here is an example of what the entry looks like in the Duo authentication app after you have added an entry for the WordPress site in question:
8. Next, in the “Download recovery codes” section, click the “Download” button. This will allow you to download your recovery codes. Recovery codes can be used if you lose your mobile device that has your authenticator app. Print or save the file with your recovery codes, and store it in a safe place:
Important Note: It is very important that you do not skip this step. Although the recovery code section states that it is optional, we would like to emphasize that it is an extremely important step and we do NOT consider it optional.
9. Finally, in the “Activate” field, enter the six-digit code that is currently being shown on your authenticator app, and then click on the “Activate” button. This completes your Wordfence 2FA enrollment for the WordPress site in question:
10. From now on, after you successfully log into the WordPress site, you will receive the following additional prompt:
At that prompt, enter the six-digit code that is showing in your authenticator app, and then click on the Login button. The six-digit code changes every 30 seconds. If the code expires, you can enter the next code instead.
Note: If this is your first time setting up two-factor authentication on a site then you may want to try logging in to the site in a different browser, or in a private or incognito browser window, to check for any compatibility issues before logging out.
FOR ADMINISTRATORS:
The 2FA enrollment process is the same for administrators, except for the location of the “Login Security” menu. Administrators will need to click on the “Wordfence” link on the left navigation menu, and then click on the “Login Security” option:
Important Note: The School of Information IT Team issues administrator privileges to specific faculty and staff with a level of implicit trust. We ask that administrators DO NOT access or change any of the site-wide Wordfence settings that the School of Information IT Team has configured. Should you do so, it is grounds for revocation of administrator privileges. Thank you for respecting this policy.
How to log in with two-factor authentication
1. Enter your username and password and press the “Log In” button.
2. When the “2FA Code” prompt appears, enter the code from your authenticator application.
3. If you use two-factor authentication for multiple sites, be sure to pick the correct site.
4. Press the “Log In” button.
Quick Login
If you prefer a slightly quicker method, or if you do not see the “2FA Code” prompt, you can also enter a two-factor authentication code directly after your password, in the same field:
1. Enter your username and password, but do not press the “Log In” button yet.
2. Immediately after your password, enter the code from your authenticator application. For example, if your password is w0rdf3nce#! and the code is 233455 then enter w0rdf3nce#!233455
3. Press the “Log In” button.
How to use recovery codes
The recovery codes that you saved or printed during setup can be used if you ever lose your authenticator device, if you remove the application, or you remove your site’s entry by mistake. Make sure that you store these codes in a safe place.
Because they do not expire, recovery codes are longer than normal codes. They are 16 letters and numbers instead of only 6 numbers, but each code can only be used once. An example recovery code looks like 5199 5c24 77dc 0ed7.
The login process is the same as using a code from an authenticator application:
1. Enter your username and password and press the “Log In” button.
2. When the “2FA Code” prompt appears, enter a recovery code. (Remember that recovery codes are longer than regular two-factor authentication codes.)
3. In this example, we would enter 5199 5c24 77dc 0ed7.
4. Press the “Log In” button.
Each recovery code can only be used once. You can generate new recovery codes on the “Login Security” page of your site. This is useful if you have used most of your codes, or if you lose the codes you previously saved or printed. Generating new codes will invalidate the previous codes.
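The properties described above (16 hex characters, whitespace-insensitive, single use, and a regenerated set invalidating the old one) are illustrated by this added Python example; it is not Wordfence's own implementation, and the store, hashing scheme and code count are assumptions made for the example.

```python
# Added illustrative example of server-side recovery-code handling; not Wordfence's code.
import hashlib
import hmac
import secrets

HEX = set("0123456789abcdef")


def generate_recovery_codes(count: int = 5) -> list[str]:
    """Return `count` fresh codes, each 16 hex characters shown in groups of four."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(8)                       # 8 random bytes -> 16 hex chars
        codes.append(" ".join(raw[i:i + 4] for i in range(0, 16, 4)))
    return codes


def normalize(code: str) -> str:
    """Make '5199 5c24 77dc 0ed7' and '51995C2477DC0ED7' compare equal."""
    return "".join(code.split()).lower()


def _digest(code: str) -> str:
    # Store only a hash, so a leaked store does not reveal usable codes.
    return hashlib.sha256(normalize(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Holds the hashes of a user's unused recovery codes."""

    def __init__(self, codes: list[str]):
        self.replace(codes)

    def replace(self, codes: list[str]) -> None:
        # Generating a new set invalidates every previously issued code.
        self._hashes = {_digest(c) for c in codes}

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, submitted: str) -> bool:
        """Accept a valid unused code exactly once, then forget it."""
        cleaned = normalize(submitted)
        if len(cleaned) != 16 or any(ch not in HEX for ch in cleaned):
            return False
        wanted = _digest(cleaned)
        match = next((h for h in self._hashes if hmac.compare_digest(h, wanted)), None)
        if match is None:
            return False
        self._hashes.discard(match)                      # single use
        return True
```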
Grace Period and Deactivating 2FA (which is disallowed)
When we initially set up Wordfence for a particular WordPress site, users will be given a 30-day “Grace Period” to activate 2FA on their WordPress account. If users fail to activate 2FA within the Grace Period, then their account will be automatically locked, requiring administrative intervention. In such a case, you will need to use the iSchool Tech Support Form to report your issue.
Because of the overall workload, lower priority will be given to trouble tickets for users who failed to set up 2FA within the 30-day Grace Period.
Once you have activated 2FA for your WordPress account, you will notice that there is an option to “Deactivate” 2FA. This is disallowed by policy, as all users need to keep 2FA enabled for their account. If you attempt to deactivate 2FA after the 30-day Grace Period has ended, then your WordPress account will automatically be locked and will require administrative intervention to unlock.
What if I lose or change my mobile device with the authenticator app?
If you lose or change your mobile device that has the authenticator app, then you’ll need to submit the iSchool Tech Support Form and report the issue. One of the iSchool WordPress IT Administrators will need to temporarily deactivate 2FA on your account, and you’ll then have to re-enroll in 2FA using your new mobile device.
Obtaining additional support
If the above information does not meet your needs, then please complete the iSchool Tech Support Form and tell us more about what you are experiencing that is not covered in the above instructions. Please be sure to select the WordPress option on the iSchool Tech Support form to ensure that your ticket is routed appropriately.