Two-Factor Authentication With MemberPress And WP 2FA Plugin

WordPress website security is paramount, especially when operating a membership site. Ensuring the utmost protection and preventing fake registrations is a top priority for keeping the integrity of your platform.

This documentation will explain how to add Two-Factor Authentication (2FA) to MemberPress using the WP 2FA plugin.

What is 2FA?

When enabled, 2FA requires website users to provide two authentication methods to access an online account or application.

This added layer of security protects against password attacks and even prevents fake registrations. It will help safeguard sensitive information, ensure regulation compliance, and foster user trust.

WP 2FA Plugin Features

WP 2FA has a rich feature set that provides a streamlined Two-Factor Authentication setup for your membership sites. These include:

• Multiple Authentication Methods: Offers various authentication options, including TOTP and email-based verification;
• User Role Customization: Allows specification of which user roles require 2FA, providing role-based security customization;
• Backup Codes: Users can generate backup codes for secure login alternatives if primary 2FA fails;
• Logging and Reporting: Provides detailed logs and reports to monitor user activity and 2FA usage;
• Integration Compatibility: Seamlessly works with other WordPress plugins, themes, and membership systems, such as Memberpress, for a unified user experience.

How To Set Up WP 2FA?

Before you start, make sure you have the following setup in place:

1. An active WordPress installation with admin access.
2. A fully operational membership website powered by the Memberpress plugin.

If you still haven’t built your membership site, check the “Getting Started With MemberPress” article to help you get started.

Installation

To enable Two-Factor Authentication, you will need to install the WP 2FA plugin by MelaPress. This user-friendly plugin simplifies implementing 2FA on your membership websites.

Go to your WordPress dashboard, navigate to Plugins > Add New, and type WP 2FA in the search bar. 

Next, install and activate the WP 2FA plugin.

Configuring the WP 2FA plugin

After a successful plugin activation, you’ll be directed to a wizard to configure two-factor authentication on your website.

This onboarding wizard walks you through a series of steps that help you set up 2FA without any difficulty, even for non-technical users. Everything set up with the help of the wizard can be changed or reconfigured from the plugin’s settings.

Click the “Let’s Get Started” button to start the wizard, and follow the steps to configure the plugin:

1. In the first step, you can select the authentication methods you wish to use on your site. There are two options and we suggest you use both:
   1. One-time code via 2FA App (TOTP) – this method will allow your members to use any supported authentication mobile app (Authy, Google Authenticator, Microsoft Authenticator, Duo Security, Lastpass, FreeOTP, or Okta Verify) for 2FA authentication and verification. This option is especially important in cases where your members lose access to their email and can’t use the second (email) method; 
   2. One-time code via email (HOTP) – with this method, your members will be able to get their 2FA codes over an email.

2. In addition to primary authentication methods, WP 2FA offers secondary options such as Backup Codes. You can enable this in the second step.
3. Next, the 2FA policies in the plugin allow you to choose whether to enforce 2FA and for whom:
   1. All users – this will enforce 2FA to all of your users including all Administrator users;
   2. Only specific users and roles – here you can enforce 2FA for specific users, or for all of your users with a certain user role assigned (e.g. by default, all your members will have the “Subscriber” user role);
   3. Do not enforce on any users – this option will allow your users a decide if they want to enable 2FA.

4. In the fourth step, you can also exclude individual users or user roles from the 2FA option you chose in the previous step. 
5. You can also provide a grace period for users to enable 2FA in the final step:

   1. Users have to configure 2FA straight away – this option will not allow users to access any page or post on your site after they log in, without setting the 2FA first;

   2. Give users a grace period to configure 2FA – this option will give users a set period to configure 2FA. In the meantime, your users will have access to your content (based on their membership). With this option, you can also select if members should have access to the dashboard. In addition, you can choose where the 2FA setup notification should be displayed, reminding them to set 2FA.

Click the “All Done” button to finish the setup. 

Creating 2FA Configuration Page For Members

Since typically members do not have access to the default WordPress dashboard, administrators can set the 2FA configuration page. This page is available to members on the front end and allows them to enable 2FA for their accounts.

This page should be configured from your dashboard:

1. Navigate to Dashboard > WP 2FA > 2FA Policies.
2. Scroll down to the “Frontend 2FA settings page” option and set it to Yes.
3. Provide a URL for the page where users can configure 2FA.

The plugin will automatically generate the page, which can be customized like any other WordPress page. On the same page, you can configure where your members should be redirected after they configure the 2FA setup.

Membership Registrations And 2FA

When a member registers for a membership or logs in, they will be automatically redirected to the Frontend 2FA settings page. On this page, they will be presented with the “Configure 2FA” button. 

This button will start an easy-to-follow wizard guiding them through the 2FA setup.

Adding 2FA To Custom Pages

Though the default WP 2FA configuration page is available out of the box, it might not always fit your needs. In this case, you might want to create a custom page and add a 2FA configuration option there. This could be a custom members area page or any other page you created for your members. 

WP 2FA plugin facilitates this feature by providing shortcodes. These shortcodes enable users to access the 2FA wizard on the custom front-end settings page. 

To do this, you can simply add the following shortcode to your custom page: 

[wp-2fa-setup-form]

Also, this should be the page to which MemberPress redirects members upon logging in (the “URL to direct member to after login” option at Dashboard > MemberPress > Settings > Account tab).

Preventing Fake Registrations

Fake registrations created for malicious activity (e.g. card testing) can create additional work and clutter in your backend. Two-factor authentification can also help you as an additional layer of protection against fake registrations. 

By default, once the membership registration form is submitted by a new user, MemberPress will create a WordPress user account. Also, it will at the same time assign a transaction and a subscription to that user.

To prevent transactions and subscriptions from being created for every fake user registration, you can split your registration process.

With this workaround, you would protect all your membership registration pages making them available only to existing users. Then, you would create a user flow that will ask a user to register for a WordPress account first. Once registered and logged in, your users will need to go through two-factor authentification.

They will be able to access the membership registration pages after that, as logged-in users.

Follow these steps to create this alternative registration process:

1. Navigate to Dashboard > MemberPress > Rules, and create a rule to protect each of your registration pages. Within Access Conditions for these rules, you should set access only for your default WordPress user role. Unless you change the default settings, this will be the “Subscriber” user role.
2. Next, enable the default WordPress user registration by enabling “Anyone can register” under the “Membership” option. You can find this option by navigating to Dashboard > Settings > General. 
3. Now, you will be able to use the default WordPress registration page. This page has the /wp-login.php?action=register slug (e.g. https://yourdomain.com/wp-login.php?action=register). You should link this page to all your registration buttons, links, and pages.
4. Also, you should set 2FA as mandatory for all users at Dashboard > WP 2FA > 2FA Policies. 

As a part of this flow, you could create a custom member area page. Here, you can add links to the user’s account page, membership registration pages or pricing page, etc. Then, it could serve as the page on which users would land upon finishing the two-factor authentification process. 

You would redirect users to this member area page after logging in. You can alternatively set this redirection to the MemberPress Account page or any page you would use as your members’ welcome page. 

With this workaround, only authorized users will be able to register for memberships. Thus, all subscriptions and transactions in your MemberPress backend will be related to users with confirmed emails.

Wrap Up

Adding the WP 2FA plugin to your MemberPress powdered site enhances your security and helps you maintain your members' trust.

WP 2FA simplifies 2FA implementation with user-friendly options and seamless integration with MemberPress during registration and login for administrators and members.