Two-Factor Authentication Configuration (Pro)

Version: 1.2.1 Pro
Last Updated: November 2025
Difficulty: Intermediate
Time Required: 20 minutes

Overview

This guide walks you through configuring Two-Factor Authentication (2FA) in Attributes User Access Pro, from initial setup to role-based requirements.

Before You Start

    • Verify Pro license: Ensure Pro version is activated
    • Test email delivery: Confirm emails arrive reliably
    • Create backup admin: Have secondary admin account as fallback
    • Plan rollout: Decide which roles require 2FA first
Important: Do not enable 2FA site-wide until you’ve tested email delivery and confirmed it works correctly!

Step 1: Access Security Settings

Navigate to settings:

WordPress Admin → Settings → Attributes User Access → Security
Find 2FA section:

Scroll to “Two-Factor Authentication” panel

Step 2: Test Email Delivery

Why Test First?

Critical: If emails don't arrive, users in roles that require 2FA cannot complete login and are locked out of their accounts. Always test first!

Send Test Email

Steps:
  • In Security settings, find “Email Testing” section
  • Enter your email address
  • Click “Send Test Email”
  • Check your inbox within 2 minutes
What to verify:
  • ✅ Email arrives within 1-2 minutes
  • ✅ Email not in spam/junk folder
  • ✅ Email content displays correctly
  • ✅ Sender address looks professional

Troubleshooting Test Emails

Email not received:
Solutions:
    • Check spam/junk folder
    • Wait 5 minutes (some servers delay)
    • Verify WordPress email settings
    • Check SMTP configuration (if using SMTP plugin)
    • Test with different email provider
    • Contact hosting support
Email in spam:
Solutions:
    • Configure SPF/DKIM records
    • Use proper sender name/address
    • Install SMTP plugin (WP Mail SMTP recommended)
    • Use transactional email service (SendGrid, Mailgun)

Step 3: Enable Two-Factor Authentication

Global Enable

Toggle 2FA on:

Enable Two-Factor Authentication: [ON]

Configuration:

2FA Method: Email (default)

Code Length: 6 digits (fixed)

Code Expiration: 10 minutes (fixed)

Click: Save Changes

Note: Enabling 2FA globally doesn't immediately require it for all users. You must configure role requirements next.

Step 4: Configure Role-Based Requirements

Select Roles Requiring 2FA

Available checkboxes:

☐ Require for Administrators
☐ Require for Editors
☐ Require for Authors
☐ Require for Contributors
☐ Require for Subscribers
☐ Require for Customers

Recommended Configurations

Configuration 1: High Security (Recommended)

For: Corporate, healthcare, financial sites

☑ Require for Administrators
☑ Require for Editors
☑ Require for Authors
☐ Require for Contributors
☐ Require for Subscribers
☐ Require for Customers

Rationale: Protect every user who can publish content or access sensitive data.

Configuration 2: Admin Only (Conservative)

For: Initial rollout, testing phase

☑ Require for Administrators
☐ Require for Editors
☐ Require for Authors
☐ Require for Contributors
☐ Require for Subscribers
☐ Require for Customers

Rationale: Start small, test thoroughly, then expand.

Configuration 3: All Staff (Maximum Security)

For: High-security environments, compliance requirements

☑ Require for Administrators
☑ Require for Editors
☑ Require for Authors
☑ Require for Contributors
☐ Require for Subscribers
☑ Require for Customers (if handling financial data)

Rationale: Maximum protection for every role that can change site content, plus customers where their accounts hold financial data.

Configuration 4: E-Commerce Focus

For: Online stores, WooCommerce sites

☑ Require for Administrators
☑ Require for Shop Managers (a role WooCommerce adds)
☐ Require for Customers (optional, see below)

Customer 2FA considerations:
    • Pros: Protects order history, payment methods, personal data
    • Cons: May reduce conversion rates, adds friction
    • Recommendation: Optional, or required only for high-value customers

Step 5: Configure Excluded Roles (Optional)

When to Use Exclusions

Common scenarios:
    • Support staff needing quick access
    • Service accounts for integrations
    • Emergency access accounts
    • Testing accounts

Security Risk: Each exclusion reduces overall security. An excluded role is a complete bypass: an attacker who obtains the password of any account in that role needs nothing else to log in. Only exclude when absolutely necessary and document the reason.

Add Excluded Roles

Steps:
    • In 2FA settings, find "Excluded Roles" section
    • Check roles to exclude from 2FA
    • Add notes explaining why (for documentation)
    • Save changes

Example:

☑ Support Staff - Quick troubleshooting access
☑ API Service Account - Integration requirement
☐ Emergency Admin - Keep secured

Step 6: Configure Email Settings

Sender Information

From Name:

Default: WordPress site name
Recommended: Your company/site name
Example: "Acme Corp Security"

From Email:

Default: wordpress@yourdomain.com
Recommended: noreply@yourdomain.com or security@yourdomain.com

Email Template

Subject Line:

Default: "Your verification code for [Site Name]"
Customizable: Yes

Email Body:

Customize the verification email content
Include branding, helpful instructions
Keep code prominent and easy to find

Example template:

Hello [Username],

Your verification code is: [CODE]

This code will expire in 10 minutes.

If you didn't request this code, please contact support immediately.

Best regards,
[Site Name] Security Team

Step 7: Test with Real Account

Create Test User

Steps:
    • Create new user account
    • Assign role that requires 2FA (e.g., Editor)
    • Use real email address you can access
    • Note username and password

Test Login Flow

Complete login:
    • Log out of admin account
    • Go to login page
    • Enter test user credentials
    • Submit login form
    • Verify: Redirected to 2FA verification screen
    • Check email for verification code
    • Enter code on verification screen
    • Verify: Successfully logged in

Verify Email Receipt

    • ✅ Email arrived: Within 1-2 minutes
    • ✅ Code visible: Easy to read and copy
    • ✅ Not in spam: Arrived in inbox
    • ✅ Professional: Proper sender name and branding

Step 8: Configure Additional Security

Failed Attempt Limits

Prevent brute force attacks on verification codes:

Maximum Failed Attempts: 5
Lockout Duration: 30 minutes

How it works:
    • User gets 5 attempts to enter correct code
    • After 5 failures, account locked for 30 minutes
    • User must wait or contact admin for reset

With a 6-digit code, 5 guesses succeed with probability 5 in 1,000,000 (1 in 200,000), and the lockout then stops further guessing for 30 minutes. Because the lockout is per account, anyone who knows a username can trigger it; a lockout the user did not cause should show up in the audit log (Step 10).

Resend Cooldown

Prevent code spam:

Resend Cooldown: 60 seconds

How it works:
    • User can't request new code immediately
    • Must wait 60 seconds between resend requests
    • Prevents email flooding

Step 9: User Communication

Notify Users in Advance

Email announcement (1 week before):

Subject: Important: Two-Factor Authentication Coming Soon

Dear [User],

Starting [Date], we're implementing Two-Factor Authentication to enhance security for your account.

What this means:
    • When logging in, you'll receive a verification code via email
    • Enter this code to complete login
    • Adds an extra security layer to protect your account

What you need to do:
    • Ensure your email address in your profile is current
    • Add [sender-email] to your contacts
    • Check spam/junk folder if you don't receive codes

This change affects: [List roles]

Questions? Contact [support-email]

Thank you,
[Site Name] Team

Login Page Notice

Add notice to login page:

"Two-Factor Authentication is now required for [roles]. You will receive a verification code via email."

Create Help Documentation

Provide to users:
    • Step-by-step login guide with screenshots
    • Troubleshooting common issues
    • Support contact information
    • FAQ about 2FA

Step 10: Monitor and Support

Check Audit Logs

Monitor 2FA activity:

Tools → Audit Log → Filter by "2FA"

Watch for:
    • High failure rates (user confusion, or someone guessing codes)
    • Repeated lockouts (may need training, or may be deliberate)
    • Email delivery failures
    • Unusual patterns

Prepare Support Team

Common support requests:
    • "I didn't receive the code"
      - Check spam, wait 2 minutes, resend code
    • "Code expired before I could enter it"
      - Request new code, enter immediately
    • "I lost access to my email"
      - Admin must reset 2FA or update email; confirm the requester's identity out of band first, since this is the recovery path an attacker would ask for
    • "It's taking too long"
      - Balance security with user experience
      - Consider feedback for improvements

Configuration Examples

Example 1: Small Business


2FA Enabled: Yes
Required Roles:
  - Administrators
  - Editors
Code Expiration: 10 minutes
Failed Attempts: 5
Exclusions: None
Email: SMTP plugin configured

Example 2: Healthcare (HIPAA)


2FA Enabled: Yes
Required Roles:
  - All roles with patient data access
Code Expiration: 10 minutes
Failed Attempts: 3 (stricter)
Exclusions: None (compliance requirement)
Email: Transactional service (SendGrid)
Audit Logging: Required, retained 7 years

Example 3: E-Commerce Store


2FA Enabled: Yes
Required Roles:
  - Administrators
  - Shop Managers
  - Editors
Code Expiration: 10 minutes
Failed Attempts: 5
Exclusions: Customer role (optional)
Email: WooCommerce SMTP
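
The limits described in Step 3 (fixed 6-digit code, 10-minute expiry) and Step 8 (5 failed attempts, 30-minute lockout, 60-second resend cooldown) modelled as an added Python example. This is not the plugin's code: the class, its method names, the status strings and the in-memory dictionaries are assumptions made for illustration, and only the numeric limits come from this guide. It also shows two properties the guide does not spell out but a verifier needs: codes drawn from the secrets module, a constant-time comparison, and a failure budget kept per account so that requesting a new code does not reset it.

```python
"""Model of the email 2FA limits from Steps 3 and 8 of this guide.

Added example, not code from Attributes User Access Pro. The class,
its method names and the in-memory dictionaries are assumptions made
for illustration; only the numeric limits come from the guide.
"""
import hmac
import secrets
from dataclasses import dataclass, field

CODE_DIGITS = 6          # Step 3: fixed
CODE_TTL = 10 * 60       # Step 3: fixed, seconds
MAX_FAILED = 5           # Step 8 default
LOCKOUT = 30 * 60        # Step 8 default, seconds
RESEND_COOLDOWN = 60     # Step 8 default, seconds


def guess_probability(attempts=MAX_FAILED, digits=CODE_DIGITS):
    """Chance that `attempts` distinct guesses hit one uniformly random code."""
    return attempts / 10 ** digits


@dataclass
class Challenge:
    code: str
    issued_at: float


@dataclass
class EmailOtpPolicy:
    """Per-account 2FA state. `now` is passed in (epoch seconds) so the
    expiry, cooldown and lockout timers can be exercised deterministically."""
    challenges: dict = field(default_factory=dict)    # user -> Challenge
    failures: dict = field(default_factory=dict)      # user -> failed attempts
    locked_until: dict = field(default_factory=dict)  # user -> epoch seconds
    last_sent: dict = field(default_factory=dict)     # user -> epoch seconds
    outbox: list = field(default_factory=list)        # (user, code), stands in for email

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def request_code(self, user, now):
        """Issue and 'email' a fresh code, honouring lockout and resend cooldown."""
        if self.is_locked(user, now):
            return "locked"
        if now - self.last_sent.get(user, -RESEND_COOLDOWN) < RESEND_COOLDOWN:
            return "cooldown"
        # secrets, not random: the code must be unpredictable to an attacker
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.challenges[user] = Challenge(code=code, issued_at=now)
        self.last_sent[user] = now
        self.outbox.append((user, code))
        return "sent"

    def verify(self, user, submitted, now):
        """Check a submitted code. Failures count per account, not per code,
        so requesting a new code does not reset the attempt budget."""
        if self.is_locked(user, now):
            return "locked"
        ch = self.challenges.get(user)
        if ch is None:
            return "no_challenge"
        if now - ch.issued_at > CODE_TTL:
            del self.challenges[user]
            return "expired"
        well_formed = (len(submitted) == CODE_DIGITS
                       and submitted.isascii() and submitted.isdigit())
        # constant-time compare so response timing cannot leak a matching prefix
        if well_formed and hmac.compare_digest(ch.code, submitted):
            del self.challenges[user]          # single use
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILED:
            self.challenges.pop(user, None)
            self.failures[user] = 0
            self.locked_until[user] = now + LOCKOUT
            return "locked"
        return "wrong"
```

The outbox list stands in for the email step so the flow can be driven end to end without a mail server; in a real deployment the only thing that changes is where `request_code` sends the code.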

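The audit-log review in Step 10 lists four signals to watch for. The following added Python example runs those checks over constructed log lines. It is not the plugin's code, and because this page does not document the audit-log export format, the tab-separated layout and the event names (2fa_code_sent, 2fa_verify_ok, 2fa_verify_fail, 2fa_lockout, 2fa_email_failed) are assumptions; adapt parse_log to whatever the Audit Log screen exports. It goes one step beyond the page's list by separating machine-speed failure bursts (code guessing) from ordinary high failure rates (user confusion).

```python
"""Triage of 2FA audit-log entries for the signals listed in Step 10.

Added example, not part of Attributes User Access Pro. The page does not
document the audit-log export format, so the tab-separated layout
"timestamp<TAB>event<TAB>user<TAB>ip" and the event names used below are
assumptions, and the sample lines are constructed for this example.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: alice logs in cleanly, bob mistypes once, carol's
# account sees two bursts of one-second-apart failures ending in lockouts,
# and dave's code email fails to send.
SAMPLE_LOG = """\
2025-11-03T09:00:05Z\t2fa_code_sent\talice\t203.0.113.10
2025-11-03T09:00:40Z\t2fa_verify_ok\talice\t203.0.113.10
2025-11-03T09:05:00Z\t2fa_code_sent\tbob\t198.51.100.7
2025-11-03T09:05:20Z\t2fa_verify_fail\tbob\t198.51.100.7
2025-11-03T09:06:10Z\t2fa_verify_ok\tbob\t198.51.100.7
2025-11-03T11:00:00Z\t2fa_code_sent\tcarol\t192.0.2.44
2025-11-03T11:00:03Z\t2fa_verify_fail\tcarol\t192.0.2.44
2025-11-03T11:00:04Z\t2fa_verify_fail\tcarol\t192.0.2.44
2025-11-03T11:00:05Z\t2fa_verify_fail\tcarol\t192.0.2.44
2025-11-03T11:00:06Z\t2fa_verify_fail\tcarol\t192.0.2.44
2025-11-03T11:00:07Z\t2fa_verify_fail\tcarol\t192.0.2.44
2025-11-03T11:00:07Z\t2fa_lockout\tcarol\t192.0.2.44
2025-11-03T11:30:09Z\t2fa_code_sent\tcarol\t192.0.2.44
2025-11-03T11:30:12Z\t2fa_verify_fail\tcarol\t192.0.2.44
2025-11-03T11:30:13Z\t2fa_verify_fail\tcarol\t192.0.2.44
2025-11-03T11:30:14Z\t2fa_verify_fail\tcarol\t192.0.2.44
2025-11-03T11:30:15Z\t2fa_verify_fail\tcarol\t192.0.2.44
2025-11-03T11:30:16Z\t2fa_verify_fail\tcarol\t192.0.2.44
2025-11-03T11:30:16Z\t2fa_lockout\tcarol\t192.0.2.44
2025-11-03T12:00:00Z\t2fa_code_sent\tdave\t203.0.113.99
2025-11-03T12:00:01Z\t2fa_email_failed\tdave\t203.0.113.99
"""


def parse_log(text):
    """Yield (timestamp, event, user, ip) for each non-blank line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = line.split("\t")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, event, user, ip


def triage(text, min_fails=3, max_rate=0.5, fast_gap_seconds=2.0):
    """Return the Step 10 signals: high failure rate, repeated lockouts,
    email delivery failures, and machine-speed failure bursts (the
    'unusual pattern' that separates code guessing from user confusion)."""
    fails = defaultdict(list)      # user -> failure timestamps
    oks = defaultdict(int)         # user -> successful verifications
    lockouts = defaultdict(int)    # user -> lockout events
    email_failures = []
    for when, event, user, _ip in parse_log(text):
        if event == "2fa_verify_fail":
            fails[user].append(when)
        elif event == "2fa_verify_ok":
            oks[user] += 1
        elif event == "2fa_lockout":
            lockouts[user] += 1
        elif event == "2fa_email_failed":
            email_failures.append((user, when.isoformat()))
    report = {"high_failure_rate": {}, "machine_speed": {},
              "repeated_lockouts": {}, "email_failures": email_failures}
    for user, stamps in fails.items():
        stamps.sort()
        n = len(stamps)
        rate = n / (n + oks[user])
        if n >= min_fails and rate > max_rate:
            report["high_failure_rate"][user] = round(rate, 2)
        # median gap between consecutive failures: humans retype in tens of
        # seconds, a script retries in about a second
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= min_fails - 1 and statistics.median(gaps) < fast_gap_seconds:
            report["machine_speed"][user] = statistics.median(gaps)
    for user, count in lockouts.items():
        if count >= 2:
            report["repeated_lockouts"][user] = count
    return report
```

A user who appears under high_failure_rate but not machine_speed is the training case the page describes; one who appears under both, like carol in the sample, is someone running a guesser against the account and should be handled as an incident rather than a support ticket.
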
Troubleshooting Configuration

2FA Option Not Visible

Solutions:
    • Verify Pro version is installed and activated
    • Check license is valid and not expired
    • Clear browser cache and refresh page
    • Check user has Administrator role

Settings Not Saving

Solutions:
    • Check file permissions (wp-content must be writable)
    • Disable caching plugins temporarily
    • Check for JavaScript errors in browser console
    • Try different browser

Emails Not Sending After Configuration

Solutions:
    • Re-test email delivery
    • Check SMTP credentials haven’t changed
    • Verify hosting email limits not exceeded
    • Check PHP mail() function is working
    • Review server mail logs