Two-Factor Authentication Configuration (Pro)

Version: 1.2.1 Pro
Last Updated: November 2025
Difficulty: Intermediate
Time Required: 20 minutes

Overview

This guide walks you through configuring Two-Factor Authentication (2FA) in Attributes User Access Pro, from initial setup to role-based requirements.

Before You Start

    • Verify Pro license: Ensure Pro version is activated
    • Test email delivery: Confirm emails arrive reliably
    • Create backup admin: Have secondary admin account as fallback
    • Plan rollout: Decide which roles require 2FA first

Important: Do not enable 2FA site-wide until you’ve tested email delivery and confirmed it works correctly!

Step 1: Access Security Settings

Navigate to settings:

WordPress Admin → Settings → Attributes User Access → Security

Find 2FA section:

Scroll to “Two-Factor Authentication” panel

Step 2: Test Email Delivery

Why Test First?

Critical: If emails don’t arrive, users with 2FA enabled will be locked out. Always test first!

Send Test Email

Steps:

  • In Security settings, find “Email Testing” section
  • Enter your email address
  • Click “Send Test Email”
  • Check your inbox within 2 minutes

What to verify:

  • ✅ Email arrives within 1-2 minutes
  • ✅ Email not in spam/junk folder
  • ✅ Email content displays correctly
  • ✅ Sender address looks professional

Troubleshooting Test Emails

Email not received:

Solutions:

    • Check spam/junk folder
    • Wait 5 minutes (some servers delay)
    • Verify WordPress email settings
    • Check SMTP configuration (if using SMTP plugin)
    • Test with different email provider
    • Contact hosting support

Email in spam:

Solutions:

    • Configure SPF/DKIM records
    • Use proper sender name/address
    • Install SMTP plugin (WP Mail SMTP recommended)
    • Use transactional email service (SendGrid, Mailgun)

Step 3: Enable Two-Factor Authentication

Global Enable

Toggle 2FA on:

Enable Two-Factor Authentication: [ON]

Configuration:

2FA Method: Email (default)

Code Length: 6 digits (fixed)

Code Expiration: 10 minutes (fixed)

Click: Save Changes

Note: Enabling 2FA globally doesn't immediately require it for all users. You must configure role requirements next.

Step 4: Configure Role-Based Requirements

Select Roles Requiring 2FA

Available checkboxes:

☐ Require for Administrators

☐ Require for Editors

☐ Require for Authors

☐ Require for Contributors

☐ Require for Subscribers

☐ Require for Customers

Recommended Configurations

Configuration 1: High Security (Recommended)

For: Corporate, healthcare, financial sites

☑ Require for Administrators

☑ Require for Editors

☑ Require for Authors

☐ Require for Contributors

☐ Require for Subscribers

☐ Require for Customers

Rationale: Protect all users who can publish content or access sensitive data.

Configuration 2: Admin Only (Conservative)

For: Initial rollout, testing phase

☑ Require for Administrators

☐ Require for Editors

☐ Require for Authors

☐ Require for Contributors

☐ Require for Subscribers

☐ Require for Customers

Rationale: Start small, test thoroughly, then expand.

Configuration 3: All Staff (Maximum Security)

For: High-security environments, compliance requirements

☑ Require for Administrators

☑ Require for Editors

☑ Require for Authors

☑ Require for Contributors

☐ Require for Subscribers

☑ Require for Customers (if handling financial data)

Rationale: Maximum protection for all users with elevated privileges.

Configuration 4: E-Commerce Focus

For: Online stores, WooCommerce sites

☑ Require for Administrators

☑ Require for Shop Managers

☐ Require for Customers (optional—see below)

Customer 2FA considerations:

  • Pros: Protects order history, payment methods, personal data
  • Cons: May reduce conversion rates, adds friction
  • Recommendation: Optional or for high-value customers only

Step 5: Configure Excluded Roles (Optional)

When to Use Exclusions

Common scenarios:

  • Support staff needing quick access
  • Service accounts for integrations
  • Emergency access accounts
  • Testing accounts

Security Risk: Each exclusion reduces overall security. Only exclude when absolutely necessary and document the reason.

Add Excluded Roles

Steps:

  • In 2FA settings, find "Excluded Roles" section
  • Check roles to exclude from 2FA
  • Add notes explaining why (for documentation)
  • Save changes

Example:

☑ Support Staff - Quick troubleshooting access

☑ API Service Account - Integration requirement

☐ Emergency Admin - Keep secured

Step 6: Configure Email Settings

Sender Information

From Name:

Default: WordPress site name

Recommended: Your company/site name

Example: "Acme Corp Security"

From Email:

Default: wordpress@yourdomain.com

Recommended: noreply@yourdomain.com or security@yourdomain.com

Email Template

Subject Line:

Default: "Your verification code for [Site Name]"

Customizable: Yes

Email Body:

Customize the verification email content

Include branding, helpful instructions

Keep code prominent and easy to find

Example template:

Hello [Username],

Your verification code is: [CODE]

This code will expire in 10 minutes.

If you didn't request this code, please contact support immediately.

Best regards,

[Site Name] Security Team

Step 7: Test with Real Account

Create Test User

Steps:

  • Create new user account
  • Assign role that requires 2FA (e.g., Editor)
  • Use real email address you can access
  • Note username and password

Test Login Flow

Complete login:

  • Log out of admin account
  • Go to login page
  • Enter test user credentials
  • Submit login form
  • Verify: Redirected to 2FA verification screen
  • Check email for verification code
  • Enter code on verification screen
  • Verify: Successfully logged in

Verify Email Receipt

    • Email arrived: Within 1-2 minutes
    • Code visible: Easy to read and copy
    • Not in spam: Arrived in inbox
    • Professional: Proper sender name and branding

Step 8: Configure Additional Security

Failed Attempt Limits

Prevent brute force attacks on verification codes:

Maximum Failed Attempts: 5

Lockout Duration: 30 minutes

How it works:

  • User gets 5 attempts to enter correct code
  • After 5 failures, account locked for 30 minutes
  • User must wait or contact admin for reset

Resend Cooldown

Prevent code spam:

Resend Cooldown: 60 seconds

How it works:

  • User can't request new code immediately
  • Must wait 60 seconds between resend requests
  • Prevents email flooding
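The limits from Step 8, combined with the fixed 6-digit, 10-minute code from Step 3, modelled as a small Python class so the interaction between expiry, failed attempts, lockout and resend cooldown can be traced. This is an added illustration, not the plugin's code: the class name, the injectable clock and the status strings are assumptions, and the real plugin keeps this state per user in WordPress rather than in memory.

```python
import hmac
import secrets
import time

# Policy values from the guide: 6-digit code, 10-minute expiry,
# 5 failed attempts then a 30-minute lockout, 60-second resend cooldown.
CODE_LENGTH = 6
CODE_TTL = 10 * 60
MAX_FAILED = 5
LOCKOUT = 30 * 60
RESEND_COOLDOWN = 60

class EmailCodeVerifier:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock, so tests can advance time
        self.code = None          # currently valid code, or None
        self.issued_at = 0.0
        self.failures = 0
        self.locked_until = 0.0

    def issue(self):
        """Generate a fresh code (the caller emails it), honouring the cooldown."""
        t = self.now()
        if t < self.locked_until:
            return None, "locked"
        if self.code is not None and t - self.issued_at < RESEND_COOLDOWN:
            return None, "cooldown"
        # secrets.randbelow is unpredictable; zero-pad so "000123" keeps 6 digits
        self.code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self.issued_at = t
        self.failures = 0
        return self.code, "sent"

    def verify(self, submitted):
        """Check a submitted code: returns ok, wrong, expired or locked."""
        t = self.now()
        if t < self.locked_until:
            return "locked"
        if self.code is None or t - self.issued_at > CODE_TTL:
            return "expired"
        if hmac.compare_digest(self.code.encode(), str(submitted).encode()):
            self.code = None      # single use
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILED:
            self.locked_until = t + LOCKOUT
            self.code = None      # a lockout invalidates the outstanding code
            return "locked"
        return "wrong"
```

With these values an attacker who guesses gets at most 5 tries per 30-minute lockout window against a 1,000,000-code space, which is why the lockout matters more than the code length.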

Step 9: User Communication

Notify Users in Advance

Email announcement (1 week before):

Subject: Important: Two-Factor Authentication Coming Soon

Dear [User],

Starting [Date], we're implementing Two-Factor Authentication to enhance security for your account.

What this means:

  • When logging in, you'll receive a verification code via email
  • Enter this code to complete login
  • Adds an extra security layer to protect your account

What you need to do:

  • Ensure your email address in your profile is current
  • Add [sender-email] to your contacts
  • Check spam/junk folder if you don't receive codes

This change affects: [List roles]

Questions? Contact [support-email]

Thank you,

[Site Name] Team

Login Page Notice

Add notice to login page:

"Two-Factor Authentication is now required for [roles]. You will receive a verification code via email."

Create Help Documentation

Provide to users:

  • Step-by-step login guide with screenshots
  • Troubleshooting common issues
  • Support contact information
  • FAQ about 2FA

Step 10: Monitor and Support

Check Audit Logs

Monitor 2FA activity:

Tools → Audit Log → Filter by "2FA"

Watch for:

  • High failure rates (indicates user confusion)
  • Repeated lockouts (may need training)
  • Email delivery failures
  • Unusual patterns
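One way to turn the "watch for" list above into a check you can run over an exported audit log. This is an added example, not part of the guide or the plugin: the line format, event names and thresholds are assumptions (the guide does not show the real export), so adjust LINE_RE and EVENTS to match your data.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical format; the plugin's real
# audit-log layout is not shown in the guide.
SAMPLE_LOG = """\
2025-11-03 09:01:12 2FA code_sent user=alice
2025-11-03 09:01:40 2FA verify_ok user=alice
2025-11-03 09:05:02 2FA code_sent user=bob
2025-11-03 09:05:30 2FA verify_fail user=bob
2025-11-03 09:05:44 2FA verify_fail user=bob
2025-11-03 09:06:01 2FA verify_fail user=bob
2025-11-03 09:06:20 2FA verify_ok user=bob
2025-11-03 09:10:00 2FA code_sent user=carol
2025-11-03 09:11:00 2FA lockout user=carol
2025-11-03 09:45:00 2FA code_sent user=carol
2025-11-03 09:46:00 2FA lockout user=carol
2025-11-03 09:50:00 2FA code_sent user=dave
2025-11-03 09:50:01 2FA email_fail user=dave
2025-11-03 09:51:10 2FA code_sent user=dave
2025-11-03 09:51:11 2FA email_fail user=dave
"""

LINE_RE = re.compile(r"^\S+ \S+ 2FA (?P<event>\w+) user=(?P<user>\S+)$")
EVENTS = ("code_sent", "verify_ok", "verify_fail", "lockout", "email_fail")


def summarize(log_text):
    """Count each 2FA event type per user; lines that don't match are ignored."""
    stats = defaultdict(lambda: dict.fromkeys(EVENTS, 0))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["event"] in EVENTS:
            stats[m["user"]][m["event"]] += 1
    return dict(stats)


def findings(stats, max_fail_rate=0.5, max_lockouts=1, min_attempts=2):
    """Flag the conditions the guide says to watch for, per user."""
    out = []
    for user, s in sorted(stats.items()):
        attempts = s["verify_ok"] + s["verify_fail"]
        if attempts >= min_attempts and s["verify_fail"] / attempts > max_fail_rate:
            out.append((user, "high failure rate"))
        if s["lockout"] > max_lockouts:
            out.append((user, "repeated lockouts"))
        if s["email_fail"] > 0:
            out.append((user, "email delivery failures"))
    return out


if __name__ == "__main__":
    for user, reason in findings(summarize(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```

A high failure rate on one account usually means user confusion, but the same pattern across many accounts at once is worth treating as a delivery problem or an attack rather than training.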

Prepare Support Team

Common support requests:

  • "I didn't receive the code"
    - Check spam, wait 2 minutes, resend code
  • "Code expired before I could enter it"
    - Request new code, enter immediately
  • "I lost access to my email"
    - Admin must reset 2FA or update email
  • "It's taking too long"
    - Balance security with user experience
    - Consider feedback for improvements

Configuration Examples

Example 1: Small Business

2FA Enabled: Yes
Required Roles:
  - Administrators
  - Editors
Code Expiration: 10 minutes
Failed Attempts: 5
Exclusions: None
Email: SMTP plugin configured

Example 2: Healthcare (HIPAA)

2FA Enabled: Yes
Required Roles:
  - All roles with patient data access
Code Expiration: 10 minutes
Failed Attempts: 3 (stricter)
Exclusions: None (compliance requirement)
Email: Transactional service (SendGrid)
Audit Logging: Required, retained 7 years

Example 3: E-Commerce Store

2FA Enabled: Yes
Required Roles:
  - Administrators
  - Shop Managers
  - Editors
Code Expiration: 10 minutes
Failed Attempts: 5
Exclusions: Customer role (optional)
Email: WooCommerce SMTP

Troubleshooting Configuration

2FA Option Not Visible

Solutions:

    • Verify Pro version is installed and activated
    • Check license is valid and not expired
    • Clear browser cache and refresh page
    • Check user has Administrator role

Settings Not Saving

Solutions:

    • Check file permissions (wp-content must be writable)
    • Disable caching plugins temporarily
    • Check for JavaScript errors in browser console
    • Try different browser

Emails Not Sending After Configuration

Solutions:

    • Re-test email delivery
    • Check SMTP credentials haven't changed
    • Verify hosting email limits not exceeded
    • Check PHP mail() function is working
    • Review server mail logs