Add Two Factor Authentication to WordPress Login with Incapsula

We are influencers and brand affiliates.  This post contains affiliate links, most which go to Amazon and are Geo-Affiliate links to nearest Amazon store.

This post is aimed at fellow CMS users: those who use WordPress, Joomla or another CMS that has a specific administrative or login interface.  Incapsula has always offered some of the best cloud security features for your site and is completely free if you use less than 50GB of bandwidth per month.  They have now also added a Login Protection package, which offers two-factor protection with various choices depending on your protection plan with Incapsula.


What is Two Factor

First, two-factor authentication requires two components to access an area of a site: something you know and something you have.  The something you know is typically a password.  The something you have can be a physical device like a hard token, an email account or a phone, and it is typically delivered to you either as an SMS token (a one-time passcode) or via an app on iOS or Android.

Incapsula Login Protection


When you log into Incapsula and click on the Settings screen, you will now see a new Login Protect menu, which allows you to define which URIs or page areas of your login page require two-factor authentication.

For WordPress users, you would protect your /wp-admin area, which triggers the two-factor prompt after someone authenticates past wp-login.php or if they hit /wp-admin directly.  If you renamed your admin area, make sure you define all the administrative areas that should be protected.  You only want to two-factor protect the very specific admin login areas of your website or application, but you can add multiple URLs.

Incapsula Two Factor Choices


Next you choose which methods and notifications are allowed.  If you are using the free plan you get only 1 user set up for two-factor authentication, and you only get the email authentication method.  This is ideal if you run a website where you are the only one who ever logs in.  If others log in to your site this is not a good solution, as you will lock everybody out except yourself unless you pay for additional people to have access.

If you have the Personal Plan, you get 3 free users and you get both the Email and Google Authenticator application options.  Google Authenticator is an app you download for iOS or Android; you scan a QR code with it, and it sets up and configures the application and randomly generates passcodes at periodic intervals for you to use to access the site.  This is really convenient and allows instant access, but only if you have a mobile Android or iOS device.  Keeping email as a fallback in case you don't have your mobile device on you may be recommended.

Finally, the Business Plan or above offers SMS two-factor in addition to the above choices, for 5 users for free as part of that plan.  This means that when a user profile is defined, the user can set it up to receive a text message with the access code needed to access the protected page.

Setup is easy: you just add users by typing in the email of each user you want to grant access to the administrative area of your website.  They receive an email that tells them to register their profile.


Once they click the link in that email, they set up their registration by entering their name and their SMS number (if you have the business or enterprise plan), or by registering the Google Authenticator app.  It is on this page that they would open the Google Authenticator iOS or Android app and scan the QR code with it; the app then registers the site and starts generating codes they can use to authenticate.

For my experiment with testing Incapsula Login Protect, I protected the /wp-admin part of my WordPress blog, and you can see that anyone who hits the wp-admin part now gets prompted by the Incapsula protect before they even get to the login area of the site.  I left it this way on purpose to show that you could hit wp-login.php and not see the Incapsula protect until after you log in and it tries to load /wp-admin, or you get it right away if you hit /wp-admin directly.


Now, this feature is an excellent way to completely prevent any bad password or user attempts on your WordPress blog, but it isn’t ideal for bloggers who open their websites up to guest bloggers and allow them to log in; it becomes too expensive to add each user and grant them access.  This is more a security feature for sites that will never allow more than a handful of users to log in or access a specific area of the site; if you are the only one who ever logs into your site, it provides complete protection.

You can set a 14-day registration token so that your browser will remember this computer for 14 days, which prevents you from being challenged too frequently from the same machine.


Incapsula offers a wide variety of security and protections for your website and/or blog, and is easy to set up and free for all smaller sites that pass less than 50GB of data per month.  It is very much worth implementing, and keeping the security and blocking of bots in the cloud causes less resource utilization and load on your web hosting provider than using a WordPress plugin that has to analyze and filter each request.

If you haven’t looked at Incapsula yet, I recommend you do.  They are an excellent service and I have had them set up on many of my blogs for more than 6 months now.
