MarckDev

July 1, 2026 · 4 min read

Two-factor authentication on WordPress and PrestaShop: a quick guide


Most of the compromised sites that land on our support desk have a trivial entry point: an administrator account protected by nothing but a password, often reused on other services. Two-factor authentication on WordPress and PrestaShop is the security measure with the best ratio of effort to benefit: you can set it up in an afternoon and it blocks the vast majority of account attacks. Here is how to do it properly on both platforms.

Why a password alone is not enough

Attacks on a site's login pages are not the work of specialists targeting you personally: they are automated and hit everything indiscriminately. The three most common scenarios:

  • credential stuffing: passwords leaked from breaches of other services get tried in bulk against login panels; if you reuse passwords, you are exposed even with a long one;
  • brute force: repeated attempts against predictable usernames like admin, often spread across many IPs to get around blocking;
  • phishing: a convincing email that takes you to a fake login page, and you hand over the password yourself.

Two-factor authentication adds a second element, usually a temporary code generated by an app on your phone: anyone who steals the password is still locked out without your phone. It is not absolute protection, but it raises the cost of the attack just enough for the bots to move on to the next target.

Enabling 2FA on WordPress

WordPress does not include two-factor authentication in core, so you need a plugin. The options fall into two families: dedicated 2FA-only plugins, lightweight and focused, and full security suites that include it among other features. If you already have a security suite installed, check first whether 2FA is included: better to enable it there than to add a duplicate plugin.

The steps we follow on our clients' sites:

  1. Choose the TOTP method (temporary codes generated by an authenticator app on your phone): it works without depending on SMS or email, which are the weakest channels.
  2. Enable 2FA on your own user first, verify that login works, and only then roll it out to the others.
  3. Make it mandatory for administrators and editors. The roles with the most permissions are the ones that do the most damage if compromised; many plugins let you enforce it by role.
  4. Generate and save the recovery codes somewhere safe, such as a password manager. It is the step everyone skips, and it saves you from panic when you change phones.
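As an added illustration, not code from the article or from any WordPress or PrestaShop plugin, this is what step 1 (TOTP codes) and step 4 (recovery codes) amount to under the hood: RFC 6238 code generation from a shared secret, a verifier that tolerates one step of clock drift but refuses replayed codes, and one-time recovery codes stored only as hashes. The secret is the RFC test vector; the timestamps and function names are my own assumptions.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30  # seconds per TOTP window, the usual authenticator-app default


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226), dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the current 30-second window."""
    return hotp(secret, timestamp // STEP, digits)


def verify_totp(secret: bytes, submitted: str, timestamp: int,
                last_used: int = -1, window: int = 1):
    """Return the matched window counter, or None.

    Codes from `window` steps either side are accepted (phone clock drift), but
    any counter at or below `last_used` is refused, so a code captured once
    cannot be replayed inside its 30-second lifetime. The caller stores the
    returned counter as the new `last_used`. Comparison is constant-time.
    """
    current = timestamp // STEP
    for counter in range(current - window, current + window + 1):
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


def hash_recovery_code(code: str) -> str:
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


def generate_recovery_codes(count: int = 8) -> list[str]:
    """Random one-time codes; show them once, keep only hashes server-side."""
    return [secrets.token_hex(5) for _ in range(count)]


def redeem_recovery_code(stored_hashes: set[str], submitted: str) -> bool:
    """Each recovery code works exactly once: it is removed on successful use."""
    digest = hash_recovery_code(submitted)
    if digest in stored_hashes:
        stored_hashes.remove(digest)
        return True
    return False
```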

Finish the job with two zero-cost measures: delete the user named admin if it still exists, and limit failed login attempts, a feature included in almost every security suite.

Enabling 2FA on PrestaShop

On PrestaShop the concern is the back office, the panel from which you manage orders, prices and customers: a compromised account there means exposed customer data and, in the worst cases, malicious code in the payment pages. Here too, the route is a module: you will find ones dedicated to two-factor authentication on the official marketplace and inside security suites for PrestaShop. The selection criteria are the usual ones: a module updated recently, compatible with your version, with active reviews and support.

Beyond 2FA, on the PrestaShop back office we normally apply three complementary protections:

  • rename the administration folder to something unpredictable, taking the panel out of sight of bots scanning for standard paths;
  • restrict back office access by IP when the office has a fixed address, so the panel does not even respond to the rest of the world;
  • one employee profile per person, with only the necessary permissions: the account shared between three colleagues is convenient until the day you need to figure out who did what.

The rules that apply to both platforms

2FA works best on top of basic access hygiene:

  • one account per person, never shared credentials, and immediate removal of accounts belonging to former collaborators and old suppliers;
  • least privilege: someone who writes articles does not need the administrator role;
  • unique passwords managed with a password manager, because 2FA is the second factor, not a replacement for the first;
  • 2FA on the services around the site too: hosting, domain, email. An attacker who gets into the hosting panel bypasses any protection in the CMS;
  • verified backups, because one hundred percent security does not exist and restore is what separates an incident from a disaster.

One last organisational note: document who has access to what. On the sites we take over, the access map is almost always missing, and it is the first thing we rebuild.

Want access and servers secured by people who do this for a living?

We handle servers and infrastructure: WordPress and PrestaShop hardening, access management, firewalls, tested backups and monitoring. If you are not sure how your site is protected today, book a free call: we take stock of your access setup and tell you what to fix first, starting with two-factor authentication.
