Required: Two-factor Authentication

Two-factor authentication (also known as multi-factor authentication) is a method of securing accounts that requires you not only to know something (e.g. a password) to log in but also to possess something (e.g. your mobile device). The benefit of this approach is that even if someone guesses your password, they would also need to have stolen that possession in order to break into your account.

Starting Wednesday, July 24, 2019 at 18:00 GMT / 2pm ET, two-factor authentication will be required for all WordPress accounts on VIP Go that have the manage_options capability. To avoid disruption, be sure to log in to your WordPress account and enable two-factor authentication before that time. If you don’t enable two-factor authentication before May 29, you’ll have to enable it upon logging in before you can do anything else.

This has been a long-standing requirement for our users and we’re bringing that same level of security to VIP Go. Site owners have always had the ability to implement two-factor authentication on their sites on VIP Go; the difference is that it will now be required by default.

If you’d like to force two-factor authentication for your users before May 29, you can use the wpcom_vip_is_two_factor_forced filter.

For example, to enable for all users that can edit posts:

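// Wait until the current user is set so the capability check is meaningful.
add_action( 'set_current_user', function() {
    // True for any user who can edit posts.
    $limited = current_user_can( 'edit_posts' );
    // Run last (PHP_INT_MAX) so this result is the final value of the filter.
    add_filter( 'wpcom_vip_is_two_factor_forced', function() use ( $limited ) {
        return $limited;
    }, PHP_INT_MAX );
} );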

Or, to enable for all users on the site:

add_filter( 'wpcom_vip_is_two_factor_forced', '__return_true' );

To disable enforcement for all users on the site:

add_filter( 'wpcom_vip_is_two_factor_forced', '__return_false' );
add_filter( 'wpcom_vip_two_factor_prep_hide_admin_notice', '__return_true' );
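
A callback that returns its own result at priority PHP_INT_MAX replaces whatever earlier callbacks decided, so a narrow capability check can switch enforcement off for users who were already forced. The following is an added example, not VIP's own code: it forces two-factor for several capabilities and only ever adds users to enforcement. The capability list and the constant name are hypothetical, and it assumes the filter value is a boolean.

```php
<?php
// Hypothetical capability list for this example; adjust to your site's roles.
const EXAMPLE_2FA_CAPABILITIES = array( 'edit_others_posts', 'publish_posts', 'upload_files' );

add_action( 'set_current_user', function () {
	// set_current_user can fire more than once per request (user switching),
	// so drop the callback registered for the previous user first.
	static $callback = null;
	if ( null !== $callback ) {
		remove_filter( 'wpcom_vip_is_two_factor_forced', $callback, PHP_INT_MAX );
	}

	// Decide once, now that the current user is known.
	$needs_2fa = false;
	foreach ( EXAMPLE_2FA_CAPABILITIES as $capability ) {
		if ( current_user_can( $capability ) ) {
			$needs_2fa = true;
			break;
		}
	}

	// WordPress passes the value computed by earlier callbacks as the first
	// argument. OR-ing with it means this callback can require two-factor
	// for more users but can never turn it off for a user already forced.
	$callback = function ( $forced ) use ( $needs_2fa ) {
		return (bool) $forced || $needs_2fa;
	};

	add_filter( 'wpcom_vip_is_two_factor_forced', $callback, PHP_INT_MAX );
} );
```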

As always, if you have any questions or need help with securing your site, please get in touch.

2 thoughts on “Required: Two-factor Authentication”

  1. This is only for WordPress.com accounts? I mean, for all users in the CMS that do not use wordpress.com as a login method, the two-factor auth isn’t required for them?
