Duo Two-Factor Authentication for WordPress - FAQ

Last Updated: March 28th, 2024


Duo's WordPress plugin enables two-factor authentication for WordPress logins.

Support for the traditional Duo Prompt experience and Duo Prompt delivery via iframe ended on March 30, 2024.

See the update instructions for WordPress to update an existing deployment of the iframe-based WordPress software to the latest release. Authenticating once with the updated Duo software is a required step before you can enable the Duo Universal Prompt for your existing WordPress application.

Please visit the Duo Universal Prompt Update Guide for more information about the traditional Duo Prompt end of support.

Can other WordPress plugins break Duo for WordPress?

Some WordPress plugins cause authentication issues when used in conjunction with Duo for WordPress. Duo Support has observed this specifically in the "Maintenance" plugin from fruitfulcode, AD FS plugins, and Sucuri Scanner's "harden" feature.

We recommend disabling any other plugins that appear to be causing an issue, to allow authentications to function successfully.

Why is Duo unexpectedly prompting some user roles to authenticate to the primary WordPress site?

In a WordPress multisite installation with Duo two-factor authentication configured for "Administrator" role users, users with the "Editor" role (or any role other than "Administrator") may see unexpected prompts for Duo authentication when logging into the primary WordPress site instead of their assigned subdomain site.

This happens because when those "Editor" users log into the primary domain instead of their subdomains, the Duo plugin attempts to verify the user's role in the primary domain to determine whether two-factor is required for that role. Since the users are not members of the primary domain, Duo is unable to find any roles for the user attempting to log in and defaults to two-factor authentication.

To correct this, add the subdomain users to the primary domain with their corresponding roles under Network Admin → Sites → Users.
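
The behavior described in this answer, modelled as an added illustration that is not code from the Duo plugin: a user with no role on the site being logged into cannot be matched against the configured roles, so the check fails closed and prompts. The function names, the role setting and the sample users and sites are hypothetical.

```php
<?php
// Added illustration: a simplified model of the role check described above.
// It is NOT the Duo plugin's code; all names and data here are hypothetical.

// Constructed sample data: site => [user => roles held on that site].
$siteRoles = [
    'primary' => ['alice' => ['administrator']],
    'blog1'   => ['bob'   => ['editor']],
];

// Roles selected for Duo two-factor (hypothetical setting).
$duoRoles = ['administrator'];

/**
 * Decide whether a login to $site must complete two-factor.
 * A user with no roles on that site cannot be matched against the
 * configured roles, so the model fails closed and requires two-factor.
 */
function requiresTwoFactor(array $siteRoles, array $duoRoles, string $site, string $user): bool
{
    $roles = $siteRoles[$site][$user] ?? [];
    if ($roles === []) {
        return true; // no role found on this site: default to two-factor
    }
    return array_intersect($roles, $duoRoles) !== [];
}

// Print the decision for one login attempt.
function report(array $siteRoles, array $duoRoles, string $site, string $user): void
{
    $need = requiresTwoFactor($siteRoles, $duoRoles, $site, $user);
    printf("%-6s on %-8s => %s\n", $user, $site, $need ? '2FA prompt' : 'no prompt');
}

report($siteRoles, $duoRoles, 'blog1', 'bob');     // editor on the assigned site
report($siteRoles, $duoRoles, 'primary', 'bob');   // not a member of the primary site
report($siteRoles, $duoRoles, 'primary', 'alice'); // administrator on the primary site

// Apply the correction from this answer: add bob to the primary site as editor.
$siteRoles['primary']['bob'] = ['editor'];
report($siteRoles, $duoRoles, 'primary', 'bob');   // role is now found and is not protected
```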

Why do I see "Access denied. The server's time may be out of sync." when logging in?

If you can, ssh into the server and use NTP to set the correct time.

If you don't have access to the server (or the permissions needed to run NTP), contact your web host and have them correct the server time.

Note: the WordPress timezone setting is irrelevant here.

How do I enable debug logging for the Duo plugin?

  1. Open the wp-content/plugins/duo/duo_wordpress.php file in a text editor and set $DuoDebug = true; (instead of false).
  2. Reproduce the issue.
  3. Examine the debug output in the wp-content directory.

How do I install Duo's plugin on a multisite WordPress installation?

  1. While logged in as the WordPress network admin, navigate to My Sites → Network Admin → Plugins. Install the Duo two-factor authentication plugin using the directions on the main page and click Network Activate after installation. Proceed with multisite configuration after activating the plugin.

  2. Browse to Settings → Network Settings. Scroll down the page to the "Duo Security" section. Copy and paste your integration key, secret key, and API hostname from the Duo WordPress application's page in the Duo Admin Panel. You may select which WordPress user roles need to authenticate using Duo.

    To fully secure your WordPress site, Duo recommends that you disable XML-RPC. However, this will prevent use of offline Weblog clients and the WordPress mobile app.

    Click Save Changes to complete configuration.

Additional Troubleshooting

Need more help? Try searching our WordPress Knowledge Base articles or Community discussions. For further assistance, contact Support.