2FAS Prime — Two Factor Authentication


Secure your WordPress Administration area with 2FAS Prime plugin

The 2FAS Prime plugin is a free, simple and very easy to set up WordPress plugin. It guarantees a completely secure login to your WordPress website. Enable two-factor authentication (2FA), the best protection against weak passwords, automated password guessing and brute force attacks.
2FA Prime plugin provides two-factor authentication whenever you log in to the WordPress website ensuring no unauthorised access to it. If you log in as an admin from an untrusted device, you will be requested to provide additional authentication in the form of a one-time token.
2FAS plugin works perfectly with 2FAS Authenticator app but supports also other 2FA apps based on TOTP (Time-Based One-Time Password).

Install & use

You do not need to register, create a special account, log in or take any other additional action to use the 2FAS Prime plugin. All you need to have is 2FA and all you need to do is install plugin and activate it in your WordPress. It is as simple as that. Moreover, the 2FAS Prime plugin does not communicate with any external sites. All data needed to make the plugin work properly are safely stored in the WordPress database.

Free for all users

2FAS’s Two Factor Authentication is available to all users. All you need to do is to install it and configure. It is FREE for all users.

Get instant protection against:

Brute-force attacks

It happens that the encrypted password for the portal is hacked due to outdated software or plugins. It is only a matter of time before the encoded hash password will be decrypted and will appear online. You don’t have to worry about it if you use the 2FAS Prime plugin. Even if the attacker knows your password, he still has to enter the one-time token generated by 2FAS App to gain access to your account.

WordPress takeovers

Many people use the same password or a similar password for many online services. ‘Weak’ and repeatedly used passwords remain a major cybersecurity vulnerability. You effectively reduce that risk when you carefully choose your passwords and enable Two Factor Authentication with the 2FAS Prime plugin.

Phishing and keylogger attacks

Enable the 2FAS Prime to protect your WordPress site and make sure that the devices used by you or other users are completely free of keyloggers and viruses.
Any password discovery attempt is useless with 2FAS. Without your token generated by the 2FAS app or other 2FA app, conventional access to your WordPress site is almost impossible.


For more information, check out our website at https://2fas.com
If you need our support, please contact us at support@2fas.com


  • The first step of the login process — providing the login and the password
  • The second step of the login process — providing the token on an untrusted browser
  • Configuring the Two-Factor Authentication in the 2FAS Prime plugin


  1. Log in to your WordPress administration area and go to the “Plugins” menu option on the left side.
  2. Click the “Add New” button at the top of the page.
  3. Search for “2FAS Prime” and click the “Install Now” button.
  4. When 2FAS Prime successfully installs, click the “Activate” link.
  5. Go to the 2FAS Prime menu option and follow the steps of the plugin wizard (scan the QR code and provide your token in order to verify it).
  6. That’s it! Now your WordPress administration area is protected by 2FAS Prime.

Plugin requirements:

  • PHP 7.0 or newer (PHP 7.4 is recommended)
  • PHP extensions: GD, Multibyte String, OpenSSL, Json
  • WordPress 5.0 or newer
  • JavaScript enabled

If you have any problems with the installation please contact us at support@2fas.com


Why do I need the 2FAS Prime plugin?

2FAS Prime is a FREE, Simple & very easy to set up plugin that keeps your website safe and secure. The 2FAS plugin adds the second factor to the login process. After you enter your username and password, you must enter a specific token provided by a mobile application. It is called two-factor authentication, and it increases the protection level of your website.
Without the token generated by your smartphone, any password discovery attempt will be useless with the 2FAS Prime plugin.

Do I need to enter a token each time I log in to the WordPress admin?

No, it is not necessary. You can mark a browser on your computer or mobile device as trusted. With trusted web browsers and devices, you don’t need to enter a verification code each time you sign in.

What do I need to do to start using the 2FAS Prime plugin?

The most common way to use the 2FAS Prime plugin is to configure your smartphone to generate tokens. You can download 2FAS Authenticator app or any Time-based One-Time Password (TOTP) app.

What should I do when I lose my phone/delete the app?

You may always use our 2FAS Backup. It is a feature of 2FAS Authenticator App that allows you to backup your Secret Keys safely and anonymously on your cloud. This backup method is completely secure and no one except you has access to your keys.

In case you lose or damage your phone you simply install 2FAS App on your new device and turn the 2FAS Backup feature on to get access to your Keys. That way you will never get locked out of your accounts.

Is it free?

Yes, it is completely free.

You can either use it privately or for commercial usage without any fees.


22 March 2021
No need to download another app for your phone. Odds are if you are looking for an authenticator for your WordPress installation, odds are you already have Google Authenticator on your phone. If so, this plugin just works! I've changed my login URL, and added this plugin. Granted, there are other hardening things I've done to my site, but this is so important. 2FA with text messages can be faked/hacked. This is much safer! [ Signature moderated ]
24 December 2020
Really like that you can add multiple users to use tokens and that it's so simple to set up
16 September 2020
2FAS Light - Google Authenticato is a excelent plugin!
Read all 30 reviews

Contributors and Developers

“2FAS Prime — Two Factor Authentication” is open source software. The following people have contributed to this plugin.


Change Log

3.3.1 (Sep. 20, 2021)

  • Tested on version 5.8 of WordPress

3.3 (Jun. 21, 2021)

  • Minimum required PHP version is now 7.2
  • Fixed bug in Time class
  • Update dependencies

3.2.1 (May. 20, 2021)

  • Fixed bug in Trusted Devices Hook

3.2 (Apr. 26, 2021)

  • Added admin settings page (can set 2FA obligatory for user roles and turn off trusted devices feature)

3.1.1 (Apr. 6, 2021)

  • Fixed path in checking conflicted plugins
  • Fixed typo in text

3.1 (Mar. 30, 2021)

  • Minor frontend changes
  • Added backup codes feature
  • Added support for translations
  • Fixed compatibility with WP Cerber

3.0.2 (Jan. 8, 2021)

  • Fixed bug in custom column filter

3.0.1 (Jan. 4, 2021)

  • Fixed bug in custom column filter

3.0 (Dec.21, 2020)

  • Major update of plugin core
  • Dropped support for PHP 5.* Minimum required PHP version is now 7.0
  • Dropped support for WordPress < 4.9 Minimum required version is now 4.9
  • Changed login process – block account after 5 attempts
  • Added last login time to trusted devices

2.0 (Sep. 1, 2020)

  • Dropped support for PHP 5.4, 5.5. Minimum required PHP version is now 5.6
  • Dropped support for WordPress < 4.2 Minimum required version is now 4.2

1.3.0 (Jun. 22, 2020)

  • Added compatibility with Jetpack
  • Added link to plugin settings in plugin list
  • Fixed use plugins_url function

1.2.0 (Oct. 9, 2019)

  • Added compatibility with multisite
  • Minor frontend fixes
  • Fixed issue with deleting all plugin’s data during uninstallation
  • Fixed IP in trusted devices

1.1.5 (Apr. 16, 2019)

  • Fixed compatibility with plugins renaming login page

1.1.4 (Apr. 9, 2019)

  • Added compatibility with WooCommerce

1.1.3 (Mar. 6, 2019)

  • Constant DIRECTORY_SEPARATOR is not used anymore
  • Prevent direct access to twofas_light_init.php file

1.1.2 (Feb. 18, 2019)

  • Fixed setcookie function arguments

1.1.1 (Aug. 9, 2018)

  • Fixed PHP errors and warnings occurring during some actions
  • Added plugin’s requirements check during logging in
  • Review notice is shown to every administrator separately
  • Fixed timezones

1.1.0 (Jun. 18, 2018)

  • New layout
  • Improved TOTP time synchronization
  • Added voluntary plugin review request
  • Fixed trusted device cookie deletion
  • Trusted device deletion must be confirmed