WP 2FA – Two-factor Authentication for WordPress



Add an extra layer of security to your WordPress website login page and its users. Enable two-factor authentication (2FA), the best protection against weak user passwords, automated password guessing, and brute-force attacks.

Use the WP 2FA plugin to enable two-factor authentication for your WordPress administrator user, and to require your website users, or some of them, to use 2FA. This plugin is very easy to use. It has wizards with clear instructions, so even non-technical users can set up 2FA without requiring technical assistance.

Maintained & Supported by WP White Security

WP White Security builds high-quality niche WordPress security & admin plugins such as Password Policy Manager, a plugin with which you can ensure all your users use strong passwords.

Browse our list of WordPress plugins that can help you better manage and improve the security of your WordPress websites and users.

WP 2FA Key plugin features & capabilities

  • Free Two-factor authentication (2FA) for all users
  • Supports TOTP (code from 2FA apps like Google Authenticator and Authy) and OTP (email based codes)
  • Supports 2FA backup codes
  • Very easy to use and wizard driven
  • Use policies to enforce 2FA with a grace period or require your users to instantly set up 2FA upon login
  • Protection against automated password guessing and dictionary attacks

FREE Plugin Support

Support for the WP 2FA plugin is available for free via:

For any other queries, feedback, or if you simply want to get in touch with us please use our contact form.

From within WordPress

  1. Visit ‘Plugins > Add New’
  2. Search for ‘WP 2FA’
  3. Install & activate the WP 2FA plugin from your Plugins page.


  1. Download the plugin from the WordPress plugins repository
  2. Unzip the zip file and upload the wp-2fa folder to the /wp-content/plugins/ directory
  3. Activate the WP 2FA plugin through the ‘Plugins’ menu in WordPress


  • The first-time install wizard allows you to set up 2FA on your website and for your user within seconds.
  • The wizards make setting up 2FA very easy, so even non-technical users can set up 2FA without requiring help.
  • You can require users to enable 2FA and also give them a grace period to do so.
  • Users can also use one-time codes via email as a two-factor authentication method.
  • You can use policies to require users to instantly set up and use 2FA, so the next time they log in they will be prompted to do so.
  • It is recommended for all users to also generate backup codes, in case they cannot access the primary device.
  • In the user profile, users only have a few 2FA options, so it is not confusing for them and everything is self-explanatory.
  • The plugin blocks the accounts of users who are required to have 2FA but fail to enable it within the grace period, so they do not jeopardize the security of your website.


12 February 2021
Despite many other plugins, this one just works and has everything the majority of users may expect.
4 February 2021
Excellent plugin. Lacking some features, but has several unbeatable advantages:
- free
- supports return redirects properly, so works with SSO plugins, which is a rarity
- allows for building frontend user setup experience for 2FA, also very rare
- developers are responsive and open to suggestions

Main downsides:
- no "trust this device" yet
- no shortcode for building a custom 2fa auth page yet
- no on the fly switch of configured 2FA methods yet

Developers are planning these in upcoming releases, so I guess then it will be totally the king of 2FA WP plugins. Looking forward to it.
28 January 2021
This is a great plugin! Suggest adding the user audit function in order to provide the info to the admin who has multiple users from site management perspective. Thank you.
26 January 2021
Just tested 2FA plugin - and it is a pure "poetry", it's great — so simple, so efficient, many integrations, mails delivering quickly... and the wizard! I think wizard is the best part of it: it is obviously guys that you made a big effort in making it very user-friendly: always explain to users what is going on and all the options. 🙂 Really, really liked it, really. Full stop 🙂

Contributors and Developers

“WP 2FA – Two-factor Authentication for WordPress” is open source software. The following people have contributed to this plugin.


“WP 2FA – Two-factor Authentication for WordPress” has been translated into 3 locales. Thank you to the translators for their contributions.

Change Log

1.5.2 (2021-01-19)

  • Update

    • Improved the “2FA code page” prompt text.
  • Bug fixes

    • Fixed an issue that was locking administrators out of the plugin’s configuration – an incorrect user ID was stored when the plugin settings were saved.
    • Fixed a CSS compatibility issue caused by non-targeted “.disabled” styling.

1.5.1 (2020-12-10)

  • Bug fix
    • Configured 2FA profile for user was reset after first-time install wizard / possibly settings changes.

1.5.0 (2020-12-08)

Release notes: Fully responsive 2FA wizards & more efficient code

  • New features

    • All the 2FA wizards in the plugin are now fully responsive and mobile friendly.
  • Improvements

    • Removed duplicate code and improved the plugin’s efficiency in general (plugin can scale much better now as well on bigger websites).
    • Improved and optimized the creation and handling of user data when saving the 2FA policies and settings.
    • Reduced the overall memory usage when processing settings by switching to direct wpdb queries.
    • Switched to a single validation function when processing settings.
    • Split each background task into smaller individual classes to reduce the load on the website when saving settings / applying policies.
    • New settings overwrite currently queued settings instead of being enqueued when the administrator changes the settings.
    • Added a confirmation step in the wizard for when 2FA setup is completed.
    • Optimized the code that retrieves the email template settings.
    • Unified all email sending functions into one (less code, more efficient, easier to troubleshoot).
    • 2FA method is now separate from backup codes – user does not need to regenerate new backup codes when 2FA config is reset.
    • Users are logged out from session if 2FA is required and administrator resets the 2FA profile.
  • Bug fixes

    • Users were not being redirected to reconfigure 2FA when 2FA was enforced and the admin resets their 2FA profile.
    • Users were unable to reconfigure TOTP 2FA via front-end form in some edge cases.
    • Pressing Enter when a modal is open was sometimes closing it.
    • Awaiting jobs were not being deleted on plugin uninstall.
    • A number of errors were generated when a website visitor visited the shortcode page.
    • In some edge cases, users could still log in to the website.
    • Addressed a conflict with the session lockout feature of All in One Security plugin.
    • Backup codes were not generated at the end of the wizard in some edge cases.

Refer to the complete plugin changelog for more detailed information about what was new, improved and fixed in previous version updates of WP 2FA.