
Enable WordPress Two-Factor Auth

Add two-factor authentication to WordPress logins to block password-based attacks.

What this covers: Adding two-factor authentication to WordPress logins to block password-based attacks: choosing a 2FA plugin, authenticator apps, enforcing 2FA for privileged roles, and recovery codes.

Who it’s for: WordPress site owners and administrators who need to secure their site against common threats.

Key outcome: Logging out and back in requires a 2FA code, and your backup codes are saved somewhere safe (not on your phone).

Time to read: 5 minutes

Part of: Security + Infrastructure series

Security audit says every admin account needs two-factor authentication. Here’s how to set it up in under 30 minutes.

Why it matters: Weak, reused and stolen passwords are among the most common causes of WordPress compromises. 2FA takes the password out of the equation: even if it is guessed, leaked or phished, the attacker still needs the second factor. One caveat: a TOTP code can itself be phished in real time on a look-alike login page, which is why the FAQ below rates hardware keys highest.

Choose a 2FA Plugin

Option 1: Wordfence (Recommended)

Wordfence is a security plugin with 2FA included in the free version.

To set up:

  1. Install and activate Wordfence from Plugins → Add New
  2. Go to Wordfence → Login Security
  3. On the Two-Factor Authentication tab, scan the QR code with your authenticator app (or type in the key shown beside it)
  4. Enter the current code from the app to verify and activate 2FA
  5. Save the recovery codes Wordfence shows you before leaving the page

Each user enrols their own account this way; requiring 2FA by role is covered below.

Option 2: WP 2FA (Dedicated Plugin)

WP 2FA focuses solely on 2FA if you don’t want a full security suite:

  1. Install and activate WP 2FA
  2. Run the setup wizard
  3. Choose which user roles require 2FA
  4. Users complete setup on their next login

Option 3: Google Authenticator

Google Authenticator plugin: simple and lightweight, with per-user setup and no role-based enforcement. Despite the name it is a third-party WordPress plugin, not published by Google, and it works with any TOTP authenticator app.

Authenticator Apps

Users need an authenticator app on their phone to generate codes. Any app that implements TOTP works (the FAQ below names Google Authenticator and Authy), and they all behave the same way: scan the QR code once, then read off a 6-digit code that changes every 30 seconds. The code is computed from a secret shared during that scan plus the current time, so the phone's clock must be roughly correct; the app never talks to your site.
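What the app and the plugin both compute is standard RFC 6238 TOTP. The following is an added example written for this guide, not code from Wordfence, WP 2FA or any other plugin: it decodes the Base32 key shown next to a QR code, derives the 6-digit code from the shared secret and the clock, and shows the server-side checks a plugin must make (a one-step window either side for clock drift, and refusing to accept a code at or before the last step already used, so a code that was sniffed or phished cannot be replayed). The secret and timestamps are the RFC 4226/6238 test vectors, not values from any real account.

```python
"""RFC 6238 TOTP, as computed by both the authenticator app and the WordPress plugin.

Added example for this guide; not code from Wordfence, WP 2FA or any other plugin.
Secret and timestamps below are the RFC 4226/6238 test vectors, not real credentials.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # the "changes every 30 seconds" in the text
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from the clock, so both sides need accurate time."""
    return hotp(secret, unix_time // step, digits)


def decode_base32_secret(manual_key: str) -> bytes:
    """The QR code (and the manual-entry key shown beside it) carries the shared secret as
    Base32. Apps accept it lowercase, grouped with spaces and without '=' padding, so
    normalise before decoding."""
    compact = manual_key.replace(" ", "").upper()
    compact += "=" * (-len(compact) % 8)
    return base64.b32decode(compact)


class TotpVerifier:
    """Server-side check: accept the current code or one step either side (clock drift),
    and never accept a code at or before the last step that was already used (replay)."""

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_used_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        current = unix_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_used_counter:
                continue  # already consumed: a sniffed or phished code cannot be replayed
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used_counter = counter
                return True
        return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), written as Base32 with
# the lowercase, grouped formatting an authenticator app would accept when typed in.
RFC_TEST_KEY_BASE32 = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


if __name__ == "__main__":
    secret = decode_base32_secret(RFC_TEST_KEY_BASE32)
    print("RFC 6238 vector T=59 ->", totp(secret, 59))        # 287082
    print("code right now      ->", totp(secret, int(time.time())))
```

The verifier's `last_used_counter` is the detail worth copying: without it, a code shown to an attacker on a fake login page stays valid for the whole 30-second step plus the drift window, which is exactly the real-time phishing the FAQ warns about.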

Enforcing 2FA for All Admins

Don’t make 2FA optional. In Wordfence or WP 2FA settings (the Google Authenticator plugin has no enforcement option):

  • Require 2FA for all Administrator and Editor accounts
  • Set a short grace period (7 days) for users to complete setup; until it ends, those accounts are still protected by a password alone
  • Lock out users who have not set it up once the grace period ends

Recovery Codes: Critical Step

What if someone loses their phone? 2FA plugins generate recovery codes:

  • Single-use codes that bypass the authenticator in emergencies
  • A small batch generated at setup (commonly 5 or 10, depending on the plugin), with the option to regenerate a fresh set
  • Store them somewhere safe: a password manager entry, or printed and kept in a safe, never on the same phone as the app

Important: Make sure users save recovery codes BEFORE they need them. Losing phone access without recovery codes means being locked out of WordPress.

Beyond 2FA: Password Hygiene

  • Use a password manager: generate random, unique passwords for every account
  • Limit login attempts: Wordfence blocks IPs after repeated failures, which blunts brute force and credential stuffing
  • Change the admin username: don’t use “admin” or your domain name. WordPress still discloses usernames through author archives and the REST API users endpoint, so treat this as a minor speed bump rather than a control
  • Consider hiding wp-admin: WPS Hide Login changes the login URL. This is obscurity, not protection; automated login attempts can also arrive through xmlrpc.php, so rate limiting and 2FA still do the real work

Recovery Options When Locked Out

Losing 2FA access happens more often than people plan for. Here are your recovery paths, from easiest to most disruptive:

  1. Recovery codes: Use one of the single-use codes generated during setup. This is why saving them matters.
  2. Another admin: Have a second administrator log in and reset or disable 2FA on your account (from your user profile or the plugin’s own user list, depending on the plugin).
  3. FTP/SSH access: Rename the 2FA plugin folder in wp-content/plugins/ (e.g., wordfence to wordfence-disabled). A plugin whose folder is missing does not load, which removes the 2FA requirement (and, for Wordfence, switches off its firewall too), so work quickly: log in, fix your 2FA setup, rename the folder back, then confirm on the Plugins screen that the plugin is active again. If the Plugins screen was opened while the folder was renamed, WordPress will have deactivated the plugin with a “Plugin file does not exist” notice, and you must reactivate it by hand.
  4. Database edit: As a last resort, delete the 2FA user meta from the wp_usermeta table. Take a database backup first. This requires phpMyAdmin or WP-CLI access and knowledge of which meta keys your plugin uses.

Prevention is easier than recovery. Store recovery codes in your password manager, not on your phone. Ensure at least two admin accounts have 2FA configured independently. Test your recovery process before you need it.

Plugin Comparison

| Feature | Wordfence | WP 2FA | Google Auth |
|---|---|---|---|
| Free 2FA | Yes | Yes | Yes |
| Role-based enforcement | Yes | Yes | No |
| Recovery codes | Yes | Yes | No |
| Grace period | Yes | Yes | No |
| Email fallback | No | Yes (paid) | No |
| Includes firewall/security | Yes | No | No |
| Best for | Sites needing full security | Dedicated 2FA control | Single-user simplicity |

Our recommendation: Wordfence if you do not already have a security plugin. WP 2FA if you want granular 2FA controls without the overhead of a full security suite. Google Authenticator only for single-admin sites where simplicity matters most.

Two-Factor Auth Questions Answered

Which 2FA method is most secure for WordPress?

Hardware security keys (FIDO2/WebAuthn) are the most secure: the credential is bound to your site’s origin, so it cannot be phished onto a look-alike login page. Authenticator apps (TOTP) come next. SMS-based 2FA is the weakest option because of SIM-swapping and message interception. For most WordPress sites, authenticator apps like Google Authenticator or Authy provide the best balance of security and usability.

What happens if I lose my 2FA device?

Use the backup/recovery codes generated during 2FA setup. Store them in a password manager or printed in a secure location. If you’ve lost both your device and your recovery codes, ask another administrator to reset 2FA on your account; failing that, use FTP/SSH access to disable the 2FA plugin by renaming its folder in wp-content/plugins/, log in, re-enrol, and reactivate the plugin.

Should I require 2FA for all WordPress users or just admins?

At minimum, enforce 2FA for Administrator and Editor roles—these accounts can modify site content and settings. For sites handling sensitive data (e-commerce, memberships), require 2FA for all user roles. Most 2FA plugins let you enforce per-role.

Does 2FA slow down the WordPress login process?

It adds 5-10 seconds per login. Authenticator apps require opening the app and typing a 6-digit code. Hardware keys are faster—just tap the key. The minor friction is negligible compared to the cost of a compromised admin account.

✓ Testing Your Two-Factor Login

  • Logging out and back in requires a 2FA code
  • Your backup codes are saved somewhere safe (not on your phone)
  • All admin users have 2FA enabled (check Users list for 2FA status)

Test it: Log out completely, log back in. If it only asks for password, 2FA isn’t active. Complete the full 2FA prompt to verify.
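The enforcement rules earlier in this guide (Administrator and Editor must enrol, 7-day grace period, lock-out afterwards) and the last checklist item (“all admin users have 2FA enabled”) can be checked against the database rather than by eyeballing the Users screen. The following is an added example in Python written for this guide, not code from any plugin: it reads wp_usermeta-style rows, recovers each user’s roles from the PHP-serialized capabilities value that WordPress stores there, and lists privileged users with no 2FA enrolment, marking whether their grace period has run out. The sample rows are constructed, the 2FA meta key name is a hypothetical placeholder (each plugin writes its own key, so look up yours), and the grace period is measured from user_registered here for simplicity, whereas plugins measure it from when enforcement was switched on.

```python
"""Audit privileged WordPress users for 2FA enrolment from wp_usermeta rows.

Added example for this guide, not code from Wordfence, WP 2FA or any other plugin.
All rows are constructed; TWO_FA_META_KEY is a hypothetical placeholder.
"""
import re
from datetime import datetime, timedelta

# HYPOTHETICAL key name. Every plugin stores enrolment under its own meta_key;
# inspect wp_usermeta for a user you know is enrolled and substitute the real one.
TWO_FA_META_KEY = "example_2fa_enabled"
PRIVILEGED_ROLES = {"administrator", "editor"}
GRACE_PERIOD = timedelta(days=7)

# Constructed wp_users rows: ID -> (user_login, user_registered)
USERS = {
    1: ("alice", datetime(2024, 1, 2)),
    2: ("bob", datetime(2024, 3, 1)),
    3: ("carol", datetime(2024, 5, 28)),
    4: ("dave", datetime(2024, 5, 21)),
    5: ("erin", datetime(2024, 5, 25)),
}

# Constructed wp_usermeta rows: (user_id, meta_key, meta_value). Roles live in
# "<prefix>capabilities" as a PHP-serialized array, e.g. a:1:{s:13:"administrator";b:1;}
USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (1, TWO_FA_META_KEY, "1"),
    (2, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (5, "wp_capabilities", 'a:2:{s:6:"editor";b:1;s:11:"contributor";b:1;}'),
    (5, TWO_FA_META_KEY, "1"),
]

NOW = datetime(2024, 6, 1)  # constructed "today" for the sample run

# Role slugs are the string keys whose value is boolean true (b:1) in the serialized array.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized: str) -> set:
    """Return the role slugs granted in a PHP-serialized wp_capabilities value."""
    return set(ROLE_RE.findall(serialized))


def audit_2fa(usermeta, users, now, meta_key=TWO_FA_META_KEY, grace=GRACE_PERIOD):
    """List privileged users without 2FA as (login, roles, status) tuples."""
    roles_by_user = {}
    enrolled = set()
    for user_id, key, value in usermeta:
        if key.endswith("_capabilities"):      # table prefix is not always wp_
            roles_by_user[user_id] = roles_from_capabilities(value)
        elif key == meta_key and value not in ("", "0"):
            enrolled.add(user_id)

    findings = []
    for user_id, roles in sorted(roles_by_user.items()):
        privileged = roles & PRIVILEGED_ROLES
        if not privileged or user_id in enrolled:
            continue
        login, registered = users[user_id]
        status = "lock out" if now - registered > grace else "in grace period"
        findings.append((login, sorted(privileged), status))
    return findings


def run_sample_audit():
    """Run the audit over the constructed sample data."""
    return audit_2fa(USERMETA, USERS, NOW)


if __name__ == "__main__":
    for login, roles, status in run_sample_audit():
        print(f"{login:8} {','.join(roles):14} no 2FA -> {status}")
```

Run against a real export, this flags the same accounts the plugin’s own status column would, but it also catches the case the Users screen hides: a user who holds a privileged role alongside a low-privilege one (erin above is both editor and contributor) is still privileged and must enrol.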