Two-Factor Authentication (2FA)
For: WordPress site owners, freelancers managing client logins, and anyone using wp-admin — particularly on shared hosting where login attacks are constant.
Affiliate disclosure: Some links on this page are affiliate links. We earn a commission at no extra cost to you.
Two-factor authentication (2FA) is a login security method that requires two separate forms of verification before granting access — typically something you know (a password) and something you have (a one-time code from your phone).
Answer capsule
Two-factor authentication (2FA) requires two distinct proofs of identity to log in: your password plus a second factor, such as a time-based code from an authenticator app or an SMS message. Even if an attacker has your password, they cannot access your account without the second factor.
Why it matters for WordPress sites
A public wp-login.php page is hit by automated login attempts around the clock. We see this pattern on nearly every new client site we audit: within 48 hours of going live, the login page is already under automated attack. A strong password alone is not enough.
2FA defeats password-only attacks such as credential stuffing and brute force: the attacker may guess, crack, or buy your password, but they cannot produce the rotating code from your authenticator app. According to Microsoft’s own research, enabling multi-factor authentication blocks over 99.9% of automated account-compromise attacks. The protection is strong, not absolute: a phishing page that relays the code to the real site within its 30-second lifetime still gets in, and an SMS code can be intercepted through a SIM swap, which is why an authenticator app is preferred over SMS.
The three authentication factors
Authentication factors fall into three categories:
| Factor | Type | Example |
|---|---|---|
| Password or PIN | Something you know | wp-admin password |
| Authenticator app / SMS code | Something you have | Google Authenticator TOTP |
| Fingerprint / Face ID | Something you are | Biometric device unlock |
WordPress 2FA implementations almost always use the first two: password plus a time-based one-time password (TOTP) generated by an app like Google Authenticator or Authy. The app and the site share a secret (that is what the QR code carries), and each derives the current six-digit code from that secret and the current 30-second time step, so the only code that ever crosses the network is the one you type in.
How to enable 2FA on WordPress
The Two Factor plugin on WordPress.org is the most widely used free option — 100,000+ active installs, rated 4.8/5 across 204 reviews, and last updated March 2026 (tested up to WordPress 6.9.4). It supports email codes, TOTP apps, and backup codes with no paid tier required.
Basic setup:
- Install and activate the Two Factor plugin.
- Go to Users → Profile.
- Scroll to the Two-Factor Options section.
- Enable TOTP, scan the QR code with your authenticator app, and verify with a generated code.
- Generate backup codes and store them offline (printed, or in a password manager); they are your recovery path if you lose the phone.
- Before logging out, open a private browser window and log in again to confirm the second factor is actually being requested.
On client sites, we enforce 2FA at the administrator and editor level by default. The setup takes under three minutes per user.
One gotcha most guides skip
Time-based codes are computed from the current time on both sides and change every 30 seconds, so the server’s clock must agree with your phone’s. Most validators tolerate a small drift by also accepting one or a few adjacent 30-second steps (the exact tolerance is implementation-specific), but a server clock that is minutes off, which is common on cheap shared hosting and after server migrations, will reject every code the app produces. If 2FA suddenly stops working after a migration, compare the server’s UTC time with a trusted reference before blaming the plugin: `date -u` in a shell, or `timedatectl` on a systemd-based VPS, will show whether NTP synchronisation is active. On shared hosting you usually cannot fix the clock yourself, so open a ticket with the host.
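The setup steps and the clock gotcha above both come down to one computation: the app and the server each run RFC 6238 TOTP over the shared secret and the current 30-second step. The following Python is an added example written for this page, not code from the Two Factor plugin or the page’s author; it implements HOTP/TOTP, checks itself against the RFC’s published test secret, and shows how a server clock that is seconds versus minutes off changes the outcome. The drift-tolerance `window` and the `drift_demo` helper are assumptions for illustration, not the plugin’s actual settings.

```python
# Added example, not code from this page or from the Two Factor plugin:
# RFC 4226 HOTP / RFC 6238 TOTP in plain Python, used to show how the
# 30-second time step turns a clock offset into rejected codes.
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per code; the default authenticator apps use
DIGITS = 6       # code length; also the default

# RFC 6238's own test secret: ASCII "12345678901234567890" encoded as base32
# (the form that appears in the QR code / manual-entry field).
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    raw = secret_b32.strip().upper()
    key = base64.b32decode(raw + "=" * (-len(raw) % 8))   # re-add any stripped padding
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / TIME_STEP).

    Both the phone and the server compute exactly this; they agree only
    while their clocks fall inside the same 30-second step.
    """
    return hotp(secret_b32, unix_time // TIME_STEP)


def seconds_until_rotation(unix_time: int) -> int:
    """How long the code shown at `unix_time` remains the current code."""
    return TIME_STEP - unix_time % TIME_STEP


def verify_totp(secret_b32: str, code: str, server_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or any step
    within +/- `window` steps.  `window` is a hypothetical tolerance chosen
    for this example; real validators pick their own (RFC 6238 says keep it
    small).  hmac.compare_digest avoids leaking how many digits matched.
    """
    if len(code) != DIGITS or not code.isdigit():
        return False
    step = server_time // TIME_STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, step + delta), code)
        for delta in range(-window, window + 1)
    )


def drift_demo(server_offset: int, window: int, phone_time: int = 1111111109) -> bool:
    """Hypothetical scenario: the phone shows the correct code at `phone_time`
    (an RFC test time) while the server's clock is `server_offset` seconds off.
    Returns whether the login would succeed with the given tolerance."""
    code_on_phone = totp(RFC_TEST_SECRET, phone_time)
    return verify_totp(RFC_TEST_SECRET, code_on_phone, phone_time + server_offset, window)


if __name__ == "__main__":
    # RFC 6238 SHA-1 vector at T=59 is 94287082; a 6-digit app shows 287082.
    print("T=59 ->", totp(RFC_TEST_SECRET, 59))
    for offset in (0, -40, -90, -900):
        print(f"server {offset:+5d}s  window 1: {drift_demo(offset, 1)!s:5}"
              f"  window 3: {drift_demo(offset, 3)}")
```

Run it directly to print the RFC vector and the drift table. The `window` loop is the one place where implementations differ: a window of one step absorbs roughly 30 seconds of drift either way, so a server that is 90 seconds behind fails with that setting but passes with a window of three, and a server 15 minutes behind fails regardless of any sane window. Fixing the server’s NTP synchronisation is therefore the right repair, not widening the window.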
Related terms
- Brute force attack — the login attack 2FA is specifically designed to stop
- WordPress login security — broader hardening beyond 2FA
- SSL certificate — encrypts credentials in transit; pairs with 2FA
- WordPress user roles — limit which roles require 2FA enforcement
- Security plugin — tools like Wordfence and MalCare include 2FA as a feature
Additional reading
- How to harden WordPress login security
- Best WordPress security plugins compared
- FTC guidance on two-factor authentication
Last verified: April 2026