Want to add two-factor authentication to WordPress?
WordPress two-factor authentication can help you secure your WordPress site by protecting your own WordPress account, as well as the accounts of other users at your site.
When it comes to setting up two-factor auth on WordPress, the freemium WP 2FA plugin offers one of the most polished, flexible solutions. It works equally well for personal websites and for large organizations that need custom two-factor policies.
In our WP 2FA review, we’ll start by briefly discussing the plugin’s features. Then, we’ll share a step-by-step guide on how to set up two-factor auth on WordPress using the plugin.
Let’s dig in!
We won’t go too in-depth with looking at the features in this first section because you’ll see all of this in the more hands-on section of our WP 2FA review / tutorial.
You can also find all of the features on the WP 2FA website.
But, before we get started, here’s a quick look at the features that make WP 2FA one of the best WordPress two-factor authentication plugins:
The WP 2FA plugin comes from WP White Security, the same team behind the popular WP Activity Log plugin – you can learn more about that in our WP Activity Log review.
Now, let’s get into the step-by-step guide on how to set up WordPress two-factor auth using WP 2FA.
For this tutorial, we have the premium version of the plugin installed on our site. However, there’s also a free version of the plugin at WordPress.org and the basic steps will be the same for that version.
That is, you can follow along with this whether you’re using the free version or the paid version.
When you first install and activate the WP 2FA plugin, it will automatically launch a setup wizard to help you complete some important basic configuration steps.
For the first step, you’ll choose your preferred two-factor authentication method(s) from five different options.
You can choose as many or as few options as you want. If you provide multiple methods, users will be able to choose which method to authenticate with.
Some of them – such as sending SMS messages via Twilio – will require some additional setup. More on that later.
On the next step, you can enable alternative methods, such as letting users generate one-time backup codes that they can use if they lose their primary method.
Next, you can choose your 2FA policy – AKA which users should be required to use two-factor authentication. You have three options:
If you choose one of the first two options, the next step will give you an option to manually exclude certain users.
You won’t see this step if you choose not to enforce 2FA for any users.
Finally, the last step lets you configure your grace period. This lets you give new users a certain amount of time to set up two-factor authentication.
For example, you could give them three days before you start enforcing the rule.
Alternatively, you can select the Users have to configure 2FA straight away option to force users to set it up immediately.
And that’s it for the setup wizard!
Once you’ve completed the setup wizard, the next step is to configure two-factor authentication for your own account:
You’ll now see a popup that lets you choose from the available two-factor authentication methods that you chose in the setup wizard:
For example, if you choose the 2FA app option (e.g. Google Authenticator), you’ll be prompted to configure your 2FA app by scanning the QR code:
The plugin will automatically add your site’s domain name and your user account to the two-factor app (if applicable):
The plugin will then ask you to enter the authentication code to validate that you’ve properly configured your app:
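To show what is actually inside that QR code and what the validation step checks (the TOTP/HOTP protocols the FAQ mentions), here is an added stand-alone Python example; it is not the plugin’s own code, and the demo secret, the example.com issuer and the admin account name are constructed values.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed demo secret (NOT a real key). The plugin generates a random
# secret per user; the authenticator app receives it base32-encoded in the QR code.
DEMO_SECRET = base64.b32encode(b"wpkube-demo-secret-1").decode().rstrip("=")


def provisioning_uri(secret_b32, issuer, account):
    """Build the otpauth:// URI encoded in the provisioning QR code. The label
    carries the site (issuer) and the user account, which is why the app shows
    the site's domain name and your username next to the entry."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time=None, period=30):
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30 s window."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret_b32, int(unix_time) // period)


def verify_totp(secret_b32, submitted, unix_time=None, period=30, window=1):
    """Validate a submitted code against the current window plus `window`
    windows either side, so small clock drift between site and phone is tolerated.
    Constant-time comparison avoids leaking how many digits matched."""
    if unix_time is None:
        unix_time = time.time()
    counter = int(unix_time) // period
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), submitted)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    print(provisioning_uri(DEMO_SECRET, "example.com", "admin"))
    print("code now:", totp(DEMO_SECRET))
```

The test vectors from RFC 4226 / RFC 6238 (secret "12345678901234567890") reproduce exactly with these functions, which is a quick way to confirm a server-side implementation before trusting it with real logins.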
After that, the plugin will also prompt you to set up a backup method. For example, you could download some one-time use backup codes in case you can’t generate a code from the app:
You can send the codes via email, print them, or copy them to your clipboard:
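The property that makes backup codes a safe fallback is that each one works exactly once and the site never stores them in clear text. The following added Python example (not the plugin’s code; the 8-digit format and the in-memory record layout are assumptions) shows how such codes are issued, kept only as salted hashes, and burned on first use.

```python
import hashlib
import hmac
import os
import secrets


def _hash_code(code, salt):
    # Slow, salted hash: a leaked database should not reveal usable codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def generate_backup_codes(count=10, digits=8):
    """Return (plaintext codes to show the user once, records to store).
    The plaintext list is what gets printed, copied or emailed; only the
    hashed records stay on the server."""
    plaintext, stored = [], []
    for _ in range(count):
        code = "".join(str(secrets.randbelow(10)) for _ in range(digits))
        salt = os.urandom(16)
        stored.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
        plaintext.append(code)
    return plaintext, stored


def redeem_backup_code(stored, submitted):
    """Accept the code only if it matches an unused record, then mark it used.
    Every record is hashed and compared so timing does not reveal which slot
    (if any) matched; spaces and dashes typed by the user are ignored."""
    normalized = submitted.replace(" ", "").replace("-", "")
    matched = None
    for rec in stored:
        digest = _hash_code(normalized, rec["salt"])
        if hmac.compare_digest(digest, rec["hash"]) and not rec["used"]:
            matched = rec if matched is None else matched
    if matched is None:
        return False
    matched["used"] = True
    return True


if __name__ == "__main__":
    codes, records = generate_backup_codes(count=3)
    print("show once to the user:", codes)
    print("first use:", redeem_backup_code(records, codes[0]))
    print("second use of same code:", redeem_backup_code(records, codes[0]))
```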
And that’s it! Your WordPress admin account is now benefiting from two-factor authentication.
The setup process will be similar for other users at your site – I’ll show you an example a little later on.
While the WP 2FA setup wizard lets you set up basic policies for WordPress two-factor authentication, the plugin’s full settings area gives you even more control.
To access these settings, go to WP 2FA → 2FA Policies.
Here, you can configure sitewide policies. You can also set up completely different policies for different user roles, which you select using the drop-down.
Here are some of the new settings that you get that weren’t part of the setup wizard:
Again, you can set one sitewide default but then also adjust these settings for various user roles.
If you want to further configure the plugin, WP 2FA also offers a dedicated settings area. You don’t need to change anything here, but it does offer a few useful options:
For example, when customizing the emails, you get a text editor and a bunch of merge tags to let you insert dynamic information:
For white labeling, you can use the drop-down to customize all different areas of the plugin:
And that’s pretty much it for configuring the plugin!
I already showed you how to set up WordPress two-factor authentication for your own account, but what about other users?
How other users set up two-factor authentication will depend on two variables:
Here are some examples…
If you don’t offer any grace period, users will be automatically redirected to their profile page with the two-factor settings popup open (just like the interface that you used to configure it for your own account).
Users will not be able to access any part of the dashboard until they complete the setup.
If you enable the frontend two-factor settings page, you can add it anywhere on your site using the [wp-2fa-setup-form] shortcode.
Clicking that button will open the same setup prompt from before – the only difference is that everything is happening on the frontend of your site:
Again, you can white label all of this text to further integrate it with your site.
For example, here you can see that I’ve customized the text of the popup for WPKube:
Once users set up their two-factor method, they’ll see some additional options to change their settings or generate backup codes:
To help you see what’s happening on your site, the plugin also includes a reporting tool to quickly assess two-factor usage.
You can access it by going to WP 2FA → Reports.
WP 2FA comes in both a free version at WordPress.org as well as a premium version with more functionality.
In general, the free version should be fine if you just want to protect your own WordPress admin account. It already supports two-factor authentication via smartphone apps, email, and backup codes.
However, if you have other users on your site and you want to set up two-factor authentication policies for those users, I would recommend upgrading to the premium version.
Beyond giving you more control over two-factor policies and behavior, the premium version also adds additional methods like Authy push notifications and SMS messages via Twilio.
Here are some of the biggest features in the premium version:
There are two main variables that affect the price:
The Enterprise plan also offers priority support.
Here’s a pricing screenshot that illustrates the difference:
Again – the user limits only apply to user accounts that have enabled two-factor authentication. If you have 250 users but only 10 of them have two-factor authentication, that only counts as 10 users for billing purposes.
If you want to try the premium features, the plugin has two relevant policies here:
You can also save 20% on any license plan using our exclusive WP 2FA coupon code.
To recap what we’ve discussed in our WP 2FA review, let’s go over some of the pros and cons of using this plugin.
To finish out our WP 2FA review, let’s go over some common questions that you might have about the plugin.
WP 2FA does offer a free version at WordPress.org that should work fine for basic two-factor authentication.
WP 2FA works with any authenticator app that supports the TOTP/HOTP protocols, which includes Google Authenticator, Authy, LastPass Authenticator, Microsoft Authenticator, and so on.
WP 2FA lets users generate offline backup codes. Users can copy, print or email the codes.
WP 2FA lets users receive their one-time verification code using email. To ensure reliability, you should make sure to set up a WordPress SMTP sending service so that the emails make it to users’ inboxes.
The premium version of WP 2FA supports SMS / text message verification. To power this service, it uses an integration with Twilio.
WP 2FA does not support FIDO U2F at this time. If you want to use physical hardware keys as two-factor methods, you’ll need to choose a different two-factor plugin.
Overall, WP 2FA offers a very polished way to set up WordPress two-factor authentication and secure your WordPress website.
I think there are a few areas where the plugin excels:
It does not currently support FIDO U2F, so it’s not the best option if you want to use physical hardware keys like YubiKey. But, outside of that limitation, I think it’s an excellent way to set up WordPress two-factor authentication.
So – if you want to use two-factor methods like email, SMS, and/or authenticator apps, you should definitely give this one a look. Make sure to use our WP 2FA coupon code to save 20% on any license.
You can also pair WP 2FA with the WP Activity Log plugin from the same developer to protect your site even further. You can learn more in our WP Activity Log review and save with our WP Activity Log coupon.