How to Setup Two Factor Authentication on WordPress


Build your own WordPress Support Plan

Expert, yet affordable WordPress support & maintenance plans.
View our pricing

Configuring Two-Factor Authentication (2FA) adds an extra layer of security to your WordPress website by requiring users to provide a second form of verification in addition to their password. This significantly improves the overall security of your site, making it more difficult for unauthorised individuals to gain access.

Two-Factor Authentication (2FA) for your WordPress website is an excellent tool to protect your site from unauthorized access. 2FA adds a layer of security by requiring users to provide a second form of authentication, typically a one-time code, in addition to their regular username and password. In this tutorial, we will see the step-by-step guide to configure 2FA for your WordPress website properly.

WordPress 2FA is a security feature that adds an extra layer of security to your login page and your password. It will prevent hijacking your site, even if they have your password guessed and bot to break into your login page.

When you enable WordPress 2FA, you must still log in with your username and password. However, you will require additional information to confirm that it is you. Usually, this is:

  • An OTP sent to a device that only you would have access to
  • A time-based OTP sent via email
  • An additional password or PIN

Why Do I Need Two-Factor Authentication?

Two-factor authentication (or two-step authentication) helps prevent bad actors from gaining access to your sites and potentially hurting your business. It’s a second line of defence to help keep the bad guys out and ensures that even if your password is compromised, your account will remain secure as long as that second factor stays out of reach for an attacker.

The reason why you should use WordPress 2FA is that the password you use can be hacked in a million different ways. Installing 2FA on your site is not a substitute for a strong password. You should still create a really strong password to protect your site. Let us help you set up WordPress 2FA for your site now that you understand what it is and how it works.

How Does 2FA for WordPress Work?

On a typical (i.e. non-2FA) WordPress login page, the user enters a username and password and is automatically granted access to the website’s back end. This means anyone who figures out your username and password can easily gain access to all aspects of your website.

As mentioned above, 2FA can help prevent this from happening. So how does it work in WordPress? With 2FA set up (we’ll cover how to do this in a moment), when you enter your password and username on the login page, a notification will be sent to your phone or email address. This notification will contain a one-time pin or possibly a link or QR code.

To access the website, you must do as the text message or email instructs – such as clicking on the link or entering the PIN on your site.

This example from Google demonstrates how 2FA works on your website.

Popular WordPress 2FA Plugins

Here are some of the best plugins that can add an extra layer of security to your website.

  1. iThemes Security Pro
  2. Google Authenticator
  3. WP 2FA

Method to use 2FA in WordPress

1. Install and activate the 2FA plugin.

First, you need to install and activate the Two Factor plugin.


2. Plugin configuration

After activating the plugin, you must visit the Users » Profile page in the WordPress admin area and scroll down to the Two-Factor Options section.

2fa wp settings

From this screen, you need to choose a two-factor login option. The plugin lets you use email, the authenticator app, and FIDO U2F Security Keys methods.

We at wphelper recommend using the authenticator app method. You just need to download an authenticator app like Google Authenticator, Authy, or LastPass Authenticator and scan the QR code shown on the screen.

3. Scan the code in your phone

mobile auth apps

Once you have scanned the QR code, the app will show you a verification code that you need to enter into the plugin options and click on the Submit button.

The plugin will now set the secret key. You can reset this key anytime from the settings page to rescan the QR code.

wp-2fa auth

4. Ready to use 2FA in your WordPress site

Now each time you log in to your WordPress website, you will be asked to enter the authentication code generated by the app on your phone.



1. How do I login if I don’t have access to my phone?

If you are using an authenticator app with a cloud backup option like Authy, then you can install the app on your laptop as well. This gives you access to the authentication codes even when you don’t have your phone. It also allows you to quickly restore your secret keys when you buy a new phone.

2. How to log in without any codes?

If you don’t have access to your phone, laptop, or backup codes, you can only log in by disabling the plugin.

3. Do I still need to password-protect the WordPress admin folder?

Website security works best when you have multiple layers of security to protect your website, starting with the basics like using HTTPS and secure WordPress hosting. The 2-factor verification makes your WordPress login secure, but you can make it even more secure by password-protecting the WordPress admin area.


In conclusion, implementing two-factor authentication (2FA) on your WordPress website is highly recommended for improved security. By enabling 2FA, users are required to provide an additional verification code or a second factor, typically generated on their mobile device, in addition to their usual username and password. This helps protect against unauthorized access even if the login credentials are compromised.

The benefits of using 2FA in WordPress include:

  1. Enhanced Security: 2FA adds an extra barrier for attackers trying to gain unauthorized access to your website.
  2. Reduced Risk of Brute-Force Attacks: Even if someone attempts a brute-force attack on login credentials, they would still need the second factor to succeed.
  3. Protection Against Password Reuse: Many users tend to reuse passwords across different websites, making them vulnerable to credential-stuffing attacks. 2FA mitigates this risk.
  4. Compliance: In some cases, compliance requirements may mandate the use of 2FA for certain types of websites.
  5. User Confidence: Enabling 2FA demonstrates that you take security seriously, which can increase user trust and confidence in your website.

To implement 2FA on your WordPress site, you can use various plugins available in the WordPress Plugin Repository, or you can opt for a third-party authentication service that supports 2FA.

Always make sure to keep your WordPress core, plugins, and themes up to date, as well as maintain strong password policies, to enhance the overall security of your website further. Additionally, consider other security measures like using a reputable web hosting provider and regular backups.

Need help with WordPress? Take a look at our support & maintenance plans designed specifically to keep your site running while you focus on the things you do best.

Written By
Founder of WP Helper.
You will also like these articles

Relax Knowing Your WordPress Site Is Secure & Running Smoothly 24/7

Let us manage your WordPress site, everything from security to updates will be taken care of. Support plans also come with dedicated support so we can do anything from adding content to customising your site for you.

Same Day Professional WordPress Support

Get WordPress Support Today

Need help with a single WordPress problem, today? We can help with anything from adding analytics tracking code to site hack recovery. Full money back guarantee on all jobs.

1. Submit a Support Request

Use our support ticket form below to send details of your problem to our developers.

2. Get a Quote

We will review your request and provide a quote within 24 hours (but usually within a few hours).

3. We fix your WordPress problem

Our team will begin fixing your WordPress problem the same day.

4. 100% Money Back Guarantee

If we can’t fix the problem for the amount quoted we will refund you 100%.

  • Do you have a screenshot of the issue or have a copy of the theme or plugin that is at fault? If you want to upload php, html or css please zip first.
    Drop files here or
    Accepted file types: jpg, jpeg, png, pdf, zip, gzip, rar, doc, txt, Max. file size: 15 MB, Max. files: 10.