Skip to content
Security
6 min readBy Kshitiz Saxena

How to Add Two-Factor Authentication to WordPress

Two-factor authentication stops most WordPress account takeovers cold. Here’s how to set it up in under 15 minutes.

Your WordPress password alone is not enough. Hackers run automated scripts that guess thousands of passwords per minute, and if yours is ever exposed in a data breach, your site is one login away from being compromised. Two-factor authentication (2FA) — a second verification step required after your password — blocks the vast majority of these attacks even when your password is known. This guide walks you through adding 2FA to WordPress using a free, well-maintained plugin, with no technical experience required.

Why 2FA Matters for WordPress Sites

WordPress powers a huge share of the web, which makes it a constant target. Brute-force attacks (automated login attempts using lists of stolen passwords) are among the most common threats site owners face. A strong password helps, but 2FA adds a second layer: even if an attacker has your password, they still need a one-time code from your phone or email to get in. That single change eliminates most unauthorised login attempts.

Choosing a 2FA Plugin

Several solid options exist. The table below compares the most commonly recommended free plugins so you can pick the right fit.

Plugin Authentication Methods Free Tier Best For
Two Factor (WordPress.org) App (TOTP), Email, Backup Codes Yes, fully free Most sites; official, lightweight
WP 2FA App (TOTP), Email, WhatsApp (paid) Yes, core features free Sites needing user-facing 2FA setup wizards
Wordfence Security App (TOTP), Email Yes, included in free plan Sites already using Wordfence firewall

Step-by-Step: Setting Up 2FA with the Two Factor Plugin

The Two Factor plugin is maintained by contributors to WordPress core itself, has no upsell pressure, and works cleanly on almost every setup. These steps use that plugin.

  1. Install the plugin. In your WordPress dashboard go to Plugins > Add New Plugin, search for Two Factor, find the plugin by Plugin Contributors (listed as "two-factor" on WordPress.org), and click Install Now, then Activate.
  2. Open your user profile. Go to Users > Profile (or hover over your name in the top-right corner and click Edit Profile).
  3. Scroll to the Two-Factor Options section. You will see a list of available methods: Time Based One-Time Password (TOTP, the most secure), Email, and Backup Verification Codes.
  4. Enable TOTP (recommended). Check the box next to Time Based One-Time Password and set it as your primary method using the radio button. A QR code will appear on screen.
  5. Scan the QR code with an authenticator app. Open Google Authenticator, Authy, or any TOTP-compatible app on your phone, tap the option to add an account, and scan the QR code.
  6. Enter the six-digit code to confirm. Your authenticator app will display a rotating six-digit code. Type it into the Authentication Code field on your profile page and click Submit to verify the connection.
  7. Generate and save backup codes. Check the box next to Backup Verification Codes and click Generate Codes. Save these codes somewhere safe (a password manager or printed copy). They let you log in if you lose your phone.
  8. Save your profile. Scroll to the bottom and click Update Profile. 2FA is now active for your account.

Enforcing 2FA for All Users

If your site has multiple users, editors, shop managers, contributors, you should require 2FA for everyone, especially anyone with an Administrator or Editor role. The free WP 2FA plugin handles this well: after installing it, the setup wizard lets you set 2FA as mandatory for specific roles and gives users a grace period to configure their own method before they are locked out.

  • Go to WP 2FA > Policies after installing the plugin.
  • Under Who should use 2FA, select All users or choose specific roles.
  • Set a grace period (e.g. 3 days) so existing users have time to configure their method.
  • Save the policy. Users will be prompted to set up 2FA on their next login.

What to Do If You Get Locked Out

Losing access to your authenticator app after enabling 2FA is stressful but fixable. Try these options in order.

  1. Use a backup code. If you saved your backup verification codes during setup, enter one on the login screen where the 2FA code is requested.
  2. Use the email method. If you enabled email as a secondary method, choose it at the login screen to receive a one-time code.
  3. Disable 2FA via FTP or file manager. As a last resort, you can deactivate the plugin by renaming its folder. Connect via FTP or your host's file manager, navigate to /wp-content/plugins/, and rename the folder two-factor to something like two-factor-disabled. This deactivates the plugin and restores normal login. Re-enable and reconfigure 2FA once you are back in.

Adding two-factor authentication to your WordPress site is one of the highest-impact security steps you can take, and it takes less than 15 minutes. Install a trusted plugin, connect your authenticator app, save your backup codes, and you have closed the door on the most common type of WordPress account takeover. If you have already been hacked or suspect your site is compromised, 2FA alone won't undo existing damage, our WordPress Malware Removal service can clean the site and help you lock it down properly.

Does adding 2FA slow down my WordPress site?

No. Two-factor authentication only adds a step to the login process. It has no effect on your site's front-end speed or performance for visitors.

Which authenticator app should I use?

Any TOTP-compatible (Time-based One-Time Password) app works. Google Authenticator and Authy are the most widely used. Authy has the advantage of encrypted cloud backups, which makes recovering your codes easier if you change phones.

Can I require 2FA for customers or members on my site?

Yes, but it depends on your setup. The WP 2FA plugin supports enforcing 2FA for specific user roles, including custom roles created by membership or WooCommerce plugins. Check the plugin's policy settings to target the right roles.

Is 2FA enough to keep my WordPress site secure?

2FA is one of the most effective single steps you can take, but it works best as part of a broader approach. Keeping WordPress core, themes, and plugins updated, using strong unique passwords, and choosing a secure host all matter. Our Website Maintenance & Care Plans handle these ongoing tasks for you.

What happens if a user loses their phone and can't log in?

An administrator can disable 2FA for that user by going to Users > All Users, clicking Edit on the affected account, scrolling to the Two-Factor Options section, and unchecking all active methods. The user can then log in normally and set up 2FA again with their new device.

Hand your WordPress site to people who'll keep it running

Move to fully managed hosting and we'll handle speed, security, backups, and updates for you, with free migration and no lock-in. A faster, safer site, and a real person a click away.

We reply to every enquiry within one business day.