How two-factor authentication works

Authentication is the process of proving you are who you claim to be. Traditionally, a password is the only proof required — something you know. Two-factor authentication requires a second factor from a different category: something you have (a phone, a hardware key, a TOTP code) or something you are (biometrics). Requiring two different categories of proof means that compromising one does not compromise the other.

The most common implementation for small business websites uses a time-based one-time password (TOTP) generated by an authenticator app. When you set up 2FA, the app scans a QR code that gives it a shared secret with the site. Every 30 seconds, both the app and the site independently generate the same six-digit code from that secret and the current time. When you log in, you enter your password and then the current code from the app. Because the codes change every 30 seconds and are generated locally on your device, an attacker who sees a code cannot reuse it.
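The derivation described above, written out as an added example (not code from this page or from any of the plugins discussed below). It also shows the check the site's side has to do: accept one step of clock drift, and record the last accepted time step so that a code someone else observes cannot be replayed before its 30-second window closes. The secret and timestamps are the RFC 6238 test vector, embedded inline.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # time step shared by the authenticator app and the site
DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then RFC 4226
    dynamic truncation to six decimal digits (leading zeros are kept)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Server-side check. Accepts the current step and one step either side to
    absorb clock drift, and never accepts the same (or an older) time step
    twice, so a code seen by someone else cannot be replayed inside its window.
    The secret is the base32 string the QR code carries."""

    def __init__(self, base32_secret: str, drift_steps: int = 1) -> None:
        self.secret = base64.b32decode(base32_secret.upper())
        self.drift_steps = drift_steps
        self.last_accepted_step = -1

    def verify(self, submitted: str, unix_time: Optional[int] = None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        current = now // STEP_SECONDS
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_accepted_step:
                continue                    # replay or stale step: reject
            expected = totp(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.last_accepted_step = step
                return True
        return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), base32-encoded
# the way an authenticator app receives it from the QR code.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```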

The practical security improvement is significant. Large-scale analyses of compromised accounts consistently show that 2FA stops the vast majority of credential-based account takeovers. Google's internal research found that adding an authenticator app to an account prevented 99.9% of automated attacks. For a WordPress site, the calculation is the same: most attacks on WordPress logins are automated, testing thousands of username/password combinations. 2FA makes those attacks irrelevant.

Types of 2FA and which to use

Several types of second factor are commonly available. They differ significantly in security and usability.

TOTP authenticator apps (Google Authenticator, Authy, Microsoft Authenticator, 1Password, and others) generate time-based codes locally on your device. This is the recommended approach for most WordPress sites — it is secure, works offline, and does not depend on a third-party service remaining operational. The codes cannot be intercepted in transit because they are never transmitted to the site.

SMS/text message codes are a common 2FA method but are significantly less secure than authenticator apps. SMS codes can be intercepted through SIM-swapping attacks (convincing a carrier to transfer your number to an attacker's SIM card), SS7 network vulnerabilities, or simply by having access to your unlocked phone. Canadian carriers have had SIM-swapping incidents. For a small business WordPress site, SMS 2FA is better than nothing, but TOTP apps are preferable.

Hardware security keys (YubiKey, Google Titan Key) provide the strongest protection available. A physical device that plugs into USB or taps against NFC generates a cryptographic response. Phishing is not possible because the key verifies the site's domain before responding. This is appropriate for high-value targets — a site managing financial transactions, sensitive personal data, or e-commerce. For most small business sites, a TOTP app is sufficient and more practical.

Email codes — where the site emails you a login code — are convenient but only as secure as your email account. If your email is compromised, an attacker receives the codes. They are not recommended as a second factor for WordPress.

Authenticator app choice. Google Authenticator is widely used but stores codes only on one device with no backup — losing your phone means losing access to all accounts unless you have backup codes saved. Authy and 1Password sync encrypted backups and support multiple devices, making them more practical for most users. For new setups, either Authy or 1Password's built-in authenticator is a better choice than standalone Google Authenticator.

2FA plugins for WordPress

WordPress does not include 2FA by default. You add it through a plugin. Several reliable options are available.

WP 2FA is a well-maintained, actively developed plugin with a free tier that covers most small business use cases. It supports TOTP authenticator apps, backup codes, and a setup wizard that walks users through the configuration. The paid version adds additional methods and policy enforcement.

Two Factor (by the WordPress core contributors' team) is a simpler plugin that supports TOTP, FIDO U2F (hardware keys), email codes, and backup codes. Its interface is less polished, but it has been maintained as part of the infrastructure for eventual core WordPress 2FA support.

Wordfence is primarily a security firewall and malware scanner, but its free version includes a solid 2FA implementation. If you are already using Wordfence for site security, its built-in 2FA is a reasonable choice rather than adding a separate plugin.

Avoid implementing 2FA through your hosting control panel as a substitute for WordPress-level 2FA — they protect different things. cPanel or Plesk 2FA protects access to your hosting account; WordPress 2FA protects your WordPress admin. You may want both, but one does not substitute for the other.

Setting up 2FA on your WordPress site

The general process, using WP 2FA as an example:

Install and activate the plugin from the WordPress plugin repository (Plugins → Add New → search "WP 2FA").

Run the setup wizard. WP 2FA's wizard walks through selecting which 2FA methods to enable, which user roles to require it for, and a grace period during which existing users can set up their 2FA before being locked out.

Configure your own account first. Before enforcing 2FA for others, set it up for the admin account you are using. Go to Users → Your Profile (or the profile link WP 2FA adds) and follow the setup for your account. You will be shown a QR code to scan with your authenticator app.

Scan the QR code in your authenticator app. Open the app, tap the + or Add Account option, and choose to scan a QR code. Point your camera at the code displayed in WordPress. The app will add the account and immediately start showing six-digit codes.

Verify the setup. Enter the current six-digit code from the app to confirm the connection is working before navigating away from the setup page.

Save your backup codes. This step is critical. Before completing setup, you will be shown a set of backup codes. These are single-use codes that allow access if you lose your phone. Save them in a password manager, print them and store them securely, or email them to yourself and save to a secure folder. Do not skip this step.

Managing 2FA across multiple users

If your site has multiple users with admin, editor, or author access, each one needs to have 2FA configured on their own account. The plugin can be set to require 2FA for specific roles — you can enforce it for administrators only, for all logged-in users, or selectively.

For sites with a small number of users, requiring 2FA for all accounts with any posting or admin access is the right approach. A compromised author account can be used to inject malicious content; a compromised editor account can modify existing content; a compromised admin account can install malware, create new admin accounts, or export user data.

Set a grace period — typically 3 to 7 days — during which existing users are prompted to set up 2FA but can still access the site without it. When the grace period expires, users who have not set up 2FA are locked out until they complete the process. Communicate the requirement and deadline to all users before enabling enforcement.

If a user loses their phone and cannot access their 2FA codes, an administrator can temporarily disable 2FA for their account in the plugin settings (Users → select the user → 2FA settings), allowing them to log in and set up a new authenticator. This is also why individual backup codes are important — a user with their backup codes saved can recover access without needing administrator intervention.

Backup codes and lockout recovery

Lockout scenarios — where an administrator loses access to their 2FA method — are worth planning for before they happen. The risk is real: a phone lost or replaced without backing up the authenticator, a new device without the app installed, or simply forgetting which app contains the WordPress codes.

Prevention: save backup codes for every account, kept somewhere accessible offline from your phone (a printed sheet in a safe, a second device, a password manager that syncs to a computer). Authy or 1Password as your authenticator app significantly reduces lockout risk by keeping encrypted synced backups.

Recovery if locked out: if you have server or hosting access (cPanel, SFTP), you can disable the 2FA plugin by renaming its folder in wp-content/plugins/ — WordPress will automatically deactivate a plugin with a renamed folder on next load. This gives you access to the admin to reset your 2FA. If you have hosting shell access, wp plugin deactivate wp-2fa via WP-CLI does the same thing.

Beyond 2FA: other login hardening steps

Two-factor authentication addresses credential theft. It works alongside other login hardening measures rather than replacing them.

Limit login attempts to slow brute-force attacks. Most security plugins (Wordfence, Solid Security, Limit Login Attempts Reloaded) can lock out an IP address after a configurable number of failed attempts. With 2FA in place this is less critical, but still useful for reducing noise in your logs.
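The lockout rule such a plugin applies, as an added example run over a few constructed access-log lines (not code from this page or from any plugin named above). It assumes the common heuristic that a failed POST to wp-login.php re-renders the form with status 200 while a successful login redirects with 302; the IPs, timestamps and threshold are made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache combined-format lines (not real traffic). Assumption: a
# failed POST to /wp-login.php re-renders the form (200); success redirects (302).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:09:15:03 +0000] "GET /wp-login.php HTTP/1.1" 200 4011 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:09:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:15:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:09:15:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:15:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:15:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2024:09:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def find_lockouts(log_text: str, threshold: int = 5, window_seconds: int = 300) -> dict:
    """Sliding-window limiter: map each IP that reaches `threshold` failed
    wp-login.php POSTs within `window_seconds` to the time it would be locked out."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    locked = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or path != "/wp-login.php" or status != 200:
            continue                  # only failed login POSTs count
        failures = recent[ip]
        failures.append(ts)
        while (ts - failures[0]).total_seconds() > window_seconds:
            failures.popleft()        # drop failures that fell out of the window
        if len(failures) >= threshold and ip not in locked:
            locked[ip] = ts.isoformat()
    return locked
```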

Change the default admin login URL if possible. WordPress's login is at /wp-login.php by default, which is universally known and heavily targeted by automated scanners. Moving it to a non-standard path reduces the volume of automated login attempts. Plugins like WPS Hide Login handle this with minimal risk.

Do not use "admin" as a username. If your administrator account is named "admin", an attacker already knows half of the credentials they need. Create a new administrator account with a non-obvious username and delete the default admin account.

Use strong, unique passwords on all WordPress accounts. With 2FA in place, the password is no longer the only protection, but a strong password adds time and friction to attacks. A password manager makes this easy to maintain across all accounts.

Together, these measures address the most common attack vectors for WordPress sites. Two-factor authentication is the most impactful single change, but the full set — 2FA, login attempt limits, non-standard login URL, non-admin username, strong unique passwords — creates multiple layers of defence against the automated credential attacks that target WordPress sites at scale every day.