How to Set Up Two-Factor Authentication on WordPress

Two-factor authentication stops credential stuffing attacks on WordPress. How to set up WP 2FA, enforce it for all admins, and handle edge cases.

Dobromir Dechev, WordPress agency owner

Quick answer

Set up WordPress two-factor authentication using the WP 2FA plugin — enforce TOTP codes via Google Authenticator or Authy for all admin and editor roles to stop credential stuffing attacks.

Credential stuffing attacks use previously leaked username and password combinations to attempt logins at scale. If any of your users reuse passwords across services (most people do), their WordPress account is at risk regardless of how strong their WordPress password is.

Two-factor authentication (2FA) closes this attack vector. Even if an attacker has the correct password, they cannot log in without the second factor - typically a time-based one-time code from an authenticator app.

This guide covers setting up 2FA on WordPress correctly, enforcing it for specific roles, and handling the edge cases that trip up most implementations.


Choose a 2FA plugin

Several plugins handle WordPress 2FA. The most reliable options:

WP 2FA (by Melapress): The most complete free option. Supports TOTP authenticator apps, email codes, and backup codes. Has a setup wizard for onboarding existing users. Works with WooCommerce user accounts. Free version covers most needs; Pro adds backup codes management, role-specific policies, and white-labelling.

Two Factor (by WordPress core contributors): The official two-factor plugin, maintained by WordPress core contributors. More minimal than WP 2FA but technically solid. Supports TOTP, email, FIDO U2F (hardware keys), and backup codes.

Wordfence Login Security: Part of Wordfence's security suite. Handles 2FA alongside login rate limiting and IP-based controls. Good if you are already using Wordfence.

For most sites, WP 2FA or Two Factor are the right choices.


Setting up WP 2FA

Installation and initial configuration

  1. Install and activate WP 2FA from the WordPress plugin repository
  2. Go to Users > Two-Factor Authentication
  3. Run the setup wizard

The wizard asks:

  • Which 2FA methods to enable (TOTP is the most secure; email codes are the easiest for non-technical users)
  • Which user roles must use 2FA
  • Grace period: how long users have to set up 2FA before being blocked

For agency sites: enforce 2FA for administrators and editors immediately. Subscribers and customers may not need it (depending on what data they can access).

Configuring enforcement

In WP 2FA > Settings > Policies:

  • Enforce 2FA for: Administrators, Editors
  • Grace period: 3 days (users without 2FA configured are blocked after this)
  • Allow users to choose method: Yes
  • Required methods: TOTP and email (give users a choice)

After the grace period, users who have not set up 2FA are redirected to the 2FA setup page when they try to access the admin. They cannot proceed until 2FA is configured.

Forcing 2FA on first login (no grace period)

For maximum security on admin accounts:

// In functions.php (or a mu-plugin) - redirect admins without 2FA to the setup page immediately
add_action( 'admin_init', function() {
    if ( ! is_user_logged_in() ) return;
    if ( ! current_user_can( 'manage_options' ) ) return;
    // admin_init also fires for admin-ajax.php; redirecting those requests breaks the editor and dashboard
    if ( wp_doing_ajax() ) return;

    // Check WP 2FA setup status (meta key names vary by plugin version - verify against the installed version)
    $user_id = get_current_user_id();
    $has_2fa = get_user_meta( $user_id, 'wp_2fa_totp_key', true )
               || get_user_meta( $user_id, 'wp_2fa_email_key', true );

    if ( ! $has_2fa ) {
        // WP 2FA setup URL (varies by plugin version)
        $setup_url = admin_url( 'admin.php?page=wp-2fa-setup' );
        // Skip the redirect when the user is already on the setup page, otherwise this loops forever
        $request_uri = wp_unslash( $_SERVER['REQUEST_URI'] ?? '' );
        if ( strpos( $request_uri, 'wp-2fa-setup' ) === false ) {
            wp_safe_redirect( $setup_url );
            exit;
        }
    }
});

Setting up TOTP authentication

TOTP (Time-based One-Time Password) is the most secure and widely supported 2FA method. It generates a 6-digit code that changes every 30 seconds.
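To make the "6-digit code that changes every 30 seconds" concrete, here is a minimal RFC 6238 TOTP implementation as an added example. It is not code from the article or from the WP 2FA plugin. It assumes the parameters every app listed below uses by default (HMAC-SHA1, 6 digits, 30-second step) and a verification window of one step either side for clock drift; the function names are this example's own.

```php
<?php
// Added example, not code from the article or from WP 2FA: a minimal RFC 6238
// TOTP implementation showing what the authenticator app and the server both
// compute. Assumed parameters: HMAC-SHA1, 6 digits, 30-second step, and a
// verification window of one step either side to absorb phone clock drift.

// The secret the user scans from the QR code is base32-encoded; decode it to raw bytes.
function base32_decode_secret( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $ch ) {
        $idx = strpos( $alphabet, $ch );
        if ( $idx === false ) {
            throw new InvalidArgumentException( "Invalid base32 character: $ch" );
        }
        $bits .= str_pad( decbin( $idx ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( strlen( $byte ) === 8 ) {          // drop trailing padding bits
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

// Generates a fresh secret for a new user, base32-encoded as the otpauth:// URI in the QR code expects.
function new_base32_secret( int $bytes = 20 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( random_bytes( $bytes ) ) as $b ) {
        $bits .= str_pad( decbin( ord( $b ) ), 8, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 5 ) as $chunk ) {
        $out .= $alphabet[ bindec( str_pad( $chunk, 5, '0' ) ) ];
    }
    return $out;
}

// RFC 4226 HOTP: HMAC over an 8-byte big-endian counter, then dynamic truncation.
function hotp( string $secret, int $counter, int $digits = 6 ): string {
    $hash   = hash_hmac( 'sha1', pack( 'J', $counter ), $secret, true );
    $offset = ord( $hash[19] ) & 0x0F;          // low nibble of the last byte selects the offset
    $code   = ( ( ord( $hash[ $offset ] ) & 0x7F ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch.
function totp( string $secret, int $unix_time, int $step = 30, int $digits = 6 ): string {
    return hotp( $secret, intdiv( $unix_time, $step ), $digits );
}

// Server-side check. Accepting the neighbouring steps tolerates a phone clock
// that is a few seconds off; hash_equals keeps the comparison constant-time.
function totp_verify( string $secret, string $submitted, int $unix_time, int $window = 1 ): bool {
    $counter = intdiv( $unix_time, 30 );
    for ( $i = -$window; $i <= $window; $i++ ) {
        if ( hash_equals( hotp( $secret, $counter + $i ), $submitted ) ) {
            return true;
        }
    }
    return false;
}

// Self-check against the RFC 6238 Appendix B vector: the ASCII seed
// "12345678901234567890" at T = 59 s yields 94287082 with 8 digits, so the
// 6-digit code is 287082. The base32 form of that seed is the string below.
function rfc6238_self_check(): bool {
    $seed = '12345678901234567890';
    return base32_decode_secret( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' ) === $seed
        && totp( $seed, 59 ) === '287082'
        && totp_verify( $seed, '287082', 59 + 30 )      // one step late: still accepted
        && ! totp_verify( $seed, '287082', 59 + 90 );   // three steps late: rejected
}
```

Two details matter when you judge a plugin's TOTP implementation: the window should stay small (one step either side is the usual choice, since every extra step widens what a guessed code can hit), and the comparison must be constant-time, as hash_equals is here. Note that the code is derived from the shared secret alone, which is why a leaked secret is as bad as a leaked password.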

Authenticator apps

Recommend one of these to clients:

  • Authy: Free, multi-device, cloud backup. Best for non-technical users who might lose their phone.
  • Google Authenticator: Free, simple, no cloud backup. More private but loses all codes if phone is lost.
  • 1Password / Bitwarden: If clients already use a password manager, these support TOTP codes built in. Convenient but slightly weakens 2FA security (the second factor and the password are in the same place).
  • Microsoft Authenticator: Good for clients in Microsoft 365 environments.

The setup flow for users

  1. User navigates to their Profile or is prompted during login
  2. WP 2FA displays a QR code
  3. User opens their authenticator app and scans the QR code
  4. App adds a "WordPress - [site name]" entry
  5. User enters the 6-digit code to verify setup
  6. WP 2FA shows backup codes - user saves these securely

Backup codes

Backup codes are single-use codes that allow login when the authenticator app is unavailable (phone lost, broken, or stolen). Every user who sets up 2FA should save their backup codes.

Store backup codes:

  • In a password manager
  • Printed and stored securely offline
  • NOT in the same email inbox or cloud drive that could be compromised alongside the password

WP 2FA Pro lets administrators regenerate backup codes for users who have lost theirs. With the free version, users regenerate their own codes from the profile page.
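The two properties stated above, single-use and safe to keep offline, follow from how codes are stored and consumed. The following is an added example of one way to implement that, not WP 2FA's own code; the meta key name and the function names are this example's assumptions.

```php
<?php
// Added example, not from the article or from WP 2FA: issuing and consuming
// single-use backup codes. Codes are persisted only as password hashes, so a
// database dump does not yield usable codes, and a code is deleted the moment
// it is accepted. The user-meta key below is a hypothetical name.

const BACKUP_CODE_META = '_example_2fa_backup_codes'; // hypothetical key, not the plugin's

// 40 bits from the CSPRNG per code, shown as two groups of 5 hex characters.
function generate_backup_codes( int $count = 10 ): array {
    $codes = [];
    for ( $i = 0; $i < $count; $i++ ) {
        $raw     = bin2hex( random_bytes( 5 ) );
        $codes[] = substr( $raw, 0, 5 ) . '-' . substr( $raw, 5 );
    }
    return $codes;
}

// Accept the code however the user typed it (case, dashes, spaces).
function normalise_code( string $code ): string {
    return strtolower( preg_replace( '/[^0-9a-f]/i', '', $code ) );
}

// Returns the plaintext codes for one-time display; only hashes are stored.
function issue_backup_codes( int $user_id ): array {
    $codes  = generate_backup_codes();
    $hashes = array_map(
        fn( string $c ): string => password_hash( normalise_code( $c ), PASSWORD_DEFAULT ),
        $codes
    );
    update_user_meta( $user_id, BACKUP_CODE_META, $hashes );
    return $codes;
}

// Verifies a submitted code and burns it; returns true at most once per code.
function consume_backup_code( int $user_id, string $submitted ): bool {
    $hashes = get_user_meta( $user_id, BACKUP_CODE_META, true );
    if ( ! is_array( $hashes ) ) {
        return false;
    }
    $candidate = normalise_code( $submitted );
    foreach ( $hashes as $i => $hash ) {
        if ( password_verify( $candidate, $hash ) ) {
            unset( $hashes[ $i ] );
            update_user_meta( $user_id, BACKUP_CODE_META, array_values( $hashes ) );
            return true;
        }
    }
    return false;
}
```

Because each check runs a bcrypt verification per stored hash, a submission costs a few hundred milliseconds at most with ten codes, which is acceptable for a rarely used recovery path. The login-attempt limiting mentioned later in the article still applies to this form: 40-bit codes are strong against online guessing only when the number of attempts is capped.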


Email 2FA as an alternative

For clients or editors who are not comfortable with authenticator apps, email-based 2FA is a lower-friction alternative. After entering their password, a code is emailed to their registered address.

Security note: Email 2FA is less secure than TOTP because it relies on email account security. If the email account is compromised, 2FA is bypassed. For admin accounts handling sensitive data, require TOTP rather than allowing email as an alternative.

Configure email 2FA in WP 2FA:

  • Enable "Email code" as an allowed method
  • Set code expiry (15 minutes is reasonable)
  • Ensure WordPress is configured with a reliable SMTP plugin (WP Mail SMTP, FluentSMTP) - delivery issues with the 2FA code will lock users out

Handling WooCommerce customer accounts

Customer accounts on a WooCommerce store present a different consideration. Customers expect a simple login experience. Requiring 2FA for customer accounts adds friction that can increase checkout abandonment.

Recommended approach:

  • Require: 2FA for administrators and editors
  • Offer optionally: 2FA for customers (let them enable it in My Account settings)
  • Do not require: 2FA for customers unless they have access to sensitive operations

WP 2FA allows per-role enforcement. Configure it to enforce for admin/editor roles and make it optional for subscriber/customer roles.


Application passwords for REST API and WP-CLI

WordPress 5.6+ has Application Passwords built in. These are separate credentials used for REST API access and WP-CLI without triggering the 2FA flow (which would not work for non-interactive tools).

Create application passwords per-user:

  • User Profile > Application Passwords > Application Name: "WP-CLI on server" > Add New
  • Use the generated password for WP-CLI: wp option get siteurl --user=admin --password="xxxx-xxxx-xxxx-xxxx-xxxx-xxxx"

This means WP-CLI and API integrations keep working after 2FA is enforced.
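What an Application Password actually is on the wire, and how to keep the set of accounts that can hold one small, as an added example that is neither the article's code nor WordPress core's. The site URL, login and password value are placeholders; the filter name and the /wp/v2/users/me route are WordPress core's, and the client function is this example's own, written in plain PHP so it can run from a deployment script outside WordPress.

```php
<?php
// Added example, not from the article or WordPress core: (1) a plain-PHP client
// that authenticates to the REST API with an Application Password, and (2) a
// mu-plugin filter limiting which accounts may create one. Site URL, login and
// password below are placeholders; the filter name is WordPress core's.

// --- (1) Client side: the application password travels as HTTP Basic auth ---
function wp_rest_get_with_app_password( string $site, string $login, string $app_password, string $route ): array {
    $ch = curl_init( rtrim( $site, '/' ) . '/wp-json' . $route );
    curl_setopt_array( $ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        // WordPress ignores the spaces it displays in the password, so strip them here too.
        CURLOPT_USERPWD        => $login . ':' . str_replace( ' ', '', $app_password ),
        CURLOPT_TIMEOUT        => 15,
    ] );
    $body   = curl_exec( $ch );
    $status = (int) curl_getinfo( $ch, CURLINFO_RESPONSE_CODE );
    $error  = curl_error( $ch );
    curl_close( $ch );

    if ( $body === false ) {
        return [ 'ok' => false, 'status' => 0, 'error' => $error ];
    }
    // A 401 usually means the site is served over plain HTTP, where WordPress
    // refuses application passwords, or the password has been revoked.
    return [
        'ok'     => $status === 200,
        'status' => $status,
        'body'   => json_decode( $body, true ),
    ];
}

// Placeholder values: replace with the real site, service-account login and its application password.
// $result = wp_rest_get_with_app_password( 'https://example.com', 'deploy-bot', 'xxxx xxxx xxxx xxxx xxxx xxxx', '/wp/v2/users/me' );

// --- (2) Server side (mu-plugin): only administrators may create application passwords ---
// An application password sidesteps the interactive 2FA flow by design, so keep
// the set of accounts that can hold one as small as the integrations require.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'wp_is_application_passwords_available_for_user', function ( $available, $user ) {
        return $available && user_can( $user, 'manage_options' );
    }, 10, 2 );
}
```

Treat each application password as a credential in its own right: one per integration with a descriptive name, revoked from the user's profile when the integration is retired. Since these credentials are valid only for REST and XML-RPC requests, they never grant an interactive wp-admin session.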


What 2FA does not protect against

2FA is effective against:

  • Credential stuffing (stolen passwords from other sites)
  • Brute-force password attacks
  • Phishing (if the phishing site does not also relay the 2FA code in real-time)

2FA does not protect against:

  • Real-time phishing with 2FA relay (the attacker sits between the user and the site, forwarding codes instantly)
  • Malware on the user's device that intercepts the code
  • Social engineering to obtain backup codes
  • Session hijacking after login (if the auth cookie is stolen)

Combine 2FA with other security controls: IP allowlisting for admin access, strong passwords via a password manager, and session timeout settings.
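Two of the complementary controls just listed, an admin IP allowlist and shorter admin sessions, as an added example in the form of a mu-plugin. This is not the article's code; the CIDR ranges are TEST-NET placeholders for an agency's own office or VPN ranges, the function names are this example's own, and it assumes REMOTE_ADDR is the real client address (behind a reverse proxy or CDN it is not, and the allowlist must be enforced at that layer instead).

```php
<?php
// Added example, not from the article: an admin IP allowlist and a shorter
// auth-cookie lifetime for administrators, as a mu-plugin. Assumptions: the
// site is not behind a reverse proxy (REMOTE_ADDR is the real client address)
// and ADMIN_ALLOWED_CIDRS holds placeholder ranges to replace with your own.

const ADMIN_ALLOWED_CIDRS = [ '203.0.113.0/24', '198.51.100.7/32' ]; // TEST-NET placeholders

// IPv4 CIDR match; a bare address is treated as /32.
function ip_in_cidr( string $ip, string $cidr ): bool {
    [ $net, $bits ] = explode( '/', $cidr ) + [ 1 => '32' ];
    $ip_long  = ip2long( $ip );
    $net_long = ip2long( $net );
    if ( $ip_long === false || $net_long === false ) {
        return false; // IPv6 or malformed input: not matched, so not allowed
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ( ( ~0 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $net_long & $mask );
}

function admin_ip_allowed( string $remote_addr ): bool {
    foreach ( ADMIN_ALLOWED_CIDRS as $cidr ) {
        if ( ip_in_cidr( $remote_addr, $cidr ) ) {
            return true;
        }
    }
    return false;
}

// Refuse wp-admin for addresses outside the allowlist. admin-ajax.php is
// exempted so front-end features that post to it keep working for visitors.
function enforce_admin_ip_allowlist(): void {
    if ( wp_doing_ajax() ) {
        return;
    }
    if ( ! admin_ip_allowed( $_SERVER['REMOTE_ADDR'] ?? '' ) ) {
        wp_die( 'Access restricted.', 'Forbidden', [ 'response' => 403 ] );
    }
}

// Shorten the auth cookie for administrators so a stolen cookie is useful for
// hours rather than WordPress's default 2 days (14 days with "Remember Me").
function shorten_admin_cookie_lifetime( int $length, int $user_id, bool $remember ): int {
    if ( user_can( $user_id, 'manage_options' ) ) {
        return $remember ? 12 * HOUR_IN_SECONDS : 2 * HOUR_IN_SECONDS;
    }
    return $length;
}

if ( function_exists( 'add_action' ) ) {
    add_action( 'admin_init', 'enforce_admin_ip_allowlist' );
    add_filter( 'auth_cookie_expiration', 'shorten_admin_cookie_lifetime', 10, 3 );
}
```

Two caveats when deploying this. The PHP check runs only once WordPress has handled the request, so the login page itself is better fenced at the web server (an nginx `allow`/`deny` block or equivalent), and the same allowlist should be kept in both places. And confirm `wp_doing_ajax()` covers every front-end path your theme uses before turning it on, or the allowlist will surface as broken forms for customers rather than as a blocked admin.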


Frequently Asked Questions

What is the best WordPress two-factor authentication plugin?
WP 2FA is the most agency-friendly option — it supports TOTP (authenticator apps), email codes, and backup codes, with role-based enforcement and a grace period for user setup. It's free for core functionality and well-maintained.
Can I force all WordPress users to use 2FA?
Yes. WP 2FA lets you enforce 2FA by user role — for example, requiring it for Administrator and Editor roles while making it optional for Subscribers. You can set a grace period (e.g., 7 days) for existing users to configure their second factor before being locked out.
What authenticator apps work with WordPress 2FA?
Any TOTP-compatible authenticator app works: Google Authenticator, Authy, Microsoft Authenticator, and 1Password all support the TOTP standard. Authy is recommended for clients as it supports cloud backup of tokens, preventing lockouts if they lose their phone.
What happens if a WordPress admin loses access to their 2FA device?
WP 2FA generates backup codes during setup — these are single-use codes for emergency access. Store them securely. If backup codes are lost, recovery requires direct database access (via phpMyAdmin or WP-CLI) to disable the 2FA requirement for that user account.
Does 2FA protect against all WordPress login attacks?
2FA stops credential stuffing and brute-force password attacks, which are the most common login threats. It does not protect against vulnerabilities in plugins or themes, SQL injection, or session hijacking. It should be combined with a strong password policy, login attempt limiting, and keeping WordPress updated.
