Skip to main content
WordPress made easy with the drag & drop Total WordPress Theme!Learn More

How to Add Two-Factor Authentication for WordPress

Last updated on:
How to Add Two-Factor Authentication for WordPress

Did you know that you can add two-factor authentication to WordPress? If you’re not sure you would want to add two-factor authentication to you WordPress website consider this – how many accounts across the internet do you possess? All of them password protected? How many share the same password? If an unwanted visitor gains entry into one account, he may most likely gain entry into others. You will make it easier for him if you use easy to guess passwords or use public networks. Is it the name of your pet dog? Your birthday? Have you written down that password in a diary?

Everyday, bots attack thousands of WordPress websites and expose their visitors to malware. A website that is bot infested gets de-listed by search engines, hosting service providers may block access to the website. This means that the websites begin to lose traffic. All your hard work is reduced to nought.

What is Two-Factor Authentication?

Passwords can be broken, especially by brute force attacks. This is where it helps to add another layer of security, beyond a simple password. Two-factor authentication is one way of doing this. In fact, many popular websites (e.g., Facebook, Gmail, PayPal, etc) use two-factor authentication to minimize security breaches in case an attacker steals user credentials.

So what exactly is two step or two-factor authentication (2FA for short)? You could call having to enter a captcha as a two-factor authentication in it’s simplest form. Or you may be required to enter an additional PIN number. Some websites need you to identify a pattern before you can login. What two-factor authentication essentially means is that users will have to confirm their identity beyond passwords using some device that they have in their possession.

The technology does not replace the password; it adds an extra step that only you, the rightful admin, can access. In this process, you would login just as usual, but after that you need to enter a code that will be sent to your mobile or any other device. 2FA offers an additional layer of security, so that even if your password is overcome, the hacker cannot access your website without an additional piece of code. This code is sent to your registered phone number, email, app etc. It is commonly referred to as One Time Password or OTP and only upon entering this is access gained to the website.

Methods to receive the code used for Verification?

Before you begin to use the the Two-Factor Authentication on your system, it makes sense to understand how the second step works, so that you can pick the one best suited for you. The code that you input during the verification can be received by you in any one of the following ways,

  • Email Services: When you try to login, the code is sent to your email.
  • SMS: Sent to your mobile phone.
  • App Generated Codes: Apps like Google Authenticator will automatically generate a new code at very short time intervals. The code that is currently generated when you are logging in will have to be entered. The app may take a bit of setting up.
  • USB Tokens: You will simply have to insert a token into your USB port (and maybe enter a token password). Nothing further. This is a very safe method, as there is no way in which the authentication can be intercepted. But it has the disadvantage of not working with mobiles, as it needs to be inserted into a USB port.

The first two methods will need internet or cellular connectivity for receiving the code, while the last two are not dependent on connectivity.

All services will not offer all the options and you must choose what is best for you. Some services may offer more than one option, in which case you will have a fall back option. Often, when you are setting up the authentication, you will be provided with Recovery Codes, which you should note down and keep safely.

In today’s post, we share our picks of the best two-factor authentication WordPress plugins to bolster security on your login page. The 2FA WordPress plugins in the following section are all easy to configure. They ship with adequate installation instructions and documentation, so we don’t expect any problems. And please feel free to share your favorite 2FA WordPress plugins or your security concerns at the end. Without further ado, let’s get down to business.

1. Google Authenticator

google authenticator wordpress two factor authentication plugins

First on our list is Google Authenticator by miniOrange, a reputable WordPress plugin developer. The plugin offers you a complete solution to secure your WordPress login pages without paying a dime.

Google Authenticator is a remarkable two-factor WordPress plugin that is easy to set up and use. It ships with a beautiful set of features enough to keep the impersonating hacker at bay.

The plugin boasts of features such as a slick user interface, a variety of authentication methods, multi-language support, TOTP + HOTP support, brute force attack prevention, IP blocking, custom security questions, support for multiple WordPress form plugins, GDPR compatibility and a massive list of extra premium features.

The core plugin is free for one user, and you can always get support on the plugin’s support forum.

2. Two-Factor

two factor authentication wordpress plugins

Two-Factor WordPress plugin is a free and open-source project led by George Stephanis with the help of nine other plugin contributors. It is one of the simplest two-factor authentication WordPress plugins you will ever use.

Once you install the plugin, navigate to Users > Your Profile and scroll down to Two-Factor Options section. Under the section, you can enable and configure your two-factor authentication options.

The Two-Factor WordPress plugin supports four authentication methods. You can send codes to an email address, enable Time Based One-Time Password (TOTP), FIDO Universal 2nd Factor (U2F), and backup verification codes.

Besides, you get a dummy method that’s fantastic for testing purposes. On top of that, you can actively contribute to the project and follow the progress on Github. Other than that, the Two-Factor WordPress plugin supports 15 languages and has over 10K active installs at the time of writing.

The plugin works as advertised, and we would be thrilled to see a premium version soon.

3. WordPress 2-Step Verification

wordpress 2 step verification plugin

Look at that! We are halfway through the list already.

Have you found a two-factor WordPress authentication plugin you like yet?

If not, we are glad to point you towards the WordPress 2-Step Verification plugin by as247, a great PHP developer from Vietnam. Yes, that Vietnam.

But Vietnam aside, you don’t have to worry about hackers stealing your login credentials anymore with the WordPress 2-Step Verification plugin. It incorporates the best login page 2FA protection measures and ensures the attackers stay where they belong; outside your admin area.

The plugin is easy to set up and use, and we expect you to configure everything in less than 10 minutes. If you experience problems, as247 is ready to help you via the support forums.

Need a faster response? I am always eager to help out when and where I can 🙂

Plenty of Features

WordPress 2-Step Verification ships with a slew of amazing features, including multisite support, email codes, app-generated codes, SMS verification, and backup codes.

In case you lose your phone or verification code, you can use easy recovery via FTP, which is a lifesaver. Furthermore, you can deactivate 2-step verification on the devices you trust, such as your personal computer.

Are you wondering how the plugin supports app-generated codes? They offer an Authenticator App on Playstore. The app further helps you to provide passwords for apps that don’t support 2-step verification.

At the time of writing, the plugin doesn’t support the Gutenberg Editor, meaning you need to activate the Classic Editor. Plans are underway to add support for Gutenberg, but if you don’t mind using the Classic Editor, the WordPress 2-Step Verification plugin is a great option.

4. Rublon Two-Factor Authentication

wordpress two factor authetication plugins rublon

The fourth position goes to Rublon Two-Factor Authentication. The sole purpose of this brilliant WordPress plugin is to keep the bad guys out, which it does effectively. It’s a simple solution to enable two-factor authentication on your WordPress site.

The Rublon Two-Factor Authentication plugin is super-duper easy to install and use; you need no training or technical knowledge to hit the ground running. You only need to install the plugin and connect it to the Rublon API using a system token and security key.

After that, you’ll receive a verification link via email. Once you confirm your identity, you need to configure a few options, and you’re good to rock the party.

Rublon supports several two-factor authentication methods, including email, SMS, QR code, push notifications, and TOTP, among others. Additionally, you can whitelist trusted devices eliminating the need for two-factor authentication on subsequent logins.

The plugin comes with a friendly backend interface that makes adding two-factor authentication to your WordPress site a breeze. It supports five languages, and security experts and beginners alike are saying great things about the plugin.

5. GatewayAPI

gatewayapi wordpress plugin

Perhaps the other two-factor authentication plugins on our list don’t cut it for you in terms of ease of use. If you’re looking for a useful but super-duper easy plugin, say a big hello to GatewayAPI.

GatewayAPI is not your typical two-factor WordPress plugin. It’s a complete engine that helps you to send SMS’s right from your WordPress admin area. On top of that, the plugin comes with a free and easy to use two-factor authentication feature.

Notable GatewayAPI features include:

  • Capability to add custom data to SMS
  • Import recipient list from CSV file
  • Bulk sending feature
  • Recipient segmentation or grouping
  • Shortcodes
  • Easy to use
  • Reauthorize at each login or remember devices for 30 days
  • Ability to receive and read incoming messages via your phone number
  • And so much more

To get started, install the plugin and sign up for a free account. Don’t worry; if you’re stuck, the plugin ships with helpful text and a step-by-step guide full of screenshots. Between you and me, I doubt you will need to read the documentation to enable two-factor authentication.

6. 5sec Google Authenticator

5sec Google Authenticator for WordPress Two Step Login Protection

5sec Google Authenticator is a premium plugin available on Codecanyon for $19. Once you have installed this plugin, no one can log into your account even if they know the password. When a user logs in, a one time password is generated, which is received on the user’s mobile phone. Access to the website is gained only when the OTP is entered in the login page.

A fresh login will require a new OTP to be generated. The OTP is valid only for a certain period of time. This kind of login is very commonly used by banks for financial transactions and the validity for the OTP can vary from website to website.

This plugin will protect you from brute force attacks, as an IP based brute force protection is built in. And even if you mistakenly click on ‘Remember Password’ on a website, it will not matter, as no one can login without the OTP. In case you leave your computer without logging out, that too is taken care of. The plugin will automatically log you out, and the login box will open in a lightbox. You can resume where you left off after entering a new OTP.

What happens if you lose your phone? Well, in this case a unique site specific URL can be used to login with just the username and password. 5sec Google Authenticator is easy to setup and use.

7. Duo Two Factor Authentication

Duo Two-Factor Authentication

The Duo plugin will help you add two factor security to your WordPress quite easily. All users and admins will need to verify themselves with a device that they have – a hardware token, or a mobile phone. This will also help you to keep track of user activity on your website.

To make use of this plugin, you will have to install it, activate it and then sign up for their services. On sign up, you will have access to security keys. You can then go about specifying the user roles for which you want to enable two factor authentication.

Users can authenticate or verify themselves in multiple ways. They can use OTPs delivered by messaging services to cell phones or generated by a hardware token or generated by Duo’s mobile app. They can call back to any phone or they can use Duo’s mobile app for one tap authentication.

Honorable Mentions

  • Shield Security (formerly named WP Simple Firewall) – A powerful WordPress security plugin that comes with two-factor authentication.
  • Wordfence – A popular, all around security plugin that also features 2FA via any TOTP based app or service.
  • ManageWP – Two-factor authentication is a built in feature along with all of their other helpful tools to better manage your websites.
  • iThemes Security Pro – iThemes is another security plugin which offers 2FA via apps (Google Authenticator, Authy, FreeOTP and Toopher), email or backup codes to further secure your site.

There you have it; some of the best two-factor authentication plugins for WordPress. We hope you found your favorite 2FA plugin from our list, but if you’re having a hard time choosing, I recommend Google Authenticator by miniOrange.

That aside, remember that WordPress security is an integral part of running a successful website, so don’t take anything for granted. Two-factor authentication is an excellent way of keeping the bad guys out of your WordPress admin area.

Which is your favorite two-factor authentication plugin? Have questions, concerns, or suggestions? Please share with us in the comment section below.

Article by Freddy author
Subscribe to the Newsletter

Get our latest news, tutorials, guides, tips & deals delivered to your inbox.


  1. Cornelius Kölbel

    great article about different ways to secure the wordpress installation with 2FA. Usually these are either local solutions which work for one wordpress installation like 5sec or two factor auth or these are clients for hosted services like duo or clef.
    If you have several wordpress instances and you do not want to rely on a 3rd party auth server, you could run your own authentication system with the open source solution privacyIDEA ( and the wordpress plugin (
    You can manage hardware tokens, smartphone Apps, SMS, Email, Yubikeys, U2F… centrally and use these devices for authentication at all your blogs.
    Kind regards

    • Freddy Muriuki

      Thank you Cornelius for chipping in; you put across a great point.

  2. Deepanker

    This is something very interesting. With the increasing attacks on WordPress websites, this is a useful feature for most of the WordPress users. Thanks for this awesome post.

  3. Munna Hossain

    Impressive article. This is really an important article. We should think again about the security of our site. Because we are living under the threats of the hackers. Only strong password and unique username are not enough to protect us. So we need another stable security shield that are really strong to protect any hackers. Two step authentication is one of the best security layer. So you need to enable two step authentication on your WordPress site. Your tips must be helpful for us. Thanks for sharing.

  4. S T

    You know, I had such high hopes for miniOrange given the many positive reviews, but in practice it’s clear they cater to blog owners and write many of the reviews themselves. For the other guys, their free plugins have a LOT of bugs and when you report them they tell you to upgrade your license from the free tier. Other apps do work – for admin only. I sent them screenshots of their licensing saying that the free tier should work and they say no, I must have misread it, I have to upgrade.
    In the end their practices are predatory – the licensing agreements and descriptions aren’t accurate and their support is rude unless you’re paying them. If it’s payware, fine, at least be honest about it – no way am I going to implement their business tier software if this is how they treat people.

    • AJ Clarke Avatar AJ Clarke


      Thank you for sharing your experience with miniOrange. I can totally understand your concern with the lack of support the problem is that free plugins generally get thousands, hundreds of thousands or even millions of users which can be extremely costly to support for free. Even if it’s not support but just answering questions/emails can cost thousands of dollars a month. I don’t believe that anyone should be rude or deceitful, that’s for sure, but do place yourself in their position. Based on your comment, it sounds like there is a market for a good free two-factor authentication plugin with more options and better support, I would encourage you to spend your time and money developing one and helping out the community. We would be happy to review it once it’s done 😉

Leave a Reply

Your email address will not be published. Required fields are marked *

Learn how your comment data is processed by viewing our privacy policy here.