Skip to main content
WordPress made easy with the drag & drop Total WordPress Theme!Learn More

How to Add Two-Factor Authentication for WordPress

Last updated on:
WordPress 2-Step Authentication Plugins

Did you know that you can add two-factor authentication to WordPress? If you’re not sure you would want to add two-factor authentication to you WordPress website consider this – how many accounts across the internet do you possess? All of them password protected? How many share the same password? If an unwanted visitor gains entry into one account, he may most likely gain entry into others. You will make it easier for him if you use easy to guess passwords or use public networks. Is it the name of your pet dog? Your birthday? Have you written down that password in a diary?

Everyday, bots attack thousands of WordPress websites and expose their visitors to malware. A website that is bot infested gets de-listed by search engines, hosting service providers may block access to the website. This means that the websites begin to lose traffic. All your hard work is reduced to nought.

What is Two-Factor Authentication?

Passwords can be broken, especially by brute force attacks. This is where it helps to add another layer of security, beyond a simple password. Two-factor authentication is one way of doing this. What is two step or two-factor authentication? You could call having to enter a captcha as a two-factor authentication in it’s simplest form. Or you may be required to enter an additional PIN number. Some websites need you to identify a pattern before you can login. What two-factor authentication essentially means is that users will have to confirm their identity beyond passwords using some device that they have in their possession.

In this process, you would login just as usual, but after that you need to enter a code that will be sent to your mobile or any other device. Two-factor authentication offers an additional layer of security, so that even if your password is overcome, the hacker cannot access your website without an additional piece of code. This code is sent to your registered smartphone number. It is commonly referred to as One Time Password or OTP and only upon entering this is access gained to the website.

Methods to receive the code used for Verification?

Before you begin to use the the Two-Factor Authentication on your system, it makes sense to understand how the second step works, so that you can pick the one best suited for you. The code that you input during the verification can be received by you in any one of the following ways,

  • Email Services: When you try to login, the code is sent to your email.
  • SMS: Sent to your mobile phone.
  • App Generated Codes: Apps like Google Authenticator and Authy will automatically generate a new code at very short time intervals. The code that is currently generated when you are logging in will have to be entered. The app may take a bit of setting up.
  • USB Tokens: You will simply have to insert a token into your USB port (and maybe enter a token password). Nothing further. This is a very safe method, as there is no way in which the authentication can be intercepted. But it has the disadvantage of not working with mobiles, as it needs to be inserted into a USB port.

The first two methods will need internet or cellular connectivity for receiving the code, while the last two are not dependent on connectivity.

All services will not offer all the options and you must choose what is best for you. Some services may offer more than one option, in which case you will have a fall back option. Often, when you are setting up the authentication, you will be provided with Recovery Codes, which you should note down and keep safely.

Two-factor authentication has been around for quite some time. Think credit cards. But it is now being applied more and more to website access. It prevents account takeover and data theft. And provides strong authentication and enhanced security.

Some plugins (installed in your WordPress) and App (downloaded to your smartphone) combos that help with two step or two-factor authentication are detailed here.


No Password and no one time codes, but yet secure sign in – that’s what is possible with Clef. To use this free plugin, you will have to download it from the WordPress repository and activate it. You will also have to download the Clef app into your mobile phone. Select the option to login with your phone. You just have to sync your mobile using the camera with the Clef wave on the login screen and you will be logged in. You will automatically enjoy one click sign ins to the subsequent sites as well. Sign out can be with a timer or a single click sign out.

Clef two-factor authentication

Clef uses RSA Public key cryptography. We can understand it this way – the website holds a user’s Public key and the user holds a Private key. The Private key is stored on the user’s phone. When a user logs into the website, a new signature is generated by the Private key that is verified by the Public key. The Public key cannot generate any signature. Near foolproof security without any password.

Additionally Clef disables all three password authentication points in WordPress – at the Dashboard, at the login and at the API level. So password phishing and account hijacking through breaches in email are avoided.

You do have to do a small amount of set up with Clef. You have to connect your mobile app to your WordPress website, but from there on things go smoothly.


Rublon is an easy to install and activate plugin that needs no configuration. Nor does it need any additional code. No one time passwords. For your first login after installation of the plugin, you will have to log into your WordPress by entering your username and password as usual. But before being allowed entry into the website, you will have to click on a link that the plugin sends to your email account. Your next login from the same device will need only your password. No OTPs for each login from the same device.

For additional security, you can optionally install the mobile app. You will then have to scan the mobile code generated by the plugin to confirm your identity. Once identity is confirmed, the user can access his account. All communication between your server and Rublon is encrypted.

Rublon two-factor authentication

The plugin is compatible with all major browsers. It has received favorable reviews from many WordPress experts. If you detest passwords, there’s some good news for you. Login without any passwords is coming soon from Rublon. Remote logout feature is also to be added soon.

Rublon is free for personal use on one website. To add Rublon to your business WordPress website, you will have to opt for paid plans. With these plans, you get to group users and assign different levels of security to each group. You can also prevent others from changing your password, as any change in password will need confirmation via your email account. Multiple users can access the website using the same account and their own devices.

5sec Google Authenticator

5sec Google Authenticator is a premium plugin available on Codecanyon for $18. Once you have installed this plugin, no one can log into your account even if they know the password. When a user logs in, a one time password is generated, which is received on the user’s mobile phone. Access to the website is gained only when the OTP is entered in the login page.

A fresh login will require a new OTP to be generated. The OTP is valid only for a certain period of time. This kind of login is very commonly used by banks for financial transactions and the validity for the OTP can vary from website to website.

5sec Google Authenticator for WordPress Two Step Login Protection

This plugin will protect you from brute force attacks, as an IP based brute force protection is built in. And even if you mistakenly click on ‘Remember Password’ on a website, it will not matter, as no one can login without the OTP. In case you leave your computer without logging out, that too is taken care of. The plugin will automatically log you out, and the login box will open in a lightbox. You can resume where you left off after entering a new OTP.

What happens if you lose your phone? Well, in this case a unique site specific URL can be used to login with just the username and password. 5sec Google Authenticator is easy to setup and use.

Duo Two Factor Authentication

The Duo plugin will help you add two factor security to your WordPress quite easily. All users and admins will need to verify themselves with a device that they have – a hardware token, or a mobile phone. This will also help you to keep track of user activity on your website.

Duo two-factor authentication

To make use of this plugin, you will have to install it, activate it and then sign up for their services. On sign up, you will have access to security keys. You can then go about specifying the user roles for which you want to enable two factor authentication.

Users can authenticate or verify themselves in multiple ways. They can use OTPs delivered by messaging services to cell phones or generated by a hardware token or generated by Duo’s mobile app. They can call back to any phone or they can use Duo’s mobile app for one tap authentication.


Authy is a simple plugin that makes it easy to install a two-factor authentication to your WordPress. You will have to sign up to obtain API keys.

Authy two-factor authentication

After that, you simply have to download, install and activate the plugin and type in the API keys that you have obtained. Pick the user roles for which the authentication must apply. When these users login, a code will be sent to their cell phones. Once they feed in this code, they will be able to access your WordPress.

WP Google Authenticator for WordPress

WP Google Authenticator for WordPress uses the Google Authenticator App that you can download for free from here. This App can help you generate codes using Android, iPhone or Blackberry.

WP Google Authenticator Settings

Once you have setup the App on your phone, you need to download the plugin to your WordPress, install and activate it. A secret key will be generated and you will be able to add your website to your App by simply scanning a QR code. You can select users whom you want to use this mode of login and leave out other users.

The plugin allows for discrepancies in clocks within a certain time band. A new secret key can be generated at any time and any user’s key can be revoked at anytime. Used OTPs are disabled and stored in database to avoid misuse in case of interception. Just in case you cannot use the App, a recovery code will be made available.

WP Google Authenticator sure packs in a lot for a free plugin and it has an impress 4.8 star rating on WordPress directory. This plugin is fully compatible with Authy, and so, you can use Authy as well to generate OTP.

Two Factor Auth

If you want to up your security without going into too much of setup, you should try Two Factor Auth. It works with third party apps like Google Authenticator that generate 6 digit OTPs. The default method of receiving OTP is by email, but users can change the setting so that they can receive it on their mobiles as well.

Two Factor Auth Plugin

Industry standard algorithms TOTP or HOTP is used for generating passwords. TOTP is time based, while HOTP is event based. TOTP is to be preferred as the code will have validity for a very short time. But this will require that the servers are time synchronized.

Two Factor Authentication by miniOrange

Two Factor Authentication from miniOrange  works in much the same way as the other options mentioned here. But is has a few additional features that make it more attractive.

It works with Google Authenticator, miniOrange App as well as Authy 2 factor Authentication App. The miniOrange Authenticator App encrypts all the data. It has inbuilt PIN protection. If you happen to lose your phone, alternate login methods like OTP over email and Security Questions are available. If the phone is offline, an OTP generated by the app can be used to login.

miniOrange 2 Factor Auth Setup

The miniOrange app supports 15 authentication methods, including soft tokens, QR Code authentication and Push Notifications. To access the website from your mobile browser, you can switch to security Question based login method by just clicking an option. It works with all types of phones including landlines and smartphones.

Frontend login for WooCommerce theme is supported. The premium version of the plugin comes packed with even more features.

All Round Security Options

If you are evaluating the security of your website, you may want to look beyond two factor authentication and something more comprehensive. There are security options which offer all round security for your WordPress and at the same time include two-factor authentication as one of their features. iThemes Security Pro and Wordfence are two such plugins.

ManageWP includes two-factor authentication as a builtin feature and you can manage everything from the dashboard. WP Simple Firewall is a complete security plugin that offers 2 step authentication by email.

Besides installing plugins, admins may consider putting a password manager in place. Strong passwords changed regularly can really cut down on unauthorized access. Implementing SSL for your WordPress is also advisable.

Two-Factor Authentication greatly minimizes the threat of unauthorized access to your WordPress and is easy to install and implement. You really should try it out to keep your website safe.

Article by Vishnu author
Subscribe to the Newsletter

Get our latest news, tutorials, guides, tips & deals delivered to your inbox.


  1. Cornelius Kölbel

    great article about different ways to secure the wordpress installation with 2FA. Usually these are either local solutions which work for one wordpress installation like 5sec or two factor auth or these are clients for hosted services like duo or clef.
    If you have several wordpress instances and you do not want to rely on a 3rd party auth server, you could run your own authentication system with the open source solution privacyIDEA ( and the wordpress plugin (
    You can manage hardware tokens, smartphone Apps, SMS, Email, Yubikeys, U2F… centrally and use these devices for authentication at all your blogs.
    Kind regards

  2. Deepanker

    This is something very interesting. With the increasing attacks on WordPress websites, this is a useful feature for most of the WordPress users. Thanks for this awesome post.

  3. Munna Hossain

    Impressive article. This is really an important article. We should think again about the security of our site. Because we are living under the threats of the hackers. Only strong password and unique username are not enough to protect us. So we need another stable security shield that are really strong to protect any hackers. Two step authentication is one of the best security layer. So you need to enable two step authentication on your WordPress site. Your tips must be helpful for us. Thanks for sharing.

  4. S T

    You know, I had such high hopes for miniOrange given the many positive reviews, but in practice it’s clear they cater to blog owners and write many of the reviews themselves. For the other guys, their free plugins have a LOT of bugs and when you report them they tell you to upgrade your license from the free tier. Other apps do work – for admin only. I sent them screenshots of their licensing saying that the free tier should work and they say no, I must have misread it, I have to upgrade.
    In the end their practices are predatory – the licensing agreements and descriptions aren’t accurate and their support is rude unless you’re paying them. If it’s payware, fine, at least be honest about it – no way am I going to implement their business tier software if this is how they treat people.

    • AJ Clarke Avatar AJ Clarke


      Thank you for sharing your experience with miniOrange. I can totally understand your concern with the lack of support the problem is that free plugins generally get thousands, hundreds of thousands or even millions of users which can be extremely costly to support for free. Even if it’s not support but just answering questions/emails can cost thousands of dollars a month. I don’t believe that anyone should be rude or deceitful, that’s for sure, but do place yourself in their position. Based on your comment, it sounds like there is a market for a good free two-factor authentication plugin with more options and better support, I would encourage you to spend your time and money developing one and helping out the community. We would be happy to review it once it’s done 😉

Leave a Reply

Your email address will not be published. Required fields are marked *

Learn how your comment data is processed by viewing our privacy policy here.