Secure WordPress login with this two factor authentication (TFA / 2FA) plugin. Users for whom it is enabled will require a one-time code in order to log in. From the authors of UpdraftPlus – WP’s #1 backup/restore plugin, with over two million active installs.
Are you completely new to TFA? If so, please see our FAQ.
Features (please see the “Screenshots” for more information):
- Supports standard TOTP + HOTP protocols (and so supports Google Authenticator, Authy, and many others).
- Displays graphical QR codes for easy scanning into apps on your phone/tablet
- TFA can be made available on a per-role basis (e.g. available for admins, but not for subscribers)
- TFA can be turned on or off by each user
- TFA can be required for specified user levels, after a defined time period (e.g. require all admins to have TFA, once their accounts are a week old) (Premium version)
- Supports front-end editing of settings, via [twofactor_user_settings] shortcode (i.e. users don’t need access to the WP dashboard). (The Premium version allows custom designing of any layout you wish).
- Site owners can allow “trusted devices” on which TFA codes are only asked for a chosen number of days (instead of every login); e.g. 30 days (Premium version)
- Works together with “Theme My Login” (both forms and widgets)
- Includes support for the WooCommerce and Affiliates-WP login forms
- Includes support for Elementor Pro login forms (Premium version)
- Includes support for any and every third-party login form (Premium version) without any further coding needed via appending your TFA code to the end of your password
- Does not mention or request second factor until the user has been identified as one with TFA enabled (i.e. nothing is shown to users who do not have it enabled)
- WP Multisite compatible (plugin should be network activated)
- Simplified user interface and code base for ease of use and performance
- Added a number of extra security checks to the original forked code
- Emergency codes for when you lose your phone/tablet (Premium version)
- When using the front-end shortcode (Premium version), require the user to enter the current TFA code correctly to be able to activate TFA
- Works together with “WP Members” (shortcode form)
- Administrators can access other users’ codes, and turn them on/off when needed (Premium version)
Why use TFA / 2FA ?
How Does TFA / 2FA Work?
This plugin uses the industry standard TFA / 2FA algorithm TOTP or HOTP for creating One Time Passwords. These are used by Google Authenticator, Authy, and many other OTP applications that you can deploy on your phone etc.
A TOTP code is valid for a certain time. Whatever program you use (i.e. Google Authenticator, etc.) will show a different code every so often.
This plugin began life in early 2015 as a friendly fork and enhancement of Oscar Hane’s “two factor auth” plugin.
This plugin requires PHP version 5.3 or higher and support for either php-openssl or PHP mcrypt. The vast majority of PHP setups will have one of these. If not, ask your hosting company.
- Search for ‘Two Factor Authentication’ in the ‘Plugins’ menu in WordPress.
- Click the ‘Install’ button. (Make sure you picks the right one)
- Activate the plugin through the ‘Plugins’ menu in WordPress
- Find site-wide settings in Settings -> Two Factor Authentication ; find your own user settings in the top-level menu entry “Two Factor Auth”.
If you want to add a section to the front-end of your site where users can configure their two-factor authentication settings, use this shortcode: [twofactor_user_settings]