Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
WPB Cup
25 Million+
Websites using our plugins
16+
Years of WordPress experience
3000+
WordPress tutorials
by experts

How to Add Two-Factor Authentication in WordPress (Free Method)

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

Big websites like Facebook and Google take security seriously, and they ask you to use two-factor authentication (2FA) to protect your account. That’s because 2FA adds an extra layer of security that in our experience makes it much tougher for hackers to get in.

Now, you can make your WordPress site just as secure. Adding two-factor authentication for your WordPress users is a smart move, whether you run a small blog or a busy online store.

This article will guide you through setting up 2FA on your WordPress site using a plugin and an authenticator app. It’s easier than you think and makes a big difference in keeping your site safe.

How to Add Two-Factor Authentication in WordPress (Free Method)

Why Add Two-Factor Authentication in WordPress?

One of the most common tricks hackers use is called brute force attacks. During one of these attacks, they use automated scripts that try to guess the right username and password so that they can log in to your WordPress website.

A successful brute force attack can give hackers access to your website’s admin area. They can install malware, steal user information, and delete everything on your site.

One of the easiest ways to protect your WordPress website against stolen passwords is to add two-factor authentication (2FA). With this setting, you will need to both enter your password and a secondary code (from an app, email, or text message) to log in to your website.

This way, even if someone stole your password, then they would still need to enter a security code from your phone to gain access.

What Is an Authenticator App?

There are multiple ways to set up 2-step login in WordPress. However, the most secure and easier method is by using an authenticator app.

An authenticator app is a smartphone app that generates a temporary one-time password for the accounts that you save in it.

Basically, the app and your server use a secret key to encrypt information and generate one-time codes that you can use as the second layer of protection.

There are many apps available for free:

  • The most popular app is Google Authenticator, but it’s not the best choice. That’s because if you lose your phone, there is no way to recover your accounts unless you create a backup copy in advance.
  • We recommend using Authy since it is an easy-to-use and free app that also allows you to save your accounts on the cloud in an encrypted format. This way, if you lose your phone, then you can simply enter your master password to restore all your accounts.
  • Other password managers like LastPass and 1Password all come with their own version of an authenticator. They are better than Google Authenticator since they allow you to restore keys.

For the sake of this tutorial, we will be using Authy. You can follow our tutorial using a different app if you want since they all work the same way.

With that being said, let’s take a look at how to add 2FA in WordPress. Simply click the links below to jump to the method you prefer:

Now, let’s take a look at how to easily add two-factor verification to your WordPress login screen for free.

Method 1: Adding Two-Factor Authentication Using WP 2FA

This method is easy and recommended for all users. It is flexible and allows you to enforce two-factor authentication for all users.

First, you need to install and activate the WP 2FA – Two-factor Authentication plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.

Upon activation, the WPA 2FA setup wizard will launch automatically. Otherwise, you can visit the Users » Your Profile page and scroll down to the ‘WP 2FA Settings’ section.

Clicking the ‘Configure Two-factor authentication (2FA)’ button will launch the setup wizard.

The WP 2FA Setup Wizard

Simply click the ‘Let’s Get Started!’ button to start configuring the plugin.

The WP 2FA Setup Wizard

On the next page, you will be asked to choose an authentication method.

There are two options:

  • One-time code generated with your 2FA app of choice (recommended)
  • One-time code sent to you via email
Choose 2FA method

We recommend that you choose the authentication via the 2FA app (TOTP) method, as it is more secure and reliable.

Once you have made your choice, you can click on the ‘Continue Setup’ button to go to the next page of the setup wizard.

You will be asked which alternative 2FA methods you’d like your users to use if the primary 2FA method fails, such as if they lose their phone.

On the free plan, only the backup code method will be available. If you would like more alternative 2FA methods, then you will need to upgrade to WP 2FA Premium.

WP 2FA Alternative 2FA Methods

Simply click the ‘Continue Setup’ button to move to the next page.

On this page, you can make two-factor login compulsory for some or all users. We recommend this, especially if you run a multi-user WordPress website, like a membership site.

If you’d like to enforce 2FA for all users on your website, then simply select the ‘All users’ option and click ‘Continue Setup’.

Enforce 2FA for All Users

Now all of your users will be required to use 2FA.

However, maybe there are some users on your website that you don’t want to force to use 2FA. The next page allows you to type the usernames or user roles of those team members.

Exclude Users or Roles from Having to Use 2FA

Once you have done that, clicking the ‘Continue Setup’ button will bring you to a page where you can decide how soon your users need to start using 2FA.

You can require them to start right away, or you can give them a grace period of, say, 3 days, so they have time to set things up. Just click on the option you want to use on your website.

If you want to give a grace period, then you can choose how many hours or days that will be. The default setting of 3 days will work well for most websites.

Set a Grace Period So Your Users Can Configure 2FA

There are also options for what to do after the grace period ends if some users have not set up 2FA. You can either let them in but not let them access the dashboard or block them from being able to log in at all. For most websites, the first option will be best.

Once you have made your choice, you can click ‘All Done’ to exit the setup wizard. Congratulations, you have set up two-factor authentication on your site!

You will see the Setup Finish screen with a congratulations message. You will also see a button that will allow you to set up 2FA for your own user account. You should click the ‘Configure 2FA Now’ button.

Configure 2FA on Your Own User Account

Configuring Two-Factor Authentication for Your Own User Account

A new setup wizard will start to help you set up two-factor authentication for your own user account. Other users on your website will be prompted to do the same.

The first thing you will need to decide is which 2FA method you wish to use. You should see the option for a one-time code via an authenticator app. You may also see other options depending on the choices you made during the setup wizard.

Simply choose the ‘One-time code via 2FA app’ option and then click the ‘Next Step’ button.

Choose the 2FA Method

The plugin will now show you a QR code and a text code.

You will need to scan the QR code using an authenticator app. Alternatively, you can type the text code into the app manually.

Use Your Authenticator App to Scan the QR Code

Now you will have to pick up your mobile device and open your preferred authenticator app. The screenshots below are using Authy, but other apps work in a similar way.

First, click on the ‘+’ or ‘Add account’ button in your authenticator app.

Click the + Button to Add an Account

The app will then ask permission to access the camera on your phone.

You need to allow this permission and then tap the ‘Scan QR Code’ button so that you can scan the QR code shown on the plugin’s settings page on your computer.

Click the Scan QR Code Button

Once the app recognizes the QR code, it will automatically start to save the account.

After that, you can edit the default logo and nickname for the account. When you are ready, you should tap the ‘Save’ button.

Save Your New 2FA Account

The authenticator app will now save your website account.

Next, it will start showing a one-time password. You will need to enter this in the plugin settings on your computer.

Find Your 2FA Token

Now you need to switch back to your computer.

In the plugin’s setup wizard, click on the ‘I’m Ready’ button to continue.

After Scanning the QR Code, Click the 'I'm Ready' Button

The plugin will now ask you to verify your one-time password.

Simply type the code from your mobile app into the ‘Authentication Code’ field before it expires.

After that, you should click on the ‘Validate & Save’ button to finalize the setup.

Type the One-Time Token and Validate

Next, you will be given the option to generate and save a list of backup codes. These codes can be used in case you don’t have access to your phone.

You should click the ‘Generate List of Backup Codes’ button.

Click 'Generate List of Backup Codes'

The backup codes will be generated and displayed.

You can download these backup codes to a secure location on your computer, print them, and put them somewhere safe, or send them to yourself via email. Make sure you keep them somewhere you can get to if you don’t have your phone.

List of Backup Codes

After that, you can click the ‘I’m Ready, Close the Wizard’ button to exit the setup wizard.

Using Two-Factor Authentication When Logging In

Next time your users log in, they will see a notification that they need to set up two-factor authentication, along with the deadline date at the end of the grace period.

They can click on a button to configure 2FA now or choose to be reminded on their next login.

Notification About Needing to Set Up 2FA

When they click the ‘Configure 2FA now’ button, they will be taken through the same steps as when you set up 2FA for your own user account in the previous section.

When they sign in after setting up two-factor authentication, they will see the WordPress login screen as normal. However, when they enter their username and password, a second screen will be displayed, asking for the code from their authenticator app.

Users Must Enter an Authentication Code Before Logging In

They will need to enter the code from the app on their phone before they can be logged in. Alternatively, they can enter a backup code if they don’t have their phone with them.

This makes your website more secure. If a hacker learns the username and password of one of your users, they will not be able to log in unless they also have access to their phone.

Tip: If your WordPress website uses a custom login form page, then you can also create a custom page where users can manage their two-factor authenticator settings without accessing the WordPress admin area.

Method 2: Adding Two-Factor Authentication Using Two-Factor

This method is less flexible as it does not allow you to enforce two-factor logins for all users. Each user will have to set it up on their own and can disable it from their profile. However, it is a quick and easy method if you just want to set up 2FA for your own account.

First, you need to install and activate the Two-Factor plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.

Upon activation, you need to visit the Users » Profile page and scroll down to the ‘Two-Factor Options’ section.

Two Factor options

From here, you need to choose a two-factor login option. The plugin allows you to use email, an authenticator app, and the FIDO U2F Security Keys methods.

We recommend using the authenticator app method. Simply scan the QR code on the screen using an authenticator app like Google Authenticator, Authy, or LastPass Authenticator.

Click the Scan QR Code Button

Once you have scanned the QR code, the app will show you a verification code that you need to enter into the plugin options and click on the ‘Submit’ button.

The plugin will now set the secret key. You can reset this key at any time from the settings page to rescan the QR code.

Secret keys configured

Don’t forget to click on the ‘Update Profile’ button at the bottom of the page to save your settings.

Now each time you log in to your WordPress website, you will be asked to enter the authentication code generated by the app on your phone.

Add two factor authentication code to continue

FAQs About Two-Factor Authentication (2FA) in WordPress

Here are some answers to some of the most commonly asked questions about using two-step login in WordPress.

1. How do I log in with 2FA if I don’t have access to my phone?

If you are using an authenticator app with a cloud backup option like Authy, then you can install the app on your laptop as well.

This gives you access to the authentication codes even when you don’t have your phone with you. It also allows you to easily restore your secret keys when you buy a new phone.

Many authenticator apps also allow you to generate backup codes. These codes can be used as one-time passcodes when you don’t have access to your phone.

2. How to log in without any codes from my authenticator app?

If you don’t have access to your phone, laptop, or backup codes, then you can only log in by disabling the 2FA plugin.

You can see our guide on how to deactivate all WordPress plugins when you are unable to access the admin area.

Once you deactivate all plugins, you will also disable the two-factor authentication plugin, and you will be able to log in to your WordPress website. Once logged in, you can reactivate the plugins and reset the two-factor authentication setup.

3. Do I need to password-protect the WordPress admin folder?

Website security works best when you have multiple layers of security to protect your website, starting with the basics like using HTTPS and secure WordPress hosting.

Two-factor verification makes your WordPress login secure, but you can make it even more secure by password-protecting the WordPress admin directory. This means that users won’t be able to access your login page unless they first enter a username and password.

Expert Guides on Protecting WordPress Login

Now that you know how to add 2-factor verification to WordPress, you may like to see some other articles related to making WordPress login more secure.

We hope this article helped you add 2-factor verification for WordPress login. You may also want to see our guide on how to get a free SSL certificate for your WordPress site or our expert pick of the best WordPress security plugins.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

26 CommentsLeave a Reply

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Dayo Olobayo says

    I completely agree with the importance of two-factor authentication, but I also think we should consider the user experience implications. Some 2FA methods can be cumbersome and lead to friction so it’s essential to strike a balance between security and usability.

  3. Mrteesurez says

    Helpful article in securing website with 2FA, I don’t know how important 2FA is before and with this guide, I will be adding it to my site. But my question is, if I enforce 2FA to all my users, how often will they be asked to use it when logging in, is it just the first time or what ?

      • Jiří Vaněk says

        I wanted to follow up on the question. With many services, I am used to having the option of “remembering the device” for 2FA. This means that 2FA is entered only once, and then there is an option to remember my device, so I don’t have to enter 2FA repeatedly on the same machine. Is it possible to set this up, or is 2FA always enforced? My concern is also about user convenience on a website that will have a registration form.

        • WPBeginner Support says

          The plugin does not have that capability at the moment, you would want to reach out to the plugin’s author for requesting that capability.

  4. Felix says

    Cloud Syncing feature is now available at Google Authenticator. So, you won’t lose your accounts even if the phone is lost. For me, personally, I use Google Authenticator because it’s more convenient for me as a Google user.

    • Dayo Olobayo says

      That’s a great point! Cloud syncing in Google Authenticator is a lifesaver. No more worrying about losing access to accounts if your phone gets lost. Plus, using it with your Google account makes things even easier.

  5. Moinuddin Waheed says

    two factor authentication is a must have things for the security of the websites.
    I have used it after learning a horrible lesson from a shared hosting account. my website was corrupted and malfunctioned and I had no clue what to do.
    when I made fresh installation the first thing I did to enable two factor authentication.
    this might at times seem an additional thing to do while logging in but it saves from a large headache that may cause if account is compromised.
    I want to know how the hackers or brute force attackers target a website?
    do they have database of websites stolen from hosting providers or just they do it randomly?

    • WPBeginner Support says

      There are different ways that sites are targeted but in the long run it is random.

      Admin

  6. Jiří Vaněk says

    I use two-factor authentication for administration integrated into the Wordfence plugin, which also serves for overall website protection. Additionally, I would recommend changing the URL address from wp-admin to something custom for added security.

    • WPBeginner Support says

      While that can be done we would warn against it. If you change the wp-admin url it can cause conflicts with some plugins and can make any site troubleshooting more difficult.

      Admin

      • Jiří Vaněk says

        Okay, thank you for the advice. I’ve changed the URL on many websites, and so far, I’ve never had any issues with it. It might also be because I use a very similar, trusted series of plugins on many of these sites that I’m familiar with. Nevertheless, thanks for the warning.

  7. J P Welch says

    I’d like to use 2FA on one link to several pages of data, but not the entire site. Is that possible?

    • WPBeginner Support says

      While possible, we don’t have a recommended plugin to achieve that at the moment, we will be sure to keep an eye out!

      Admin

  8. Skye says

    What if you migrate your website to a different domain- will your 2FA be linked to the old domain? Would you have to deactivate it before migrating your website to the new host and domain?

  9. Bikash Rai says

    How to remove two factor authentication that I get every time I login. I want to simply get rid of this thing.
    Thanks in advance!

    • WPBeginner Support says

      It would depend on which method you used to set it up, if you used the plugin then you would remove the plugin to remove the two factor authentication. Should you be unable to remove it, if you reach out to your hosting provider they should be able to assist.

      Admin

  10. MuZa says

    Hey please update this post. This plugin is too old and not tested on three major updates of WordPress.

    • WPBeginner Support says

      Thank you for letting us know about the plugin not being updated we’ll be sure to take a look at it. The Two Factor SMS plugin is the only one not updated, the first plugin has been updated :)

      Admin

  11. Lisa Smith says

    Found this to be really helpful related to Two Factor, but FYI – the Two Factor SMS plugin hasn’t been updated in several WP versions.

    • WPBeginner Support says

      Thank you for letting us know, we’ll be sure to take a look into this for other plugin options :)

      Admin

  12. Anna Walton says

    I’ve followed your exact instructions just now to set up 2FA with Twilio. I logged out after finishing the set-up as per the article, and now I can’t get back into my site! I get the code from Twilio, but it says there’s an error! Unfortunately, I’d not yet set up the 2FA with the authenticator app, as I followed the steps in the article, which was to log out first to see it working. Can you advise please? I’ve checked your article https://www.wpbeginner.com/wp-tutorials/locked-out-of-wordpress-admin/, but this doesn’t seem to cover getting locked out due to 2FA error. I use your site loads, and think your guidance is great! Please help on this one!!

    • WPBeginner Support says

      Hi Anna,

      You can manually delete the plugin using FTP. Connect to your website and go to /wp-content/plugins/ folder and then delete two-factor and two-factor-sms folders. You can always reinstall the plugins after login.

      Admin

  13. Patrick Bartkus says

    FreeOTP is an Open Source alternative to Google Authenticator. It is not controlled by Google and is maintained by Red Hat under the Apache 2.0 license. It is available for iOS and Android. It also works on Google sites.

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.