WordPress 2FA Setup: Which Plugin, How to Install It

Two-factor authentication is the single biggest security upgrade you can make to a WordPress admin account. It defeats brute-force attacks, leaked credentials, and most session-hijacking attempts in one move — and the setup takes about ten minutes. This walkthrough covers the plugin choice in 2026, the install, the bit nobody talks about (backup codes), and how to roll it out to other admins without locking anyone out. If your /wp-login.php is publicly reachable, this is the upgrade that matters most.

Why 2FA actually matters (and what it doesn't fix)

WordPress logins are attacked constantly. The pattern is industrial: a botnet of compromised devices runs username-and-password guesses against `/wp-login.php` and `/xmlrpc.php` across millions of sites. They're not after you specifically; they're trying every site with a reachable login page until something works. With a single-factor login, the only thing standing between an attacker and your admin dashboard is whether they happen to guess your password.

Two-factor authentication adds a second proof — usually a six-digit code from an authenticator app on your phone — that the attacker can't get from a credentials list or a brute-force guess. Even if your password leaks in a breach somewhere else (a service you reused it on, say), the leaked password alone is no longer enough.

What 2FA doesn't fix: malware already on your site, vulnerable plugins, or a hijacked session cookie from a logged-in admin's compromised laptop. If your site is currently compromised, 2FA on the cleaned site is part of the prevention story but it isn't the cleanup. If you're not sure whether you're hacked yet, the diagnostic walkthrough covers the warning signs first; the cleanup walkthrough covers what to do if you are.

What 2FA absolutely does fix: the entire category of credential-based attacks. Brute force, password spraying, credential stuffing from a leaked database — all defeated by the second factor. That's a meaningful chunk of WordPress hacks, and adding it is a one-time setup task. The trade-off is small: ten minutes now, plus the friction of opening an authenticator app every time you log in (less than ten seconds).

Pick the right type of 2FA

Four types are commonly available. They are not equivalent — pick deliberately.

TOTP (time-based one-time passwords) is the standard. You install an authenticator app on your phone (Aegis on Android, Raivo or 1Password on iOS, Bitwarden cross-platform) and scan a QR code from WordPress. The app generates a fresh six-digit code every 30 seconds. This is what every serious 2FA plugin defaults to, and it's what you should use. It works offline, doesn't depend on your phone number, and isn't vulnerable to SIM-swap attacks.

SMS codes look the same to the user but are weaker. Anyone who can hijack your phone number — via SIM swap, port-out fraud, or a telecom social-engineering attack — also gets your codes. The US, UK and Netherlands have all seen meaningful SIM-swap incidents in the past five years. Avoid SMS as a primary factor. It's acceptable as a backup channel, never as the only one.

Hardware keys (YubiKey, Titan, the WebAuthn standard) are the strongest option. The key is a physical USB or NFC device that signs a challenge from the site. Phishing-resistant by design. The downside is cost (€25–€50 per key), and you really need two — one in your pocket and one in a drawer at home — because losing your only key locks you out. For high-value sites or anyone who got hacked once already, this is worth it.

Email codes are the weakest 2FA. If your email account itself isn't 2FA-protected — and most aren't — the second factor isn't really separate from the first. Use email only as an emergency-recovery channel, not as the primary 2FA method.

Recommendation: TOTP via authenticator app for the primary factor, backup codes for emergency access (covered in the backup-codes section below), and a hardware key as an optional second device if you want belt-and-braces. Skip SMS unless your plugin literally offers no other option (in which case pick a different plugin).
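To make concrete why a TOTP code needs no network and what the server has to tolerate, here is an added example (not code from this guide or from any of the plugins named) implementing the RFC 6238 algorithm an authenticator app runs; the `example_` function names are mine and the key is the RFC's own test vector.

```php
<?php
// Added example (not the guide's or any plugin's code): RFC 6238 TOTP,
// the algorithm behind the six-digit codes in the authenticator app.

// otpauth:// QR codes carry the shared secret as base32; decode it to raw bytes.
function example_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $ch ) {
        $bits .= str_pad( decbin( strpos( $alphabet, $ch ) ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( strlen( $byte ) === 8 ) {
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

// Code = HMAC-SHA1(secret, floor(time / 30)) truncated to 6 digits. No network:
// phone and server each compute it from the same secret and their own clock.
function example_totp( $secret_bytes, $unix_time, $step = 30, $digits = 6 ) {
    $msg  = pack( 'J', intdiv( $unix_time, $step ) );          // 64-bit big-endian counter
    $hmac = hash_hmac( 'sha1', $msg, $secret_bytes, true );
    $off  = ord( $hmac[19] ) & 0x0f;                           // dynamic truncation (RFC 4226)
    $code = ( ( ord( $hmac[ $off ] ) & 0x7f ) << 24 )
          | ( ord( $hmac[ $off + 1 ] ) << 16 )
          | ( ord( $hmac[ $off + 2 ] ) << 8 )
          | ord( $hmac[ $off + 3 ] );
    return str_pad( $code % ( 10 ** $digits ), $digits, '0', STR_PAD_LEFT );
}

// Server side: accept the current 30-second step plus one step either way so a
// slightly drifted phone clock still works, and compare in constant time.
function example_totp_verify( $secret_bytes, $submitted, $unix_time, $window = 1 ) {
    for ( $i = -$window; $i <= $window; $i++ ) {
        if ( hash_equals( example_totp( $secret_bytes, $unix_time + 30 * $i ), $submitted ) ) {
            return true;
        }
    }
    return false;
}

// RFC 6238 test vector: ASCII key "12345678901234567890", shown here in base32, at T=59.
$key = example_base32_decode( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' );
echo example_totp( $key, 59 ), PHP_EOL;
var_dump( example_totp_verify( $key, example_totp( $key, 59 ), 59 + 30 ) );   // one step of drift
var_dump( example_totp_verify( $key, example_totp( $key, 59 ), 59 + 90 ) );   // outside the window
```

RFC 6238 Appendix B lists 94287082 for this key and time, so the six-digit form you should see is its last six digits; the first verify call succeeds and the second fails, which is the drift window doing its job.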

The plugin pick in 2026

The WordPress.org plugin directory has dozens of 2FA plugins. Most are abandoned, half-finished, or bundled with feature bloat you don't want. As of 2026 there are three serious options. Pick one based on what else you're doing.

Two Factor (by the WordPress Plugin Contributors team — slug `two-factor`). Free, MIT-licensed, maintained by people who actively work on WordPress core. Supports TOTP, email, backup codes, and U2F/WebAuthn for hardware keys. No premium tier, no upsells, no telemetry. This is the recommendation if you have no other 2FA needs and want the cleanest possible install.

WP 2FA by Melapress (slug `wp-2fa`). Free version covers TOTP and email. Premium adds SMS, mandatory enrollment for specific user roles, role-based grace periods, and reporting. Worth it for sites with multiple admin users where you need to enforce 2FA across the team — the rollout features (covered in the rollout section below) are noticeably more polished than the free `two-factor` plugin's.

Wordfence Login Security (slug `wordfence-login-security`). Free, standalone — separated out of the main Wordfence Security plugin so you can use the login features without the full firewall and scanner. TOTP, recovery codes, optional Cloudflare integration. Use this if you're already a Wordfence user; otherwise the standalone choice is `two-factor`.

Avoid: Google Authenticator (the WordPress plugin, not the Google app — the WordPress plugin is unrelated and barely maintained), miniOrange (heavy upsell pressure to a paid plan for basic features), iThemes Security's bundled 2FA (only sensible if you're already using the full iThemes/Solid suite).

Setup walkthrough

Install the chosen plugin. WordPress admin → Plugins → Add New → search for `two-factor` (or `wp-2fa`, or `wordfence-login-security`). Install and activate.

Set up the authenticator app on your phone if you don't have one. On Android, install Aegis (open-source, encrypted backups). On iOS, install Raivo or use 1Password's built-in TOTP. On any platform, Bitwarden also works. Open the app, get ready to scan a QR code.

Enroll your account. WordPress admin → Users → Profile (your own profile, scroll down). The 2FA plugin adds a section here. Enable TOTP — the plugin will display a QR code. Scan it with your authenticator app. The app immediately starts showing a six-digit code that rotates every 30 seconds. Enter the current code in the WordPress profile page to confirm enrollment. Save.

Log out. Log back in. WordPress will now ask for your password and then for the six-digit code from the app. Enter it. You're in. Total elapsed time including the app install: about ten minutes.

Test it once more by opening a private/incognito browser window and logging in there. If it works in both windows, the enrollment is solid. If anything is off, you still have an authenticated session in your normal browser to fix it.

If you skipped backup codes during setup — or your plugin didn't prompt — go back to your profile and generate them now. This is the single most-skipped step and the most common cause of permanent lockouts. The next section, on backup codes, covers exactly what to do with them.

Backup codes and the lockout you're planning to avoid

Backup codes are one-time-use codes you can use in place of the authenticator app. Every serious 2FA plugin generates them at enrollment. You typically get 8–10 codes; each works once.

What goes wrong: people enroll, see the codes, think "I'll save these later," close the tab. Six months later their phone dies or gets stolen. They have no codes, no app, and no way to log in. The fix at that point requires SSH or SFTP access to deactivate the 2FA plugin manually — feasible if you have those credentials, painful if you don't.

What to do instead, right now: when the plugin shows you the backup codes during setup, copy them into a password manager (1Password, Bitwarden, KeePass) under a clearly named entry like "WordPress site.com — 2FA backup codes." If you don't use a password manager, this is the moment to start. As a fallback: print the codes and put the paper somewhere safe (a desk drawer counts; a notes app on the same phone running the authenticator does not).

Treat the backup codes like a spare house key. They're for the day you lose the primary one. They're not for casual logins, and you don't share them.

If you do get locked out without backup codes, the recovery is: connect via SFTP (your hosting credentials), navigate to `wp-content/plugins/`, rename the 2FA plugin's folder (e.g. `two-factor` → `two-factor-disabled`). WordPress will deactivate the plugin on the next page load. Log in normally. Re-enable the plugin and re-enroll. If you don't have SFTP access either, contact your host's support — most can deactivate a plugin via their control panel given account verification.

Rolling 2FA out to other admins

Single-user sites are easy: enroll yourself and you're done. Multi-admin sites are where most 2FA rollouts stall — usually because someone resists, gets locked out, or quietly disables the plugin.

Two patterns work. The first is mandatory enrollment with a grace period. WP 2FA Premium does this natively: pick a date, after which any user above a chosen role (Administrator, Editor) is forced to enroll on their next login. Free plugins like `two-factor` don't enforce — you'd have to either trust the team to enroll voluntarily or set up a check that revokes admin role from un-enrolled accounts (overkill for most sites). For teams of 3 or fewer, voluntary enrollment with a deadline you communicate by email works fine.

The second pattern is exemption-by-default with hard enforcement on the highest-risk accounts. Force 2FA on Administrators only, leave Editors voluntary, leave Authors and below alone (they have less leverage if compromised). This minimises pushback while protecting the actual blast radius.

When someone pushes back: the response isn't to relent on 2FA, it's to reduce the friction. Usually the resistance comes from "I have to open my phone every time I log in" — which is true and which is also the entire point. Counter-arguments that work in practice: (a) most modern plugins remember the device for 30 days, so you only re-enter a code once a month; (b) the alternative is the next compromise being a credential leak from somewhere unrelated; (c) an account with admin rights can also break the site by accident, and the small friction of 2FA makes admins less likely to log in casually, so it doubles as a brake against careless mistakes.

Audit periodically. WordPress admin → Users → All Users — most 2FA plugins add a column showing 2FA status. Check quarterly. Anyone with admin rights and no 2FA gets a friendly nudge or, if you have the authority, a forced enrollment.
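The enforcement-with-grace-period pattern and the periodic audit described above can both be done with the free `two-factor` plugin. The mu-plugin below is an added example, not code from this guide or from the plugin; it assumes `two-factor` is active, that its `Two_Factor_Core::is_user_using_two_factor()` check is available, that the file is saved under `wp-content/mu-plugins/` (path assumed), and that the deadline date and `example_` names are placeholders you change.

```php
<?php
/**
 * Plugin Name: Enforce 2FA for administrators (example mu-plugin)
 * Added example, not code from the guide or the two-factor plugin. Assumes the
 * free `two-factor` plugin is active and exposes Two_Factor_Core::is_user_using_two_factor().
 */

// Assumed deadline: before it, un-enrolled administrators only see a notice.
const EXAMPLE_2FA_DEADLINE = '2026-03-01';

function example_2fa_missing( $user_id ) {
    // Enforce only on the highest-privilege role; editors and below stay voluntary.
    if ( ! user_can( $user_id, 'manage_options' ) ) {
        return false;
    }
    return ! Two_Factor_Core::is_user_using_two_factor( $user_id );
}

function example_2fa_enforce() {
    // With the plugin inactive there is nowhere to enroll, so never block.
    if ( ! class_exists( 'Two_Factor_Core' ) || ! example_2fa_missing( get_current_user_id() ) ) {
        return;
    }
    global $pagenow;
    // Enrollment happens on profile.php; blocking it would be the lockout we are avoiding.
    if ( in_array( $pagenow, array( 'profile.php', 'admin-ajax.php' ), true ) ) {
        return;
    }
    if ( time() < strtotime( EXAMPLE_2FA_DEADLINE ) ) {
        add_action( 'admin_notices', 'example_2fa_notice' );   // grace period: nag only
        return;
    }
    wp_safe_redirect( get_edit_profile_url() );                 // deadline passed: enroll first
    exit;
}
add_action( 'admin_init', 'example_2fa_enforce' );
function example_2fa_notice() {
    $msg = 'Administrators must enroll in two-factor authentication by ' . EXAMPLE_2FA_DEADLINE . '.';
    echo '<div class="notice notice-warning"><p>' . esc_html( $msg ) . '</p></div>';
}

// Quarterly audit from the command line: wp example-2fa-audit
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'example-2fa-audit', function () {
        foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
            $enrolled = class_exists( 'Two_Factor_Core' ) && Two_Factor_Core::is_user_using_two_factor( $user->ID );
            WP_CLI::line( sprintf( '%-24s %s', $user->user_login, $enrolled ? 'enrolled' : 'MISSING' ) );
        }
    } );
}
```

Because the file lives in `mu-plugins`, an admin cannot quietly deactivate it from the Plugins screen; test it on a staging site first with a second administrator account so you keep one enrolled session open while you confirm the redirect behaves.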

Combine 2FA with the standard hardening checklist for the full preventive picture. 2FA closes credential-based attacks; hardening closes the rest.
