WP 2FA – Two-factor authentication for WordPress


A free and easy-to-use two-factor authentication plugin for WordPress

Add an extra layer of security to your WordPress website login pages and protect your users. Enable two-factor authentication (2FA), the best protection against users using weak passwords, automated password guessing, and brute force attacks.

Features | Getting Started | Get the Premium!

Use the WP 2FA plugin to enable two-factor authentication for your WordPress administrator, and to enforce your website users, or users with a specific role to use 2FA. This plugin is very easy to use; everything can be configured via wizards with clear instructions, so even non technical users can setup 2FA without requiring technical assistance.


Melapress develops high-quality WordPress management and security plugins such as Melapress Login Security, CAPTCHA 4WP, and WP Activity Log, the #1 user-rated activity log plugin for WordPress.

Browse our list of WordPress security and administration plugins to see how our plugins can help you better manage and improve the security and administration of your WordPress websites and users.

WP 2FA key plugin features and capabilities

  • Free Two-factor authentication (2FA) for all users
  • Supports multiple 2FA methods
  • An API that allows you to integrate supplementary 2FA methods
  • Universal 2FA app support – generate codes from Google Authenticator, Authy & any other 2FA app
  • Supports 2FA backup methods
  • Wizard-driven plugin configuration & 2FA setup – no technical knowledge required
  • Use 2FA policies to enforce 2FA with a grace period or require users to instantly setup 2FA upon logging in
  • No WordPress dashboard access is required for users to set up 2FA
  • Fully editable email templates
  • Protection against automated password & dictionary attacks
  • Much more

Upgrade to WP 2FA Premium and get even more

The premium version of WP 2FA comes bundled with even more features to take your WordPress website login security to the next level.

With the premium edition of WP 2FA, you get more 2FA methods, 1-click integration with WooCommerce, trusted devices feature, extensive white labeling capabilities, and much more!

Premium features list

Refer to the WP 2FA plugin features and benefits page to learn more about the benefits of upgrading to WP 2FA Premium.

Free and premium support

Premium world-class support for WP 2FA is free via email or through the WordPress support forums.

Note: paid customer support is given priority and is provided via one-to-one email. Upgrade to Premium to benefit from priority support.

For any other queries, feedback, or if you simply want to get in touch with us, please use our contact form.

As featured on:

Related links and documentation:

You can find more detailed information about 2FA and its benefits in the links below

Installing WP 2FA

From within WordPress

  1. Navigate to ‘Plugins > Add New’
  2. Search for ‘WP 2FA’
  3. Install & activate WP 2FA from your Plugins page


  1. Download the plugin from the WordPress plugins repository
  2. Unzip the zip file and upload the folder to the /wp-content/plugins/ directory
  3. Activate the WP 2FA plugin through the ‘Plugins’ menu in WordPress


  • The first-time install wizard allows you to setup 2FA on your website and for your user within seconds.
  • The wizards make setting up 2FA very easy, so even non technical users can setup 2FA without requiring help.
  • You can require users to enable 2FA and also give them a grace period to do so.
  • Users can also use one-time codes via email as a two-factor authentication method.
  • You can use policies to require users to instantly set up and use 2FA, so the next time they login they will be prompted with this.
  • You can give users a grace period until they configure 2FA. You can also specify what should the plugin do once the grace period is over.
  • It is recommended for all users to also generate backup codes, in case they cannot access the primary device.
  • In the user profile users only have a few 2FA options, so it is not confusing for them and everything is self explanatory.


July 17, 2024
Started out with the free version, then switched to the paid version to get the “remember me on this device” option. A great improvement. Discovered a weird problem that occurred occasionally. It didn’t affect real users, only hackers 🙂 I am working with them to try and figure it out. Support is great.
July 2, 2024 3 replies
After seeing a lot of hacked WordPress websites recently I came to the conslusion that every WordPress installation should have 2FA. Since this is not part of WordPress core, I was looking for a plugin that offers a good user experience and enough configuration options to become my new default plugin for that pupose. What I like about this plugin is the clean user interface that offers good guidance for the user during the setup process the flexibility for the admin to configure which users/roles need to use 2FA the option of 2FA by SMS or push notification (paid version only, but available if needed)
June 15, 2024
I was searching for a simple 2FA plugin and found this. I was able to set it up fsirly quickly. I linked it to my Microsoft Authenticator. The plugin works fine. I did find a small conflict but support resolved quickly. The support was responsive and courteous. Over all, I would recommend this plugin to those that are in search of this type for their system needs.
June 12, 2024 1 reply
Made an account just to post this. None of the settings in the backend actually do anything. The plugin just does what it wants, directly ignoring what Ive put into the plugin options. Users are getting locked out of accounts, even though I explicitly said that this should not happen. Now we update the plugin and it crashes our entire installation. We literally paid money for the pro version. Such a waste of our time.
June 5, 2024 1 reply
Pretty short and simple. Spent some time figuring out how to set this up correctly without locking myself out (there’s almost no documentation that I can find except for marketing videos / articles that don’t actually explain how to correctly set it up). I ended up setting my 2FA to link to Microsoft Authenticator. Thought I was good to go. Log out of my account and log back in to test, where I enter my code and I’m redirected to domain.tld/wp-login.php?action=validate_2fa. This is a white screen that doesn’t load anything. I open up the network tab in developer tools and see I get a 402 – Payment required error. Don’t waste your time with this plugin — now I have to go and SSH in and restore from backup. Edit: I was able to remove this plugin via SSH by going to my plugins folder and simply deleting the plugin. I didn’t have to restore my database. I then found the “Wordfence Login Security” plugin — this was much more straightforward and didn’t require payment. I got that installed and working in under ~3 minutes.
Read all 133 reviews

Contributors & Developers

“WP 2FA – Two-factor authentication for WordPress” is open source software. The following people have contributed to this plugin.


“WP 2FA – Two-factor authentication for WordPress” has been translated into 10 locales. Thank you to the translators for their contributions.

Translate “WP 2FA – Two-factor authentication for WordPress” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.


2.8.0 (2024-07-17)

  • New features

    • Out of the box support for Yubico – use any YubiKey hardware key by Yubico as a 2FA method to log in to your WordPress website.

      • Plugin & functionality improvements
    • Bumped up the minimum supported PHP version from 7.2 to 7.3.
    • Updated a number of strings in the settings + improved help text.
    • The names of debug log file in uploads directory are now randomized.
    • Updated the default text in different sections of the wizard to simplify things and improve UX.
    • Adjusted the order in which the 2FA methods are listed.
    • Updated the features’ page in the plugin – added the new features etc.
    • Updated all UTM parameters in the plugin’s URLs and links.

      • Bug fixes
    • Fixed: PHP fatal error in class-email-wizard-steps.php in some edge cases.
    • Fixed: Apostrophe character shows up as ASCII in email subject.
    • Fixed: Error with importing plugin’s settings from one website to another in some edge cases.
    • Fixed: The grace period expiration setting did not have a default value / setting.
    • Removed reference to Premium backup methods in the free edition’s wizard.
    • Fixed: Redirecting to frontend 2FA page without permalinks set up does not work.
    • Fixed: Some user profile 2FA buttons were not functioning properly when used on mobile.
    • Fixed: Data was not always / all deleted when the setting “Delete data upon uninstall” was enabled.

Refer to the complete plugin changelog for more detailed information about what was new, improved and fixed in previous version updates of WP 2FA.