WordPress two factor authentication – How to Setup 2FA

WordPress two factor authentication

WordPress two-factor authentication (2FA) is an extra layer of protection used to reinforce your site’s login page.

Your WP login page is the gateway to all your valuable content. Relying on a username and password alone is no longer safe: attackers try many username and password combinations until one works.

This is why you should add that extra security layer to your website. Enable two-factor authentication in WordPress. It ensures better security for your site.

WordPress plugins are the easiest way to implement two-factor authentication (2FA) on your site. In this guide, we will show you a step-by-step process to set up 2FA on your site.

Content:

    1. Using Google Authenticator App
    2. Push Notification on a Mobile Device
    3. Using WP 2FA WordPress Plugin

Why Use WordPress Two factor Authentication?

Two-factor authentication uses a two-step process to grant access on the WordPress login screen. You need more than your username and password to log in. Besides those, you need another verification method to confirm your access.

WordPress two-factor authentication offers a second layer of security for the site's admin users, and thereby better security for the site as a whole.

Passwords are weak because they can be guessed, phished or leaked, and they are susceptible to brute force attacks. This makes relying on passwords alone unreliable.

Two-factor authentication for WordPress adds a second authentication step, and this makes up for the weaknesses of passwords.

The 2FA process requires two of the following three kinds of evidence to prove your identity:

  1. Something you know
  2. Something you have
  3. Something you are

In practice, two-factor authentication combines something you know, such as your password, with something you have, such as a mobile phone or an email account. It confirms a user's identity when the verification code sent to the user's mobile phone or email account is entered at login. The verification code completes the login process.

Two-factor verification has proven highly effective for user authentication. The reason for this success is that an attacker is unlikely to have access to both your password and your mobile phone at the same time.

Ways to Setup WordPress two factor authentication

Side note: You may consider signing up for our WordPress maintenance service which covers site security. We will take care of 2FA, hardening, and all other aspects.

To set up two-factor authentication, you have to use a suitable two-step verification plugin for WordPress. Two-step verification works when the user receives a verification code via SMS or phone call. Other methods include push notifications and QR code authentication on a mobile phone.

Verification via QR code is when the user receives a verification code in the Google Authenticator app. Another similar app for this purpose is the Authy authenticator.

You can get the Google Authenticator app from the Google Play Store for Android devices, or the App Store for iOS devices, so you can install it on any smartphone.

Using Google Authenticator App

The Google Authenticator app method requires the installation of the app on the mobile phone of the user who wants to log in. The app works by generating codes every sixty seconds. The six-digit code generated by the app serves as a one-time password (OTP). This OTP authenticates the user at login, after the username and password have been verified.

To use second-factor verification, you first need to have the Google Authenticator app ready on your phone.

Next, it requires the installation and activation of a compatible 2FA plugin on your WordPress site. For this guide, we’ll use the Two Factor Authentication Plugin.

Two factor authentication plugin logo

Install and activate the plugin on your site. A Two Factor Auth icon will appear on your WordPress dashboard.

two factor Auth icon on wordpress dashboard

Setting up WordPress two factor authentication: Scan a barcode option

In the admin area of your dashboard, click Two Factor Auth > Two Factor Authentication to open the plugin's settings page.

Next, open the Google Authenticator app and, on the Add an account page, choose the Scan a barcode option.

Google authenticator app as installed in a phone

Then scan the QR code by placing your phone's camera over the code.

QR code for two factor authentication plugin

After scanning the QR code, a six-digit code appears on the screen of your app. This code will correspond with the code on the plugin's Settings page. Next, click Save Changes on the plugin's Settings page.

google authenticator code

two factor authentication saved setting

To find out if your two-step verification settings have worked, log out of your site and log back in.

log out page Two factor authentication

Enter the code that the Google Authenticator app displays on your phone into the login page of your site, and click Log in.

google authenticator code


wordpress login page with one time password - 2FA

After clicking the login button on the login screen, the code grants access back into the site.

wordpress dashboard after 2FA verification

As seen, two-factor authentication is now implemented on your site. From now on, you can only gain access to the site by entering the codes generated by the Google Authenticator app into the login screen when required.

Setting up WordPress two factor authentication: Enter a provided key option

Although the Scan a barcode option is much easier, you may choose to use the Enter a provided key option instead.

First, select the Enter a provided key option in the Google Authenticator app on your phone. Still in the app, set an account name.

Next, type the Private key (base 32) that is displayed on the plugin's settings page into the app. Press Add thereafter.

two factor auth private key code

Auth key for Two factor authenticator

A new account is added to your app with the name you created for the account. Also added to the account is a new code, which is the same as the code on the plugin’s set-up page. Click Save changes on the plugin’s page.

google authenticator code to verify auth key for 2FA plugin


two factor authentication onetime password

Two-factor WordPress authentication is now active on your site. Let's log out and log back in to verify 2FA on the site.

Enter the six-digit code that the Google Authenticator app displays on the phone's screen into the login page of your WordPress site. Click Log in.

google authenticator auth key code


login to test implementation of 2FA plugin on wordpress site

The second-factor verification grants access to the WordPress site.

wordpress dashboard after 2FA verification

Using Push Notification on a Mobile Device

This method lets you receive a notification of a login attempt on your phone after entering your username and password at your site’s login page.

For this guide, we will use the Google Authenticator – Two Factor Authentication (2FA) Plugin.

google authenticator two factor authentication plugin logo

First, install and activate the Google Authenticator – Two Factor Authentication (2FA) Plugin. The plugin offers multiple choices for securing the login page of your WordPress site. We’ll show you how to use the Push notification option.

After activating the plugin, on your WordPress admin area, click on its icon on the dashboard.

2FA icon on wordpress admin dashboard

There will be a brief tour of the miniOrange Google Authenticator 2FA plugin. The tour will show you how to navigate the plugin settings screen on your site. You may click Next to complete the tour. Otherwise, click End tour to skip it and continue setting up push notification 2FA on your WordPress site.

miniOrange Google authenticator setup tour

When the tour ends, your screen clears and all the 2FA options become visible. Click Configure for the 'miniOrange Push Notifications' option.

configure push notification on miniOrange google authenticator 2FA plugin

A window to register your account with miniOrange opens, and the email address associated with your site will display. You may keep it or change it to another email.

Next, enter the password that you want to use for the plugin account in the field provided. Re-enter the password to confirm it.

Finally, click Continue.

registration page for miniOrange google authenticator plugin

Enabling Push Notifications on Your Phone

Step 1: You have to download the miniOrange Authenticator app for your smartphone or other mobile device. You can get it from the App Store for iPhone users, or from the Google Play Store for Android users.

We are using an Android device and the Google Play Store for this WordPress two-factor authentication article. On your smartphone or mobile device, search for mini orange on the Google Play Store. Then select Authenticator from the result list as shown below, and download and install it on your device.

google play store search for authenticator

When that is done, click the Configure your phone button on the miniOrange settings page on your computer screen.

miniOrange google authenticator options for phone reset


Step 2: A QR code will display on the screen, and a message to prompt you to scan the code will display as well.

Place your phone’s camera over the QR code to scan.

QR code for miniOrange google authenticator plugin

When the QR code scan completes, a large green check mark appears on top of the code. This shows that the scan was successful.

Scan QR code

The Configure bar of the Push Notification option now turns green. This means that the push notification option was set up successfully. To test it, click Test miniOrange Push Notification.

test miniOrange two factor authenticator

The plugin sends a push notification to your phone notifying you of a login request to your account.

miniOrange push notification test on wordpress dashboard

Click ACCEPT to accept, otherwise you may click DECLINE.

push notification on mobile device for miniOrange Google authenticator 2FA

After you accept the request, the plugin page on your site will show that you have successfully completed the test.

completed miniOrange google authenticator push notification setting

Test if plugin actually works

As usual, we have to test whether the plugin actually adds a second verification layer to the site.

Log out of your site and try to log in again.

log in to test miniOrange google authenticator 2FA setup

After your username and password verification, a push notification is sent to your phone.

miniOrange push notification at point of login awaiting approval

Accept the login request.

push notification on mobile device for miniOrange Google authenticator 2FA

And here we are, back in the dashboard area of the site.

miniOrange google authenticator icon on wordpress admin dashboard

And that’s it! We have implemented two factor authentication in WordPress using Push notification.

Using WP 2FA WordPress Plugin

WP 2FA is a WordPress two-factor authentication plugin that supports multiple authentication apps, including Google Authenticator, Authy, FreeOTP, and many others. This flexibility allows users to choose the authentication app they prefer, making it easier to increase your website’s security by reducing entry barriers. The plugin also includes several administrator options, including the option to enforce 2FA on the website users via configurable policies, giving you complete control over the implementation of 2FA on your website.

Furthermore, the plugin supports both the TOTP and HOTP protocols. While the latter is not as secure, it allows you to offer two-factor authentication to users who might not have access to a smartphone. Of course, you have the option of disabling it from the admin panel should you so desire.

Get Started with WP 2FA

To get started with WP 2FA, download the plugin from the WordPress repository, and once installed, click the activate button. Once you activate the plugin, the wizard will start, walking you through the initial configuration steps in a matter of seconds.

01 wp 2fa

Click Let’s get started! to start the initial plugin configuration.

02 wp 2fa

In the next screen, choose whether you want to activate TOTP, HOTP, or both. As briefly touched upon earlier, the TOTP protocol requires a 2FA app to be installed on a smartphone while HOTP sends an OTP (One Time Password) via email – making it an excellent option for users who might not have a smartphone.

Here, you can also choose whether you want to enable backup codes, which users can use to log in should the primary 2FA method be unavailable.
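Backup codes are worth understanding from the defender's side, because a plugin that stores them carelessly turns its fallback into a second password list. The following Python is an added example, not WP 2FA's own code, of how such codes should be handled: generated from a cryptographic random source, stored only as salted slow hashes, and deleted the moment one is redeemed so it can never be used twice. The class name BackupCodeStore and the code format (ten lower-case alphanumerics) are this example's own choices, not the plugin's.

```python
import hashlib
import hmac
import secrets
import string

# Digits plus lower-case letters: 36 symbols that are easy to read out and type.
CODE_ALPHABET = string.digits + string.ascii_lowercase


def generate_backup_codes(count=10, length=10):
    """Return `count` random one-time codes drawn from a CSPRNG."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
            for _ in range(count)]


def normalize(code):
    """Ignore case and the dashes/spaces people add when copying codes."""
    return code.replace("-", "").replace(" ", "").lower()


def hash_code(code, salt):
    """Backup codes are passwords in all but name, so store only a salted,
    slow hash (PBKDF2-HMAC-SHA256 here), never the code itself."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, 100_000)


class BackupCodeStore:
    """Per-user record a site would persist: one salt plus the hashes of
    the codes that have not been used yet."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.hashes = [hash_code(c, self.salt) for c in codes]

    def remaining(self):
        return len(self.hashes)

    def redeem(self, submitted):
        """Accept a code exactly once. On a match the stored hash is removed,
        so replaying the same code later fails. Comparison is constant-time."""
        candidate = hash_code(submitted, self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(candidate, stored):
                del self.hashes[i]
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("issued to user:", codes)
    print("first use accepted:", store.redeem(codes[0]))
    print("second use accepted:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

The codes are shown to the user exactly once at generation time; afterwards the site can only verify them, not display them, which is the property an administrator should expect of any plugin's backup-code feature.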

Once you’ve made your choices, click on Continue Setup to continue to the next step.

03 wp 2fa

In the third and last screen, you can configure the 2FA policies to select whether you want to enforce 2FA for all, some, or none of the users. When 2FA is not enforced, users will still have the option to set up 2FA if they want to, but it will not be mandatory.

WP 2FA Settings

By default, users for whom 2FA is enforced are given a 3-day grace period to set up 2FA. The grace period can be extended, reduced, or removed entirely from the plugin’s settings.

Users that have 2FA enforced will be prompted to configure 2FA the next time they log in. A friendly wizard makes the entire process a breeze.

In the first step of the wizard, depending on plugin configuration, users will need to choose between TOTP and HOTP.

04 wp 2fa

If they choose TOTP, the wizard will provide a key, which the user must scan using their favorite authentication app.

05 wp 2fa

Once completed, all that’s left to do is to click the I’m Ready button to complete the process. The next time the user logs in, they will need to use 2FA to log in to WordPress successfully.

WordPress two factor authentication – Conclusion

In this guide, you have learned how to enable two-factor authentication for your WordPress site. The steps listed are rather easy to follow. You should be able to enable two-factor authentication for WordPress without hassle.

So, if you solely manage a site with WordPress, it is important to enable 2FA on your site. It is even more important when you have several people working on a site. Two-factor authentication will provide the much-needed extra WordPress security.

To learn more about securing your site, please read our WordPress Security guide.

This post was written by Mesheal Fegor

Mesheal Fegor is a Web/WordPress Developer and technical writer. His WordPress help articles have been featured on Kinsta and other sites. Mesheal holds a master's degree in computer science. His writing focuses on technical WordPress issues, ranging from core WordPress problems, to issues with WooCommerce, and more.

Last edited by: FixRunner Team