Two-factor authentication (2FA) is the single highest-impact security upgrade you can make to a WordPress site. It stops virtually all password-based attacks, including the constant brute-force traffic every WordPress site receives. Setting it up takes 10 minutes. There’s no good reason not to.
What 2FA actually is
Two-factor authentication requires two things to log in:
- Something you know (your password).
- Something you have (your phone, or a hardware key).
The “something you have” usually means a 6-digit code from an app that changes every 30 seconds (a time-based one-time password, or TOTP). Even if an attacker steals your password, they can’t log in without the second factor.
Why it matters more than people think
Brute-force attacks on WordPress are constant. Bots try common passwords against every WordPress site they find. Without 2FA, an unlucky password match means full admin access.
With 2FA, the password match isn’t enough. The attacker needs your phone too. They almost never have it.
2FA stops virtually all credential-based attacks. It’s the closest thing to a security silver bullet.
The plugins
1. Two Factor (free)
Maintained by the official WordPress 2FA Feature Plugin team, and likely to be merged into WordPress core eventually. Solid, minimal, free.
Supports: authenticator apps, email codes, FIDO U2F security keys.
2. Wordfence Login Security (free)
Free standalone plugin from Wordfence (you don’t need the full Wordfence to use just this).
Supports: authenticator apps. Also includes brute-force protection.
3. WP 2FA (free + paid)
More configurable. Pro version offers email-based 2FA, role-based requirements, more options.
4. Solid Security / iThemes Security
If you already use Solid Security as your security plugin, it includes 2FA. Configure there.
5. Wordfence (full plugin)
If running full Wordfence, 2FA is built in. Configure under Wordfence → Login Security.
Recommended: Two Factor if you want a minimal install, or whichever your existing security plugin offers.
The authenticator app on your phone
You need an authenticator app. Options:
- Google Authenticator. Free. Simple. Older versions had no cloud backup; recent versions do.
- Authy. Free. Cloud backup of your 2FA codes — if you change phones, you don’t lose access.
- 1Password. Built into 1Password password manager. Convenient if you use 1Password anyway.
- Bitwarden. Built into Bitwarden password manager (premium tier).
Authy is the most-recommended free option because of the backup feature.
Setting it up
Step 1: Install the 2FA plugin
WordPress → Plugins → Add New → search for “Two Factor” or your chosen plugin → Install → Activate.
Step 2: Open your user profile
Users → Your Profile. Scroll to the Two-Factor Options section (the plugin adds this).
Step 3: Enable “Time Based One-Time Password (Authenticator app)”
Check the box. A QR code appears.
Step 4: Scan the QR code with your authenticator app
Open Authy / Google Authenticator → add account → scan the QR code. The app starts generating 6-digit codes for your WordPress site.
Step 5: Enter the current code
Type the current 6-digit code into the WordPress field to verify.
Step 6: Save backup codes
The plugin generates one-time backup codes. Save them somewhere safe — password manager notes, printed copy in a safe place. These are your “I lost my phone” recovery.
Step 7: Save changes
Update profile. 2FA is now active on your account.
Step 8: Test it
Log out of WordPress. Log in. You’ll be prompted for the 6-digit code after your password. Enter it. Verify you can log in.
The “what if I lose my phone” plan
This is the most common 2FA fear. Solutions:
1. Backup codes (the standard answer)
Save the one-time backup codes the plugin generates. Each can be used once to log in if you’ve lost your phone.
Where to save them:
- Password manager (1Password, Bitwarden, etc.).
- Printed copy in a physical safe.
- Encrypted note on a different device.
Don’t save them in plain text in your email or notes app.
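How one-time backup codes behave server-side, as an added example that is not the plugin’s own code: the site keeps only a hash of each code, so a leaked database cannot be replayed as codes, and each code is consumed on first use. Function names such as `generate_backup_codes` and `redeem_backup_code` are my own.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10
CODE_BYTES = 5  # 40 bits -> 10 hex characters per code (a constructed choice)


def _fingerprint(code: str) -> str:
    # Only this hash is persisted; the plaintext code is shown to the user once.
    return hashlib.sha256(code.encode()).hexdigest()


def generate_backup_codes(count: int = CODE_COUNT):
    """Return (codes to display once, set of hashes to store with the user)."""
    codes = [secrets.token_hex(CODE_BYTES) for _ in range(count)]
    return codes, {_fingerprint(c) for c in codes}


def redeem_backup_code(stored_hashes: set, submitted: str) -> bool:
    """Consume one code. A second use of the same code is rejected because
    its hash has been removed from the set."""
    target = _fingerprint(submitted.strip().lower())
    for h in stored_hashes:
        if hmac.compare_digest(h, target):  # constant-time match
            stored_hashes.remove(h)
            return True
    return False


if __name__ == "__main__":
    shown, stored = generate_backup_codes()
    print("save these now:", " ".join(shown))
    print("first use:", redeem_backup_code(stored, shown[0]))   # True
    print("second use:", redeem_backup_code(stored, shown[0]))  # False
```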
2. Authy’s cloud backup
If using Authy with backup enabled, you can install Authy on a new phone and recover your 2FA codes. Removes the “lost phone” problem entirely.
3. Multiple devices
Scan the same QR code into two devices (phone + tablet, or phone + computer with a desktop authenticator). If one is lost, the other still works.
4. Hardware key as alternative
A YubiKey or similar hardware key works as a second factor. Plug into USB, tap. Works without internet. Backup option in case the phone is unavailable.
Requiring 2FA for all users
If your blog has multiple authors or contributors, requiring 2FA for high-privilege roles is good practice.
Most 2FA plugins let you require 2FA for specific roles (admin, editor) while making it optional for lower roles (subscriber, contributor).
Set this once. New users created with admin roles will be prompted to enable 2FA on first login.
What about app passwords for the REST API?
If you use the WordPress REST API (for mobile apps, integrations, automation), 2FA doesn’t apply to API calls directly.
Solution: WordPress has an “Application Passwords” feature (Users → Profile → Application Passwords). Generate a separate password for each app that needs API access. These bypass 2FA but are limited to the specific apps you create them for.
For API-heavy use, this is the right pattern.
Common 2FA mistakes
Not saving backup codes
The “I’ll deal with that later” trap. Save them when you set up 2FA, not after you’ve lost your phone.
Using only SMS-based 2FA
SMS 2FA is better than no 2FA but worse than app-based. SIM swap attacks bypass it. Use an authenticator app, not text messages, where you have the choice.
Disabling 2FA “temporarily” and forgetting
Sometimes admins disable 2FA to test something, then forget to re-enable. Set a reminder. Or don’t disable it in the first place.
Enabling 2FA on only the admin account
If your blog has editors or other admins, enable 2FA for them too. The weakest link breaks the chain.
The “is this overkill” question
No. 2FA is the cheapest, easiest, most effective security upgrade available to a WordPress site. It takes 10 minutes once and prevents virtually all credential-based attacks forever.
The only reason not to set it up is forgetfulness. Don’t be that person who learns the value of 2FA the hard way.
The honest summary
2FA stops virtually all password-based WordPress attacks. Setup takes 10 minutes. Install a 2FA plugin, scan a QR code into Authy or Google Authenticator, save backup codes somewhere safe. Test by logging out and back in. Require 2FA for all admin-level accounts on multi-user blogs. The single most cost-effective security upgrade available.
