Discover, trust, install: FAIR 1.0 is here

Two-Factor

by WordPress.org

Version: 0.14.1

Description

Use the “Two-Factor Options” section under “Users” “Your Profile” to enable and configure one or multiple two-factor authentication providers for your account:

Email codes
Time Based One-Time Passwords (TOTP)
FIDO Universal 2nd Factor (U2F)
Backup Codes
Dummy Method (only for testing purposes)

For more history, see this post.

Actions & Filters

Here is a list of action and filter hooks provided by the plugin:

two_factor_providers filter overrides the available two-factor providers such as email and time-based one-time passwords. Array values are PHP classnames of the two-factor providers.
two_factor_providers_for_user filter overrides the available two-factor providers for a specific user. Array values are instances of provider classes and the user object WP_User is available as the second argument.
two_factor_enabled_providers_for_user filter overrides the list of two-factor providers enabled for a user. First argument is an array of enabled provider classnames as values, the second argument is the user ID.
two_factor_user_authenticated action which receives the logged in WP_User object as the first argument for determining the logged in user right after the authentication workflow.
two_factor_user_api_login_enable filter restricts authentication for REST API and XML-RPC to application passwords only. Provides the user ID as the second argument.
two_factor_email_token_ttl filter overrides the time interval in seconds that an email token is considered after generation. Accepts the time in seconds as the first argument and the ID of the WP_User object being authenticated.
two_factor_email_token_length filter overrides the default 8 character count for email tokens.
two_factor_backup_code_length filter overrides the default 8 character count for backup codes. Providers the WP_User of the associated user as the second argument.

Screenshots

Two-factor options under User Profile.
U2F Security Keys section under User Profile.
Login with authentication app code.
Login with recovery code.
Login with email code.

Faq

What PHP and WordPress versions does the Two-Factor plugin support?

This plugin supports the last two major versions of WordPress and the minimum PHP version supported by those WordPress versions.

How can I send feedback or get help with a bug?

The best place to report bugs, feature suggestions, or any other (non-security) feedback is at the Two Factor GitHub issues page. Before submitting a new issue, please search the existing issues to check if someone else has reported the same feedback.

Where can I report security bugs?

The plugin contributors and WordPress community take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.

To report a security issue, please visit the WordPress HackerOne program.

Reviews

This is a must-have plugin

By letharaddison on August 29, 2025

Essential Security Boost with Two-Factor

Great plugin with a compatibility issue

By michavo73 on August 20, 2025

A great plugin and absolutely useful and important! Unfortunately, there is a problem that needs to be addressed and resolved: The QR code generated for 2FA apps is reported as incorrect by the 2FAS smartphone app. If you type the code below into the app, everything works fine. This problem did not occur with Google Authenticator. Of course, it seems to be a problem with the 2FAS app, because Google can do it! But shouldn't the problem be analyzed in more detail on the developer side? I will probably also inform the developer of the app. However, it would certainly be best if the two experts (plugin here and app there) got in touch with each other.

Secure and Easy to Set up

By kruthikreddyj on July 17, 2025

This plugin made it really easy to add two-factor authentication to my WordPress test site. The interface is clean, and the setup took just a few minutes. Works well with email and TOTP apps like Google Authenticator. A must-have for basic security!

Works like a charm

By Christian Strasser (cswebdesigns) on July 4, 2025

Easy to setup and just works - great plugin. Installed on plenty of websites and never had an issue.

Enhorabuena / Congratulations!

By grupojomar on June 2, 2025

Congratulations! After trying several plugins, this one hasn't disappointed me so far. Let's hope it continues to do what it says. Congratulations to the developers!

So Easy to Implement

By briis on May 4, 2025

Great Plugin. Fast and easy to setup, and just works.

Very good plugin

By shawfactor on April 20, 2025

Not super complicated, just works

Essential for security

By carljkeller on February 16, 2025

I use it for the security of my WordPress admin panel and it's really nice. I just wish it was available as a text message via phone, that would be great.

Very pleased with functionality

By shaunek on January 10, 2025

This plugin adds 2FA to WordPress. It defaults to sending a code to the email address associated to the user, but it is possible for the user to configure for backup codes or authenticator app as well. We have been using this plugin for a couple of years. I definitely appreciate the fact that is maintained by open source contributors, although that does mean that at times bug fixes can be a little slow to be published. I have collaborated with the guys on Github and they are top notch.

Happy!

By geraldroy on December 11, 2024

Happy with this plugin.

Changelog

See the release history.

Version:Version: 0.14.1
Business model:Business model: community
Active installs:Active installs: 90K
Last updated:Last updated: 4 weeks ago
Requires:Requires: 6.7
Tested:Tested: 6.8.2

Average rating:4.8 out of 5 stars.

Number of ratings: 172 ratings
Number of ratings: 14 ratings
Number of ratings: 0 ratings
Number of ratings: 2 ratings
Number of ratings: 6 ratings