Discover, trust, install: FAIR 1.0 is here
WP 2FA – Two-factor authentication for WordPress
Version: 3.0.0
Description
A free and easy-to-use two-factor authentication plugin for WordPress
Add an extra layer of security to your WordPress website login and protect your users. Enable two-factor authentication (2FA), the best protection against password leaks, automated password guessing, and brute force attacks.
Use the WP 2FA plugin to enable two-factor authentication for your WordPress administrator, enforce 2FA for all your website users, or for users with specific roles. This plugin is very easy to use; everything can be configured via wizards with clear instructions, so even non-technical users can set up 2FA without requiring technical assistance.
Features | Getting Started | Get the Premium!
WP 2FA key plugin features and capabilities
- Free two-factor authentication (2FA) for all users
- Supports multiple 2FA methods including authenticator app TOTP, and code over email
- An API that allows you to integrate any alternative 2FA method such as WhatsApp, OTP Token, etc.
- Universal 2FA app support – generate codes from Google Authenticator, Authy, & any other 2FA app
- Supports 2FA backup codes
- Wizard-driven plugin configuration & 2FA setup – no technical knowledge required
- Use 2FA policies to enforce 2FA with a grace period or require users to instantly setup 2FA upon logging in
- No WordPress dashboard access is required for users to set up 2FA
- Fully editable email templates
- Much more
Upgrade to WP 2FA Premium and get even more benefits
The premium version of WP 2FA comes bundled with even more features to take your WordPress website login security to the next level.
With the premium edition of WP 2FA, you get more 2FA methods, 1-click integration with WooCommerce, trusted devices feature, extensive white labeling capabilities, and much more!
Premium features list
- Everything in the free version
- Full white labeling capabilities (change all the text and look and feel of the wizards, emails, SMS, and 2FA pages)
- YubiKey hardware key support
- Several other additional 2FA methods (such as 2FA over SMS, link in email & more)
- Trusted devices (no 2FA required for a configured period of time)
- Require 2FA on password reset
- One-click integration to set up WooCommerce and two-factor authentication (2FA)
- Much more
Refer to the WP 2FA plugin features and benefits page to learn more about the benefits of upgrading to WP 2FA Premium.
Free and premium support
Support for the free edition of WP 2FA is free on the WordPress support forums. Premium world-class support via one-to-one email is available to the Premium users – upgrade to premium to benefit from email support.
For any other queries, feedback, or if you simply want to get in touch with us, please use our contact form.
MAINTAINED & SUPPORTED BY MELAPRESS
Melapress develops high-quality WordPress management and security plugins such as Melapress Login Security, Melapress Role Editor, and WP Activity Log; the #1 user-rated activity log plugin for WordPress.
Browse our list of WordPress security and administration plugins to see how our plugins can help you better manage and improve the security and administration of your WordPress websites and users.
Installing WP 2FA
From within WordPress
- Navigate to ‘Plugins’ > ‘Add New’
- Search for ‘WP 2FA’
- Install & activate WP 2FA from your Plugins page
Manually
- Download the plugin from the WordPress plugins repository
- Unzip the zip file and upload the folder to the ‘/wp-content/plugins/ directory’
- Activate the WP 2FA plugin through the ‘Plugins’ menu in WordPress
As featured on:
Screenshots
The first-time install wizard allows you to setup 2FA on your website and for your user within seconds.
The wizards make setting up 2FA very easy, so even non technical users can setup 2FA without requiring help.
You can require users to enable 2FA and also give them a grace period to do so.
Users can also use one-time codes via email as a two-factor authentication method.
You can use policies to require users to instantly set up and use 2FA, so the next time they login they will be prompted with this.
You can give users a grace period until they configure 2FA. You can also specify what should the plugin do once the grace period is over.
It is recommended for all users to also generate backup codes, in case they cannot access the primary device.
In the user profile users only have a few 2FA options, so it is not confusing for them and everything is self explanatory.
Faq
No, the plugin does not send any data to us whatsoever. The only data we recieve is license data from the premium edition of the plugin.
The free edition of WP 2FA includes the following 2FA methods: Authenticator app 2FA and code over email. This allows you to use Google authenticator OTP The premium edition adds Yubikey, one-click email link, SMS 2FA, and Authy push notifications.
WP 2FA includes backup authentication methods so that if the primary authentication method fails, you and your users can still log in. The free version of the plugin includes backup codes, which can be configured during 2FA configuration or at any point after that from the profile page. The premium edition adds 2FA backup codes over email.
In the unlikely event that you are unable to supply your 2FA code, there are several steps you can take to gain access to your WordPress dashbaord. First, check if there is another administrator who can reset your 2FA. If this is not possible, manually deactivate the plugin, log in without 2FA, re-activate the plugin, and then reconfigure your 2FA.
Yes, WP 2FA is multisite compatible. The plugin can be activated at the network level. 2FA policies can be enforced on all users, sub section of users, or per site on the network. It also supports network setups with different domains.
We update the plugin fairly regularly to ensure the plugin continues to run in tip-top shape while adding new features from time to time.
Yes, WP 2FA fully supports Google Authenticator on WordPress. WP 2FA also supports many other 2FA authenticator apps.
Support for the free edition of the plugin is provided only via the WordPress.org support forums. You can also refer to our support pages for all the technical and product documentation.
If you are using the Premium edition, you get direct access to our support team via one-to-one email support.
You can report security bugs through the Patchstack Vulnerability Disclosure Program. Please use this form. For more details please refer to our Melapress plugins security program.
Reviews
Useful and good support
By 
Quick support and useful plugin
Determined support group
By 
Great support that helped me sort out some PHP configuration issues with WP2FA. They really stuck with me while we worked through the issues.
Ecxelente plugin
By 
anda perfecto y el soporte técnico es muy reciente en caso de tener un problema
Works well and responsive support
By 
We had an issue with a plugin conflict between this plugin and another one. This was responded to and solved very quickly - excellent support
Awesome plugin and great supplier
By 
My goto plugin for adding 2FA to sites, it just works, excellent features and covers most needs you can think of. Also setup is done in minutes.
I highly recommend the pro version to get the remember my device and SMS option that really saves you nagging and frustration from less tech-savvy users.
Haven't even needed to bother support since it just works so well out of the box
Outstanding support
By 
Fast, accurate support - even when the problem was on my side.
Easy to use and excellent support
By 
Very easy to install and configure. I tested all three 2FA methods (app, email and backup codes) and they all work flawlessly.
Great Plugin
By 
Does the job.
Plugin that does, what it promises
By 
Plugin with a wide range of authentification methods. I tested a lot of plugins for authentification by mail oder SMS, this one is one of the few, where these methodes really work. User-friendly interface, great support.
YubiKey tylko w wersji płatnej
By 
Wtyczka po aktualizacji wyłączyła autentyfikację za pomocą YubiKey. Bez żadnej informacji. Oznaczało to, że nie można się było zalogować na konto, które miało właśnie taką metodę ustawioną. Żenada.
Changelog
3.0.0 (2025-09-23)
-
New features
- Zero-setup email 2FA method – automatically enroll users with 2FA without requiring any user setup or intervention (Premium).
- Added an option to enable/disable automatic email notifications when a user logs in but cannot configure 2FA (Premium).
-
Plugin & functionality improvements
- Backup codes are now 16 digits long for improved security.
- Extended the maximum allowed grace period to 90 days.
- Updated the plugin logo and artwork.
- Replaced the php-jwt library with in-house developed solution for improved security and performance.
- Added a new upgrade banner notification.
- Accessibility improvements across all plugin wizards; users can now configure 2FA using only the keyboard.
- Plugin no longer redirects to the Policies page after updating, improving the upgrade flow and avoiding unwanted redirection loops.
- Added the plugin’s branding signature to all Free edition email templates.
- Updated the default “From” name and email address used when sending emails.
- Improved the method selection step in the setup wizard by reducing the number of displayed methods for a lighter, cleaner look and feel.
- Improved the build process to better separate Free and Premium editions, in line with WordPress coding standards.
- Improved help texts in several areas of the plugin’s Settings page.
- Added a check to handle missing parameters on the lost password page, preventing a fatal error and displaying a proper message instead.
-
Bug fixes
- Fixed a user-reported PHP error which occurs in certain circumstances; “Uncaught TypeError: call_user_func_array(): Argument #1 ($callback) ‘wp_2fa_action_doing_it_wrong_run’ not found.”
- Fixed typos in the email template shown when a user logs in but cannot configure 2FA due to setup misconfiguration.
- Fixed a fatal error on multisite installations when users without the
manage_optionscapability attempted access. - Fixed a bug preventing backup codes from being enabled when Yubico was the only available method.
- Fixed a bug in the “log out user after 2FA configuration” feature which caused users to be logged out without finalizing 2FA configuration in some cases.
- Fixed an issue with the Twilio integration that caused alphanumeric IDs to be rejected by the plugin.
- Fixed an issue on multisite where users removed from an excluded subsite were not prompted to configure 2FA when still enforced on another subsite.
- Fixed several other user-reported PHP warnings that could occur under certain conditions.
Refer to the complete plugin changelog for more detailed information about what was new, improved and fixed in previous version updates of WP 2FA.