WP 2FA – Two-factor authentication for WordPress


A free and easy-to-use two-factor authentication plugin for WordPress

Add an extra layer of security to your WordPress website login pages and protect your users. Enable two-factor authentication (2FA), the best protection against users using weak passwords, automated password guessing, and brute force attacks.

Use the WP 2FA plugin to enable two-factor authentication for your WordPress administrator, and to require your website users, or users with a specific role, to use 2FA. This plugin is very easy to use; everything can be configured via wizards with clear instructions, so even non-technical users can set up 2FA without requiring technical assistance.


Melapress develops high-quality WordPress management and security plugins such as Melapress Login Security, CAPTCHA 4WP, and WP Activity Log, the #1 user-rated activity log plugin for WordPress.

Browse our list of WordPress security and administration plugins to see how our plugins can help you better manage and improve the security and administration of your WordPress websites and users.

WP 2FA key plugin features and capabilities

  • Free Two-factor authentication (2FA) for all users
  • Supports multiple 2FA methods
  • Universal 2FA app support – generate codes from Google Authenticator, Authy & any other 2FA app
  • Supports 2FA backup methods
  • Require 2FA on password reset
  • Very easy to use and simple to set up
  • Use 2FA policies to enforce 2FA with a grace period or require users to instantly set up 2FA upon logging in
  • No WordPress dashboard access is required for users to set up 2FA
  • Fully editable email templates
  • Protection against automated password & dictionary attacks
  • Much more

Upgrade to WP 2FA Premium and get even more

The premium version of WP 2FA comes bundled with even more features to take your WordPress website login security to the next level.

With the premium edition of WP 2FA, you get more 2FA methods, 1-click integration with WooCommerce, trusted devices feature, and extensive white labeling capabilities.

Premium features list

  • Everything in the free version
  • Full white labeling capabilities
  • Trusted devices (no 2FA required)
  • One-click integration with WooCommerce
  • Much more

Refer to the WP 2FA plugin features and benefits page to learn more about the benefits of upgrading to WP 2FA Premium.

Free and premium support

Premium world-class support for WP 2FA is free via email or through the WordPress support forums.

Note: paid customer support is given priority and is provided via one-to-one email. Upgrade to Premium to benefit from priority support.

For any other queries, feedback, or if you simply want to get in touch with us, please use our contact form.

Installing WP 2FA

From within WordPress

  1. Navigate to ‘Plugins > Add New’
  2. Search for ‘WP 2FA’
  3. Install & activate WP 2FA from your Plugins page


Manually

  1. Download the plugin from the WordPress plugins repository
  2. Unzip the zip file and upload the folder to the /wp-content/plugins/ directory
  3. Activate the WP 2FA plugin through the ‘Plugins’ menu in WordPress


  • The first-time install wizard allows you to set up 2FA on your website and for your user within seconds.
  • The wizards make setting up 2FA very easy, so even non-technical users can set up 2FA without requiring help.
  • You can require users to enable 2FA and also give them a grace period to do so.
  • Users can also use one-time codes via email as a two-factor authentication method.
  • You can use policies to require users to instantly set up and use 2FA, so the next time they log in they will be prompted with this.
  • You can give users a grace period until they configure 2FA. You can also specify what the plugin should do once the grace period is over.
  • It is recommended for all users to also generate backup codes, in case they cannot access the primary device.
  • In the user profile users only have a few 2FA options, so it is not confusing for them and everything is self-explanatory.


November 27, 2023
Why pay for a 2FA plugin when there are free alternatives, you might ask? I choose to support the premium solution of the 2FA plugin for Melapress, because I much appreciate how clean and lightweight this plugin is. By supporting it, I also believe that the plugin will continue to be developed for the long haul, while keeping it high performing. I can set very tight security policies as well using only 2FA app and backup codes, as I don't trust that an email based 2FA is so secure. I then can see neatly all users who have taken these policies to use, and enforce them, if needed. Security is to me one of my highest priorities, and I can rest assured that the 2FA needs are taken care of with this solution.
October 23, 2023
No doubt in my mind that this is the best 2FA plugin in the repository. I've got it installed across several sites for a reason, and when I had a query, the customer service were excellent in handling the situation smoothly and quickly. But the good thing is that the plugin is so good, I've only contacted them once in the few years that I've been using them across multiple sites.
October 19, 2023 · 1 reply
It stopped working after 6 months and locked me out of wpadmin. Upon deleting the plugin manually it affected all the other plugins including woocommerce and now my website is totally broken. I will never use it again.
September 29, 2023
I am sceptical about security plug-ins for WordPress. Usually these plugins are fooled by real threats and give a false sense of security. This is completely different with 2fa. I know what to expect from this plugin and it makes me feel that the admin panel and admins' accounts are more secure with two-factor authentication. Thank you for your work! 2fa is the only WordPress security plugin I accept.
September 28, 2023
I had absolutely no trouble integrating this plug-in with the regular WP login. We've set it to enforce 2FA for anyone with editor role or above, leaving it as an option for regular members. The one time we had any trouble, it turned out to be that the user's system clock was about 15 minutes off, far outside the grace period for TOTP! I almost regret that the free version does everything we need. I did have a small bit of integration trouble with one highly customized area of the site which turned out to be me not understanding something fundamental to WordPress... the issue I raised in the support forum was handled rapidly and considerately.
Read all 113 reviews

Contributors & Developers

This software is open source. The following people have contributed to this plugin.


"WP 2FA – Two-factor authentication for WordPress" has been translated into 9 locales. Thank you to the translators for their contributions.

Translate "WP 2FA – Two-factor authentication for WordPress" into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Changelog

2.5.0 (2023-07-20)

Release notes: 2FA for password resets, more branding options for the 2FA code page & much more

  • New features

    • Require 2FA on user reset password.
    • CSS editor for the 2FA code page, allowing users to also apply their CSS to the 2FA login page.
    • Front-end 2FA support for multisite network – the plugin creates a front-end 2FA page for every subsite on the network.
    • User licensing tab in the plugin settings, allowing admins to see the number of users and websites using user-activations.
  • Improvements

    • Disabled auto complete in the 2FA code placeholder.
    • User private key is regenerated each time they start the 2FA setup process and they do not finish it.
    • Backup code email template added to editable email templates.
    • Email tags are populated even in test emails.
    • Updated the “user count” licensing logic on multisite networks – now the plugin counts the users on the network (more accurate).
    • Full compatibility with Flywheel’s and WP Engine’s seamless sign-on (no sign on is required).
    • Revised and improved the text used in the 2FA SMS login process.
    • Added all SMS 2FA text (used in wizards, login pages etc) to the whitelabelling options.
    • Removed the 2FA plugin menu completely when access to the plugin is restricted to certain website admins.
    • Added more strings to the Whitelabelling options.
    • Removed a number of font files from the QR library since no text is used and it makes the plugin size smaller.
    • Select2 library is now shipped directly with the plugin instead of it being downloaded from a CDN.
    • Applied a number of performance improvements to the plugin – the loading mechanism is more efficient at determining when the plugin is needed and when not.
    • Plugin no longer loads on the front-end part of the website – only on the shortcode page.
    • Removed a number of JS and CSS scripts that were loading on the frontend and were made redundant.
    • Full support for multisite networks using different domains for subsites – users are no longer required to access the network dashboard to set up 2FA.
    • Improved the CSS in the whitelabelling settings so all the text in the 2FA code page can be edited, recoloured etc.
    • Removed some code that was left in the plugin for backward compatibility (no longer required at this stage).
    • Removed all third-party admin notices from the plugin settings pages.
    • The 2FA usage reports have also been improved so they report accurate numbers on a multisite network.
    • Improved a number of error and user messages in the plugin.
    • Updated the CSS of the backup codes wizard page to have the buttons all in one line.
    • Plugin now automatically removes the extra space at the end of the one-time code if entered in the 2FA code prompt.
    • Updated the CSS of the plugin’s own admin notices so they fit better within the plugin’s UI.
    • Improved the text used in the wizards, especially the text used when setting up alternative 2FA methods.
    • All plugin strings are now available on WPML.
    • Plugin now displays the Twilio service error directly in the wizard when there are issues with the Twilio setup.
  • Bug fixes

    • Fixed: Cannot change the users phone number on Twilio unless you reset the 2FA configuration.
    • Fixed: In some edge cases admins were unable to access the plugin settings, instead they were shown the policies page.
    • Fixed: WP 2FA disconnects ManageWP sessions.
    • Fixed: Reset 2FA configuration button in user profile missing when the license quota is reached.
    • Fixed: Premium plugin ads still showing when Premium edition is activated on a multisite network.
    • Fixed: The 2FA code page styling was not being saved when only changing the 2FA button colour.
    • Fixed: A number of PHP warnings are triggered when WP 2FA is installed alongside Melapress Login Security.
    • Fixed: Expired license on multisite network leads to a blockage of logins.
    • Fixed: “Remember this device for 0 days” string shows up on the login page after rebranding the page (whitelabelling).
    • Fixed: In some cases the users were not prompted for 2FA in the /my-account page on WooCommerce.
    • Fixed: Plugin’s private key not stored in wp-config.php file after permissions are updated.
    • Fixed: Subscribers are not asked to set up 2FA even when 2FA is enforced when registering on a multisite network without subsites.
    • Fixed a number of PHP notices when running the plugin on a multisite network with a specific PHP version (older versions).
    • Fixed: Users can’t set up SMS 2FA (over Twilio) after the grace period expires.

Refer to the complete plugin changelog for more detailed information about what was new, improved and fixed in previous version updates of WP 2FA.