Two-Factor Authentication (2FA) or Two-Step Verification is an additional layer of security you add to your WordPress login pages to further harden the overall security of your WordPress site. With 2FA it is virtually impossible for attackers to hijack your WordPress user, even if they guess the password.
Two-factor authentication is also good to help mitigate WordPress brute force attacks. If you are interested in learning more about 2FA and how it works read the introduction to Two-factor authentication in WordPress.
An out-of-the-box install of WordPress does not have 2FA. You need a third-party plugin to enable it on your website. So in this article, I am going to highlight a list of the best Two-Factor Authentication WordPress plugins available.
Note: two-factor authentication does not replace the need to use strong passwords on your WordPress websites.
WP 2FA
WP 2FA is a WordPress two-factor authentication plugin we develop. We went the extra mile to make this plugin very easy to use for both the administrator managing the website, and also the users. Upon installing the plugin you are presented with a setup wizard. Users set up 2FA on their accounts via a wizard as well, so they do not need to have any technical expertise and do not need the helpdesk’s assistance.
WP 2FA supports multiple two-factor authentication protocols (such as TOTP and HOTP) and also 2FA backup codes. The features that make this WordPress 2FA plugin unique are:
- Support for multiple 2FA apps for TOTP, so users can user Authy, Google Authenticator, FreeOTP, or any other 2FA app,
- 2FA policies; website administrators can make 2FA mandatory to all WordPress users,
- Administrators can also configure which 2FA methods users can use,
- A grace period to configure 2FA (configurable by admin) for users who are required to use 2FA,
- The plugin automatically locks users who are required to use 2FA but fail to configure it within the grace period,
- Administrator can exclude specific user(s) or all users with a role from the 2FA policies.
When administrators require users to set up two-factor authentication, the plugin sends the users an email. The users also get a notification in the WordPress dashboard (screenshot below).
Two-Factor
Two-Factor is a well-maintained plugin. The 2FA settings are available on your WordPress user profile page. You can configure any of the following 2FA methods:
- Authentication codes via email
- One-time codes with the Google Authenticator app (Time Based One-Time Password)
- Universal 2nd Factor (requiring a third-party device)
The Two-Factor plugin does not have a global setting or 2FA policies to enforce 2FA on website users. The website administrator has to enable it individually for every user. Two-Factor also supports backup codes, so if you cannot generate the second factor to login to your WordPress, you can use one of the backup codes.
Google Authenticator
Google Authenticator is the first Two-factor authentication plugin I used. It is the most simple 2FA WordPress plugin, which means it is also the most basic one. Once you install the plugin visit your profile page, enable the Google Authenticator Settings, and scan the QR code with the Google Authenticator app on your smartphone. Read Google authenticator app for WordPress 2FA for instructions on how to use the app.
The next time you want to login to your WordPress website you will be asked for the username, password, and the code from the Google Authenticator app. However, being simple also means this plugin has a few shortcomings:
- The Google authenticator code placeholder is added to every user’s login page, which can be confusing. Use the Google Authenticator – Per User Prompt plugin to disable the prompt.
- There is no global option to enforce 2FA for all WordPress users. As an administrator you have to enabled it for every user individually.
- It does not support backup codes, so if you lose your phone the only way to login back to your WordPress is to delete the plugin via FTP or SSH.
WordPress 2-Step Verification
WordPress 2-Step Verification is another 2FA plugin for WordPress. It is easy to setup; once installed you can configure Two-factor authentication from your WordPress user profile page. The plugin supports the following 2FA protocols:
- Time Based One-Time Password (codes are generated via the Google Authenticator app)
- Email (authentication codes are sent via email)
The WordPress 2-Step Verification plugin also supports backup codes, which you can use if you loose access to your primary 2FA code generator. The other useful features that this plugin has are Trust this Computer and App passwords.
The Trust this Computer setting is useful if you always use the same computer. If you use it, the plugin won’t be asked for the one-time code during login for 30 days.
This plugin also has App passwords. They are permanent passwords for applications that connect to your WordPress and do not support 2FA. For example, if you have an app on your phone that connects to your website.
The only shortcoming the WordPress 2-Step Verification plugin has is that every user has to enable 2FA. Website administrators cannot enforce it.
Unloq Two Factor Authentication
Another good WordPress 2FA plugin is the Unloq Two Factor Authentication plugin. However, to use this plugin you have to install Unloq’s own smartphone app.
Getting started is easy; install the plugin and activate your Unloq account. You can do so by specifying your email address. Once you confirm the one-time code you receive via email, you can specify which of the Two-Factor Authentication methods to use:
You can also send an invitation to all of your WordPress users from a central location:
Once users receive the invite, they need to scan the QR code with the Unloq smartphone app to get started. I like this plugin because of:
- Push Notifications; instead of entering a one-time code each time you want to login you are asked to approve the login from the smartphone app.
- It works with both OTP and email as a second factor for authentication.
- You have a central location from where you can manage all the users.
- You can use the same login / setup for multiple WordPress websites that you manage.
Which is the best two-factor authentication plugin?
With so many different options, it is hard to make a choice. If you are looking for a very basic plugin go for Two-Factor or Uniloq, which has a bit more features than WordPress 2-Step Verification and Google Authenticator.
If you want a good all-rounder two-factor authentication plugin that is easy to set up and use and hassle-free, supports backup codes, and has policies to enforce two-factor authentication, we highly recommend the WP 2FA plugin for WordPress.
Using the Google Authenticator app
To generate one-time codes for two-factor authentication on WordPress you need the Google Authenticator app. Refer to how to use the Google Authenticator app to learn about all the functions of the app and how to use it.
Nicely summarized.
I plan on sharing this with my clients as well.
Thank you.
Thanks Jim.
Heya, great article on 2FA… The more we discuss it the more folks will get on board.
I wanted to draw your attention to the 2FA system provided for within our Shield Security plugin. Would you be interested to give that a look and share your thoughts with me?
Cheers!
Paul.
Thank you Paul. This article is about single scope plugins which provide 2FA functionality, hence why I did not include any other “multi-security-purpose plugins”. Yes I’d be interested in taking a look. Use our Contact Form to get in touch with me. Looking forward to hearing from you.
Looks good to me, glad to see your plugin getting better!
Done any research on what happens with these if you lose your phone? With the Google Authenticator plugin I was using just changing my iPhone was a pain…all my accounts were gone when I opened the Authenticator app on the new phone (which was restored from a backup)! Imagine if I had lost the original iPhone…
Hi Johnny,
Thanks for your comment.
This is where backup codes help, and that is why you should ensure that the plugin you use supports them. So when you loose your phone, you can use one of those codes. Also, should you not have backup codes, you can always use a last resort solution: access the website files via FTP / CPanel and rename the plugin folder to disable it. Once logged in, rename it back, activate it and reconfigure it.
I hope the above answers your question.
I need to consider install one from them on few websites of my clients after last brute force attacks. Thanks for info.
Cheers
Good idea @Adam! Definitely recommended.
I expected better things of miniOrange but had a horrible experience with them. Over time it became clear that their licensing tiers and product descriptions are misleading and designed to get you to upgrade. They need to be straight if their software is payware – if you’re after free multifactor for your users or even want to trial something before full implementation, you’re going to be disappointed in miniOrange.
I use the Google Authenticator Plugin, one thing to note is that on old android phones, there is a glitch that makes the time sequence out of whack, and you don’t have enough time to log in. So If you are planning on implementing any of these plugins in your website, make sure you have a backup done before implementation, so you can recover your account if the plugin locks you out.
Valid point Mike. In fact I do notice that from time to time I am not allowed to login even though the code is correct. Maybe it is time to upgrade the phone 🙂
Nice and precise but I have a question about SMS verification. Is it covered in these plugins or something we need to purchase like an API? I read over here https://www.cloudways.com/blog/two-factor-authentication-plugins-wordpress/ regarding WordFence and other two factor authentication WordPress plugins but I am still not sure.
The plugins I covered in this post are free plugins and do not have SMS verification. If you want SMS verification then you need to look for commercial solutions. By the way, SMS it is not a recommended and good solution for 2FA. You can read more about this here:
https://www.entrepreneur.com/article/317830
https://www.howtogeek.com/310418/why-you-shouldnt-use-sms-for-two-factor-authentication/
Sorry I’m a bit late to the party here. I don’t understand why 2FA is not deemed as 100% hacker proof. I’m using Two Factor. It works perfectly by sending the code to my email. How can any hacker get round that?
It works well, however, it has got its shortcomings. For example if an attacker hacks / gains access to your email, then he can practically reset the password and login to the website. On the other hand, if you use one time codes via a mobile app for logins, unless the attacker steals your mobile, it is virtually impossible to break 2FA. It is not recommended to use email or SMS for 2FA. Preferably you should use one time codes generated via a mobile app.
Hi Robert, I like this plugin and we use it. My question is: Does WP 2FA support “Push Notifications”?
Hello Harald, I am glad to read that you like and use our plugin. At the moment we do not support “Push Notifications” but this is something we have in our roadmap.
Please don’t forget to rate our plugin. These reviews really help us and the plugin.