Getting started with the WP 2FA plugin

Thank you for trusting WP 2FA to keep your WordPress website more secure. This guide will help you get started with the basics in no time at all.

Note: If you are using the free edition of WP 2FA, kindly go directly to Step 3 once you have installed and activated the plugin. Do keep in mind that some of the options listed in this tutorial may not be available in the free edition. Refer to the WP 2FA pricing page for a comparison chart of what’s included in each edition of the plugin.

Step 1: Download and install the WP 2FA plugin

Upon completion of the purchase process, you will receive an email that includes a download link for the plugin and your license key. Remember to check your spam folder if you do not find the email in your inbox.

You can also access your account details, including the license key and plugin download link, through the My Account page. To log in, use the email you used during the license key purchase. If you do not have the password, use the forgot password function to reset the password.

Download the plugin through the provided link and install it on your WordPress website like you would with any other plugin.

Step 2: Enter your license key

Once you have installed the plugin, you will need to activate it and enter your license key. License keys are sent via email upon confirmation of purchase. If you cannot find the license key in your inbox, make sure you check your Spam folder. If you still cannot find it, click the Can’t find your license key? option in the license prompt or open a support ticket.

Step 3: Plugin configuration wizard

When you activate the plugin, a wizard starts automatically to help you configure 2FA for your users.

Click on Let’s Get Started to continue.

Step 3.1: Select 2FA Methods

In the 2FA Methods screen, choose which 2FA methods you want to make available to your users. Available options include:

  • One-time code via 2FA App (TOTP): When using this method, users have to configure a 2FA app, such as Google Authenticator or Authy, to generate a code.
  • One-time code via email (HOTP): When using this method, users will receive a code via email to use as their 2FA OTP. Make sure your WordPress site can send emails before choosing this method.
  • One-time password via hardware key (with YubiKey): When using this method, users will need to use a hardware YubiKey device as their OTP.
  • Push notification via Authy App: When selecting this method, users will receive a push notification on their Authy App (requires configuration of an Authy API key).
  • One-time code via SMS (with Twilio): When selecting this method, users will receive their 2FA OTP as an SMS (requires configuration of a Twilio account).
  • One-time code via SMS (with Clickatell): When selecting this method, users will receive their 2FA OTP as an SMS (requires configuration of a Clickatell account).
  • Link via email: When selecting this method, users will receive a link in their email that acts as their 2FA authentication method.

You can select as many methods as you want.

Step 3.2: Select alternative 2FA methods

Alternative 2FA authentication methods give users the option to use a backup code or link via email should their primary authentication method fail. For example, if a user forgets their phone or WordPress fails to route emails correctly, the user can use a backup code to gain access to their account. This ensures that users do not get locked out. Choose all that apply:

  • Backup codes: Enable this option to allow users to receive backup codes. Backup codes are one-time use codes that are given to the user in bulk. Once a backup code is used, it cannot be used again.
  • One-time code over email: Enable this option to allow users to receive an OTP via email. Consider enabling this alternative 2FA authentication method when the primary 2FA method is set to ‘One-time code via 2FA App’.

Step 3.3: Enforce 2FA

When 2FA is enforced, users must configure it. You will be able to configure a grace period in a later step, giving users a time window to comply. When 2FA is not enforced, users can choose whether they want to set up 2FA or not. Choose from the following options:

  • All users: Enforce 2FA for all users
  • Only for specific users and roles: Enforce 2FA on specific users and roles (click this option to enter the users and/or roles you want to enforce 2FA on)
  • Do not enforce 2FA on any users: Does not enforce 2FA and leaves it optional

Click on CONTINUE SETUP once ready.

Step 3.4: Exclude 2FA

Just like you can choose whether you want to enforce 2FA or not, you can also exclude it for specific users and roles. Excluded users will not be able to set up 2FA. Choose from the following options or leave empty to not exclude anyone.

  • Exclude the following users: Enter the usernames of any users you would like to exclude from being able to set up 2FA
  • Exclude the following roles: Enter the role names of any user roles you would like to exclude from being able to set up 2FA

Click on CONTINUE SETUP once ready.

Step 3.5: Configure 2FA grace period

If you chose to enforce 2FA, here you can set up a grace period. The grace period is the time window within which users who are required to use 2FA must configure it.

  • Users have to configure 2FA straight away: Choose this option to force users to configure 2FA straight away
  • Give users a grace period to configure 2FA: Choose this option to give users a time window in which to configure 2FA

If you chose to give users a grace period in the previous step, you will need to configure what happens if they do not configure 2FA within the allocated timeframe:

  • Do not let them access the dashboard/user page once they log in until they configure 2FA: Choose this option to force users to configure 2FA before they proceed to the dashboard/user page
  • Block the user (administrators have to manually unblock them): Choose this option to block the account. An administrator will have to manually unblock the account

For more information about available configuration options, refer to the WP 2FA knowledge base.

You can also configure how you would like users to be informed that they are required to set up 2FA. Through this reminder, you can ensure users have ample notification to set up their 2FA before the grace period runs out. Available options include:

  • Show an admin notice in the dashboard: Users will see an admin notice in their WordPress dashboard
  • Show a notification on a page of its own: Users will temporarily be redirected to a page after they log in to WordPress, after which they can proceed to the dashboard

Click on ALL DONE once ready.
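
Before rolling out the enforcement, exclusion and grace-period options described above, it helps to preview which accounts each combination affects. The following is an added example, not WP 2FA's own code: the field names, outcome labels, sample accounts and the rule that exclusion takes precedence over enforcement are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Policy:
    # Hypothetical field names mirroring the wizard options (not plugin setting keys).
    enforce: str = "none"                  # "all", "specific" or "none"
    enforced_users: set = field(default_factory=set)
    enforced_roles: set = field(default_factory=set)
    excluded_users: set = field(default_factory=set)
    excluded_roles: set = field(default_factory=set)
    grace: timedelta = timedelta(0)        # zero means "configure straight away"
    on_expiry: str = "force_setup"         # or "block"

def login_outcome(policy, user, roles, has_2fa, enforced_at, now):
    """Return what the chosen options imply for one user at login."""
    roles = set(roles)
    # Assumption: exclusion wins, because excluded users cannot set up 2FA at all.
    if user in policy.excluded_users or roles & policy.excluded_roles:
        return "excluded"
    if has_2fa:
        return "2fa_at_login"
    enforced = policy.enforce == "all" or (
        policy.enforce == "specific"
        and (user in policy.enforced_users or bool(roles & policy.enforced_roles)))
    if not enforced:
        return "optional"
    if now < enforced_at + policy.grace:
        return "grace_reminder"
    return "blocked" if policy.on_expiry == "block" else "must_configure_now"

# Constructed sample accounts: (username, roles, has_2fa)
USERS = [
    ("alice", ["administrator"], True),
    ("bob", ["editor"], False),
    ("carol", ["subscriber"], False),
    ("svc-backup", ["administrator"], False),
]

def rollout_report(policy, users, enforced_at, now):
    # Group usernames by outcome so lockouts and unprotected accounts stand out.
    report = {}
    for name, roles, has_2fa in users:
        outcome = login_outcome(policy, name, roles, has_2fa, enforced_at, now)
        report.setdefault(outcome, []).append(name)
    return report

if __name__ == "__main__":
    p = Policy(enforce="all", excluded_users={"svc-backup"},
               grace=timedelta(days=3), on_expiry="block")
    print(rollout_report(p, USERS, datetime(2024, 1, 1), datetime(2024, 1, 5)))
```

Accounts that land in "excluded" while holding a privileged role, and accounts that would land in "blocked" once the grace period ends, are the ones to review before enforcing.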

Step 4: Configure 2FA for your account

Now that you have finalized the initial WP 2FA configuration, you can configure 2FA for your WordPress user account.

Alternatively, you can choose to close the wizard and configure 2FA later.

The initial configuration wizard helps you configure all of the basic features to get 2FA running on your WordPress in no time. However, the plugin offers more features to help you secure your site even more. Be sure to check the WP 2FA knowledge base for even more tutorials on how to use the plugin to its fullest extent.