WP 2FA release notes

On this page, you’ll find a highlight of what is new and improved with every update release of the WP 2FA plugin. Entries are listed in chronological order, starting from the most recent at the top. For a complete and detailed list of all changes, including bug fixes, please refer to the WP 2FA plugin change log.

Update 2.6.4

Date: 7th March 2024

In this update we made a minor change that should drastically help in solving many email deliverability problems. From this update onward the “from email address” the plugin uses by default includes the website’s domain, for example wp2fa@melapress.com. Previously it was using the admin notification email configured in the WordPress settings, however, very often this address has a different domain, therefore there were relaying problems.

On top of the above, we also included a number of bug fixes and generic plugin improvements.

Update 2.6.3

Date: 15th February 2024

Update 2.6.3 was mainly released to address a security issue reported by Rafi Muhammad. However, other bug fixes and a few minor plugin improvements were also included in this update.

Update 2.6.2

Date: 7th February 2024

Update 2.6.2 mainly features support for the new premium plans that will be introduced later on and a few minor bug fixes (maintenance update).

Update 2.6.1

Date: 19th December 2023

Update 2.6.1 is a followup / maintenance release to 2.6.0, mainly fixing an issue in the upgrade process that was resetting the configuration in some edge cases.

Update 2.6.0

Date: 13th December 2023

In update 2.6 we focused on a number of new features and improvements that have been requested by the plugin’s users. There are no big features and announcements, just a solid number of updates that improves the user experience (UX). In this update we wanted to give the administrators more tools to make it easier for them to get their websites’ users onboard with 2FA.

New plugin features

Configure the order of how 2FA methods are displayed

The order of the 2FA methods and how they are presented to the users can be changed from the plugin’s configuration via a simple drag and drop interface. For example, if you’d like to push 2FA over email with the subscribers while still leaving the TOTP option for those who want, you can create a policy for the subscriber user role and configure the 2FA over email method to be listed as the first option.

Plugin settings import and export

With the plugin settings importer and exporter tool you can easily create a settings template so you can replicate the same settings / setup to other installs on other websites. With this tool deploying the plugin on a different number of websites, while also retaining the standard you want when it comes to 2FA policies and plugin configuration has become really easier and quicker.

Plugin improvements

  • Added a number of checks and notifications to the “from email address” and the email configuration settings to help admins ensure their website’s email configuration and improve email deliverability.
  • View QR code of configured TOTP: up until now it was not possible to view the QR code once you set up TOTP, hence it was not possible to add your WordPress user 2FA setup to multiple devices. However, with the new update you can see the QR code of a configured 2FA setup with just a click of a button from the user’s profile page, making it really easy to add the user’s 2FA configuration to multiple devices.
  • Included a number of scalability enhancements to the reports module so admins can now create reports even on websites with tens of thousands of users without the need to increase the PHP timeout limit.
  • Improved some of the wizard’s and plugin’s help text to better explain all the settings to the users, thus helping users with the 2FA setup and use.

Security and bug fixes

In this update we have also fixed 13 issues, and two security issues reported by Ulyses Saicha. Please refer to the plugin’s change log for a complete and detailed list of all the changes in this update.

Update 2.5.0

Update brings some big changes to the table with new features, solid improvements, and fixes that will surely elevate the 2FA experience for both customers and their users.

New features

Here are some of the new features that you can look forward to when upgrading to this version of WP 2FA:

2FA password reset

Add an extra layer of security to password resets by automatically sending a one-time code via email that the user needs to enter to complete the reset. This feature can be configured for all users, even those who do not have 2FA set up.

2FA code page CSS editor

Take white labeling to the next level using the built-in CSS editor. Apply your own CSS code to the 2FA code page and match your branding to a T.

Better multisite support

Have WP 2FA create a separate 2FA front page for each child site in the network.


Several improvements have been made to this version, improving some of the great features already present and available in WP 2FA.

More customization options

We have added the backup code email to the list of editable email templates, making this email fully editable. SMS 2FA text, used in wizards, login pages, etc, has also been added to the white-labeling options.

Smoother onboarding

The user private key is now regenerated every time the process is started but not finished, ensuring a smoother configuration process in cases where the user does not finish configuring 2FA and restarts the process later.

Better multisite compatibility

We have also updated the “user count” licensing logic on multisite networks for a more accurate user count. The plugin is now also fully compatible with Flywheel’s and WP Engine’s seamless sign-on (no sign-in required).


WP 2FA version includes several bug fixes for a smoother, trouble-free WordPress 2FA experience. Some of the issues we fixed include:

  • Fixed an issue where users’ Twilio phone numbers can’t be changed unless the 2FA configuration is reset
  • Fixed an issue where WP 2FA disconnects ManageWP sessions
  • Fixed an issue where users can’t set up SMS 2FA (over Twilio) after the grace period expires

Update 2.4.1

What’s new?

Backup codes are a no-fuss way to avoid user lockouts. In the previous release, we made adjustments to ensure they receive more prominence. In this release, we have added a button to have the codes automatically sent to the user’s email address – neat!

What’s improved?

We have made several UI and UX improvements, including improvements to texts and layouts for smoother configuration processes and management. We have also made several changes to the licensing mechanism to ensure users can continue to work even when quotas are reached or exceeded.

Other improvements include updates to the CSS file of the WooCommerce 2FA notification in the portal and many others. It’s also worth noting that we have added a dashboard notification with instructions on how to manually copy the private encryption key to the wp-config file.

What’s fixed?

We have fixed an issue where premium users were not getting an update notification. A separate email with further details has been sent to all premium license holders. Kindly check your email if you currently have a WP 2FA premium license.

Other fixes include the addition of missing strings in the translation file and a number of other fixes.

Update 2.4.0

SMS OTPs via Twilio

Last year, Twilio, the parent company of Authy, started the process of deprecating the Authy API. To this end, we have moved SMS OTP delivery to work via Twilio. The process is now easier to set up and manage, ensuring a more reliable service. Refer to the 2FA knowledge base for more information on how to set up SMS OTP delivery via Twilio.

One-click integration with WooCommerce

We have made improvements to the way WP 2FA integrates with WooCommerce. You can now add 2FA to your WooCommerce at the click of a button, helping you achieve faster deployment times while maximizing security.

one-click integration with woocommerce

Add WP 2FA to WooCommerce

Once you add WP 2FA to WordPress, provided that the 2FA policies cater to your WooCommerce users, users will be able to set up 2FA. If a grace period has been configured, the plugin will also display a notification to remind users to set up 2FA. This notification will include links to configure 2FA or set up a reminder.

notification of grace period

Notification of grace period.


We have also made several improvements to the plugin, with the below features being notably noteworthy:

White labeling – We have made several improvements to the white labeling settings, giving administrators and website owners an even greater degree of customization control.

Less configuration – We have also updated the default grace period setting to force the user to set 2FA rather than face account lockout. While this feature remains optional, it can help you avoid user lockouts if you accept the default values.

Prominence to alternative methods – To make sure administrators have fewer helpdesk requests due to lockouts, we have given alternative methods more prominence, thus encouraging users to take advantage of this functionality

Other notable improvements include a number of UX and UI enhancements, among others.

Bug fixes

This version includes a number of bug fixes, including PHP warnings in the free edition and the plugin sending duplicate emails.

Update 2.3.0

This latest release features some important updates across the board – making it an essential update that users will surely benefit from.

More white labeling options

To help WordPress administrators and website owners in the deployment and management of 2FA, we have increased the available white-labeling options. These options allow many aspects of WP 2FA to be customized in various ways, including matching your branding elements. This can help you increase trust and confidence among your users, mitigating any possible friction and shortening the learning curve.

We have added white labeling options to the user 2FA wizards, which are now fully customizable. Available options include options to change the look and feel via CSS and text using the options available in the plugin’s user interface.

Furthermore, you can now add a new first step in the wizard, where you can add any text and links you want, such as user instructions and agreements, among other things. For more information on how to customize the user experience, refer to the WP 2FA white labeling settings and options.

Straightforward licensing

Following customer feedback, we are updating how the plugin’s license works. From this version onwards, you only need licenses for users configuring 2FA – regardless of how many users can or must enable 2FA.

This simplification in the licensing model means that every time a user configures 2FA, one license is used from the available pool. Once the pool runs out, you can simply purchase more licenses at a prorated rate.

Better security

All 2FA keys and sensitive data in the WordPress database were always encrypted using an encryption key in the database. However, now we’ve taken it a step further; the plugin uses the WordPress website salts as private keys to save the data in the database, ensuring better security. This helps you ensure data remains as secure as possible, even in the event of a database data breach.

Other noteworthy updates

Version 2.3.0 also includes several other improvements and updates to ensure a better user experience and better stability. Some other noteworthy updates we have included in this build are:

  • Several UI and styling improvements in the plugin’s settings pages
  • Better out-of-the-box support for websites on which access to wp-login.php & wp-admin is blocked
  • Implemented several improvements for better support of 2FA on multisite networks. For example, super administrators are no longer required to have a role on a sub-site to use 2FA.
  • Improved the comparison of authentication codes as an extra security precaution to ensure the plugin is not vulnerable to time-based side-channel attacks.
  • Applied several maintenance and WP coding standards checks to improve the overall performance and stability of the plugin.

Update 2.2.0

This version introduces a number of new 2FA methods as well as several improvements and bug fixes to ensure WordPress administrators, owners, and users alike have the best 2FA experience on WordPress yet. Find out more!

Integration with Authy 2FA service for more 2FA methods

The main highlight of this release is the addition of the Authy 2FA service integration – allowing WordPress administrators to leverage the flexibility that this 2FA platform offers. Through Authy, administrators can set up and use different types of 2FA methods, including:

  • Push notifications
  • SMS
  • WhatsApp
  • Phone calls
  • TOTP authenticator app
  • Email

This new feature allows WordPress website administrators to easily take advantage of the superior 2FA methods and services provided by Authy, bolstering their WordPress security efforts.

Other noteworthy mentions

Exclude users from any 2FA enforcement policy

Another great feature that makes an introduction in this version update is the ability to exclude users or roles regardless of which users and roles you are enforcing 2FA on. This feature adds flexibility in environments where users may have multiple roles helping you make sure you are able to implement 2FA even in complex environments.

Also in this update:

  • Removed the word “WordPress” from all 2FA user wizards (a heavily requested change)
  • Improved the module that checks which 2FA policies apply to a user during login
  • Implemented several minor UI and UX updates.

Update 1.7.0

In this update, we focused on rewriting many parts of the plugin, which allow for better performance, design, and reliability.

Let’s dive right in to see what is new, improved, and fixed in this update.

What’s new?

With every new update released, we continue to enhance the efficiency of our code, making the plugin more stable and easy to use. In this update, we have rewritten many sections of the code & redesigned the way the plugin works. The result is one big improvement, which is noticeable from the plugin’s responsiveness.

In addition, administrators and users alike can benefit from the UX & UI improvements of all the 2FA wizards, which allow for a better and easier installation and 2FA configuration process. We also have a new plugin logo, and we have added it to the 2FA wizard.

With so many updates packed in this release, the plugin now performs much better, and it also makes it easier for admins to manage their users and enforce 2FA reliably. Below are the noteworthy plugin improvements:

  • Refactored the plugin (major improvements in terms of product design, performance, & reliability).
  • Refactored the way the plugin saves and retrieves user 2FA properties.
  • Added a number of new tags that can be used in the plugin’s email templates.
  • Improved the way and logic of how the plugin works on a multisite network.
  • Improved the handling of users with super admin privileges in the 2FA policies.
  • Improved the first-time install wizard (both UX and UI)
  • Improved the user 2FA wizard (both UX and UI)
  • A new plugin logo (you can change or remove the plugin logo from the 2FA wizard)

Update 1.6.0

Check the 2FA status of all users

The highlight of this update is the new feature that allows administrators to get an overview of the “2FA status” of all their website users. Prior to adding this new feature, it was quite hard for administrators to quickly check who configured what.

Now admins can easily refer to the newly added 2FA status column, which surely allows for better user management.

They can see which users have or haven’t configured 2FA, which users are required to configure 2FA via policies and which have not, and much more. For more details on this feature and a complete list of all the different user statuses, refer to the WordPress user 2FA status feature documentation.

check the 2fa status of all users

The user 2FA Status column in WordPress

Enforce 2FA on multisite network individual sites

With this update, site administrators can now configure 2FA policies to require all users of an individual site on a multisite network to set up and use two-factor authentication.

This new policy allows you to faster configure and enforce 2FA for users on a sub-site rather than having to enforce policies for every individual user. All this will definitely save you a lot of time and can help you to better manage your multisite network.

Custom redirection after the 2FA wizard is completed

This new feature was mostly requested by e-commerce and membership websites as it allows for better branding and more personalized service.

Administrators can now easily redirect users who complete the 2FA setup to a custom URL. To redirect users after they set up two-factor authentication, just specify the URL in the setting Redirect user after 2FA setup to. Site administrators also have the option to configure different redirect URLs for users configuring 2FA through the dashboard vs. users configuring 2FA through the front-end wizard, as explained in the documentation, redirect users to a custom URL after 2FA setup.

Setting to change the 2FA code page text

Users can now personalize the text on the 2FA code page. By having a more personalized message, you are not only improving the ease of use for the user but also enhancing the branding of your website. Change the text from the 2FA code page text option in the plugin’s settings.

setting to change the 2fa code page text

Custom 2FA code page text

Restrict the 2FA plugin settings to all other administrators
By default, the plugin settings are accessible and can be configured by all administrators on the website. With this update, administrators can now restrict access to the 2FA plugin setting, so they are restricted only to them.

This allows for better security and gives you more control over what all your other administrators can see.

Other noteworthy highlights

In this update of the plugin, we have also improved and fixed many other things. Below is a highlight of the improvements worth a shoutout:

  • Backup codes are now optional – administrators can disable them, so the plugin does not suggest users create them
  • Standardized the text and button labels on the 2FA code page
  • Removed reference to “WordPress” from the wizard (for users who do not want to show that they are using WordPress)

Update 1.5.0

The highlight of this update is the new fully responsive 2FA wizard and a much improved and efficient code.

In this update, we have also improved a lot of under-the-hood things. Let’s dive right in for a highlight of what’s new, improved, and changed in this update of the WP 2FA plugin.

New fully responsive 2FA wizard

With this new update of the two-factor authentication plugin for WordPress, users can now set up 2FA from their smartphones, tablets, and other devices without the need to use a computer.

new fully responsive 2fa wizard

2FA reminder on mobile devices

This makes 2FA easily accessible to many more users who might not have a laptop or computer. Therefore site administrators can now be certain that all their users can set up 2FA without worrying about the security of their websites.

2fa mobile setup wizard

2FA mobile setup wizard

We believe that this is the right direction. Thus, it’s only fair that our plugin becomes more accessible to more people.

Much improved & more efficient code

As usual, with every update, we are trying to improve the efficiency of our code and make the plugin more stable. For instance, we have removed all the duplicate CSS and JS from the wizards, making them much lighter.

In addition to that, we’ve improved how the plugin saves and retrieves settings and also moved a lot of processes as background tasks.

With all these performance updates, the plugin is now much lighter and faster, which means that it can be used on big websites with thousands of users, and it has a much easier code to maintain.

Other noteworthy plugin improvements

In this update of the plugin, we have also improved and fixed a lot of under-the-hood things. Below is a highlight of what we improved:

  • Applied several minor UI and UX improvements to the 2FA wizard, making it more intuitive and better looking
  • Backup codes do not need to be regenerated whenever the 2FA method is reset, resulting in much less work for the users
  • Administrators can now reset a user’s 2FA configuration from their profile page, allowing an easier user management

Update 1.4.2

WP 2FA 1.4.2 comes with a good number of improvements. This update will benefit mostly those who want to set up two-factor authentication on a multisite network or have multiple-word user roles, such as shop manager in WooCommerce.

However, there is much more to this update than just that. Let’s dive right in to see what else is new, improved, and fixed in this exciting update.

Improved 2FA policies & multisite network support

In this version update of the WP 2FA plugin, we have added new specific two-factor authentication (2FA) policies for multisite networks.

improved 2fa policies & multisite network support

2FA policies on a multisite network

With this update, site admins can configure a policy to enforce 2FA only to the super admins on a multisite network, which previously was not available.

Better user experience when 2FA is enforced

When site administrators required users to instantly set up 2FA, the WP 2FA plugin was terminating the sessions of currently logged-in users. This led to a few user session problems. In some cases, users were unable to complete the 2FA wizard.

better user experience when 2fa is enforced

The user is required to set up and use 2FA

We have reviewed and improved this process and have also eliminated the known issues. From now onward, when the admin requires users to instantly set up 2FA, existing users’ sessions will be retained. However, they will be redirected to the 2FA wizard and won’t be able to access the dashboard until they set up 2FA.

Other noteworthy plugin improvements

In this update, we have also included the following updates in the plugin:

  • New setting to restrict access to the 2FA settings and policies
  • Plugin now supports user roles names with spaces
  • The date and time strings are also translatable
  • Plugin now uses the date and time formats configured in WordPress
  • Improved the responsiveness of the 2FA app wizard (fully responsive UI available from next update)
  • Improved user error reporting for better UX
  • Added a test email template and test email system buttons to allow users to test the emails

Update 1.4.0

Today, we are releasing an update in which we have added support for a number of 2FA apps. This means that users are no longer restricted to using only the Google Authenticator app.

In this update, we have also added a handful of several other new features and a good number of improvements. Let’s dive right in to see what is new and shiny in this update.

Support for Authy and many other 2FA apps

In this update of our 2FA plugin, we have added support for the following two-factor authentication apps; Authy, Duo Security, FreeOTP, Microsoft Authenticator, and LastPass.

support for authy and many other 2fa apps

Configuring 2FA with a one-time code from an app

You do not have to specifically use Google Authenticator now. If you are already using one of these 2FA apps for your business, you can now use it to generate the one-time login code to log in to your WordPress site!

For more information on the 2FA apps and how to set them up, refer to configuring WordPress 2FA with your preferred mobile app.

Policy to require users to instantly configure and use 2FA

By default, when you enable the two-factor authentication (2FA) policies with the WP 2FA plugin, users have a grace period during which they have to 2FA. However, during the grace period, they can still log in to the website without 2FA.

Some business sites have very strict security requirements. They require users to configure and use 2FA as soon as the policies are enforced. There is no grace period. With this new update site admin can now do that. All you need to do is select the option Users have to configure 2FA straight away in the plugin configuration.

Once you enable this setting, the next time users log in to your WordPress website, they have to configure two-factor authentication before they can access any section of your website.

policy to require users to instantly configure and use 2fa

Require users to set up and use 2FA instantly

Choose when the plugin sends emails and not

When you enable the two-factor authentication policies, the plugin automatically notifies those users for whom the policies apply via email to configure 2FA. The plugin also sends an email to those users who have not yet configured 2FA whenever you change the settings, as reminder.

choose when the plugin sends emails and not

Confirmation to send emails or just save settings

From this update onward, whenever you make a setting change, the plugin confirms if you want to notify the users again or simply save the settings without sending any emails.

Other notable WP 2FA updates

In this update of the plugin, we have also improved and fixed many other things. Below is a highlight of what we improved:

  • Plugin is now fully scalable; it can be installed on websites with more than 100,000+ users
  • Added a new setting to disallow users from disabling 2FA from their profiles
  • Reviewed and improved the instruction and help text
  • Simplified and also enriched the 2FA wizard
  • Added notification with the tag and URL information for when the front-end 2FA configuration page is enabled

Update 1.3.0

With this update of our two-factor authentication plugin for WordPress, all site users, members, and customers can set up 2FA from a website page. They do not need to have access to the WordPress dashboard.

In this release post, we explain how we are supporting custom user profile pages and also highlight what else is new and improved in WP 2FA update 1.3.

The 2FA setup website page

In this update of the plugin, we added the new front-end website page from where authenticated users can configure 2FA for their user accounts. This means that they do not need to have access to the dashboard to set up 2FA.

the 2fa setup website page

Configuring a custom 2FA configuration page

Once this feature is enabled and a URL is specified, the plugin creates a page that can only be accessed by authenticated users. Users do not need to have access to the WordPress dashboard to set up two-factor authentication for their WordPress user. When you create the custom page, your users will be redirected to your new custom page from the dashboard notice, as well as have access to the traditional setup wizard too.

Read the 2FA setup website page support document for more detailed information on this feature.

Shortcodes to fully customize the 2FA experience

In this update, we have also included a number of shortcodes, which you can use if you do not want to use a dedicated page for the 2FA settings.

Read the WP 2FA shortcodes documentation for more information on how you can include the 2FA user configuration settings and notifications in any of your custom pages, and also style the plugin’s notifications and text to match your business’ branding.

Improved 2FA policies

One of the key features our plugin offers are the two-factor authentication (2FA) policies. Up until this update, if you wanted to enforce 2FA, you could configure your 2FA policy for users based on one of three criteria –

  • Enforce 2FA on all Users
  • Enforce 2FA on users with a role (or several roles)
  • Enforce 2FA on specific users

Whilst we felt this was a flexible approach, we realized that we could make this even better by combining the role/username options, allowing you to apply your 2FA policy to not only users with a specific role but also to specific users at the same time.

improved 2fa policies

The 2FA user policies in the WP 2FA plugin

So what does this mean? Well, as of this update, you could enforce 2FA on all users with the role “subscriber” or “editor,” like you could before – but you can also then enforce 2FA on specific users (regardless of role), all in the same policy.

What happens to my current policy?

If you’re already using WP 2FA and have your policies set up to apply to specific roles or users, these will automatically be inherited when you update to version 1.3, so you can continue to use the plugin as normal, or if you wish, you can make use of the new feature and expand your policies to make your site even more secure.

Update 1.2.0

The highlights of this update are support for WordPress multisite network, configurable email templates, and out-of-the-box support for custom login pages. These notes highlight what is new, improved, and fixed in this update of WP 2FA.

WordPress Multisite network support

Since with WP 2FA you can enable policies to make two-factor authentication mandatory, a lot have asked us to support multisite networks. Typically, multisite networks have many more users. So 2FA is even more important in such setups. So in this update, we added support for multisite.

WP 2FA supports multisite networks right out of the box. There is no need for extra configuration. Simply install the plugin and configure the 2FA policies from the network dashboard. You can even exclude a whole site from the 2FA policies on the multisite network.

wordpress multisite network support

The WP 2FA plugin multisite network settings

Configurable email notifications templates

The WP 2FA plugin uses a number of emails to advise users about policies, account lockouts, and more. With this update, you can now change the text in the email notifications using the easy-to-use email text editor in the plugin.

configurable email notifications templates

The email notification templates in WP 2FA

You can also configure the ‘from’ email address and display name the plugin uses in its emails, as explained in configuring the 2FA email notifications templates.

Other notable plugin features & updates

In this update, we have also added the following:

  • Out-of-the-box support for custom login pages; if you use a custom login page, you can still use WP 2FA without requiring any customization.
  • Support for post-login redirects; if, after logging in, you redirect users to a non-default page, the plugin redirects the users to the correct page after authenticating.
  • 2FA policies are now properly enforced when a user’s role is changed, or a new user is created after the policies have been applied.