Chykalophia Docs

Turning on two-factor login

Learn how to set up two-factor authentication on your WordPress site to protect against unauthorized login.

wordpress, security, access, beginner

Two-factor authentication (often called 2FA or two-step login) adds a second layer of security to your WordPress login. Even if someone gets your password, they still can't log in without the second factor. It's one of the most effective security measures you can take.

Quick summary

Install a 2FA plugin like WP 2FA, set it up with an authenticator app on your phone, and enable it for all Administrator accounts. After setup, you'll enter your password plus a short code from your phone each time you log in.

What you'll need

Beginner, 15 minutes
  • Administrator access to your WordPress site
  • A smartphone with an authenticator app installed

What is two-factor authentication?

When you log in to WordPress normally, you enter one thing: your password. Two-factor authentication requires two things:

  1. Something you know — your password
  2. Something you have — a code from your phone (generated by an app)

Even if an attacker guesses or steals your password, they'd also need physical access to your phone. That combination is what makes 2FA so effective.

Step 1: Install an authenticator app on your phone

You'll need an authenticator app. Good free options include:

  • Google Authenticator (iOS and Android)
  • Authy (iOS and Android — also lets you back up your codes)
  • Microsoft Authenticator (iOS and Android)

Download one from your phone's app store before continuing.

Which app should I use?

All three options above are reliable. Authy has the advantage of cloud backup — if you lose your phone, you can recover your codes. For most people, any of the three works well.

Step 2: Install a 2FA plugin on WordPress

WordPress doesn't include two-factor authentication out of the box — you need a plugin.

  1. Go to Plugins → Add New Plugin in your WordPress dashboard.
  2. Search for "WP 2FA" — it's a widely used, well-maintained option with a straightforward setup.
  3. Install and activate the plugin.

Some security plugins (like Wordfence) also include 2FA as part of their feature set. If you already use Wordfence, you can use that instead of adding another plugin.

Step 3: Set up 2FA for your account

  1. Open the WP 2FA plugin settings. It usually runs a setup wizard when first activated — follow its prompts.
  2. Choose your 2FA method. Select "One-time password (TOTP)" — this is the authenticator app method.
  3. Scan the QR code. Open your authenticator app, tap the option to add a new account, and scan the QR code shown on screen. The app will generate your WordPress entry automatically.
  4. Enter the six-digit code shown in your authenticator app to confirm the connection is working.
  5. Save your backup codes. The plugin will show a set of single-use backup codes. Write these down or print them and keep them somewhere safe — they let you get back in if you lose access to your phone.
  6. Complete the setup. From now on, logging in to WordPress will require your password plus a code from your app.

Save your backup codes in a safe place

If you lose access to your authenticator app and don't have your backup codes, you could be locked out of your own site. Keep backup codes printed and stored safely — not just on your phone.

Step 4: Require 2FA for all Administrators

One person using 2FA helps. Everyone with Administrator access using it is much better.

In WP 2FA settings, look for a policy option to require 2FA for specific user roles. Enable it for Administrators at minimum. The plugin can be configured to give other users a grace period to set it up themselves.

Logging in with 2FA

After setup, the login process changes slightly:

  1. Enter your username and password as normal.
  2. Open your authenticator app and find your WordPress entry. You'll see a six-digit code.
  3. Enter the code in the field that appears after your password. Codes refresh every 30 seconds — if it expires while you're typing, wait for the next one.
  4. Click Log In. You're in.
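
For readers who want to see what the QR code and the six-digit code actually are, here is an added example (not part of the original guide and not WP 2FA's own code) of the standard TOTP calculation from RFC 6238 in Python. The `SAMPLE_URI` is constructed from the RFC's published test key, and the `window` parameter is a hypothetical drift allowance, not a documented plugin setting.

```python
import base64, hashlib, hmac, struct
from urllib.parse import parse_qs, urlparse

# Constructed sample of what an enrollment QR code encodes (not a real account).
# The secret is the RFC 6238 test key "12345678901234567890" in Base32.
SAMPLE_URI = (
    "otpauth://totp/ExampleSite:admin"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleSite&period=30&digits=6"
)

def secret_from_uri(uri):
    """Extract the shared secret (raw bytes) from an otpauth:// URI."""
    params = parse_qs(urlparse(uri).query)
    return base64.b32decode(params["secret"][0].upper())

def totp(secret, unix_time, period=30, digits=6):
    """RFC 6238 code (HMAC-SHA1): depends only on the secret and the time step."""
    counter = int(unix_time) // period            # changes every `period` seconds
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret, submitted, unix_time, period=30, window=0):
    """Server-side check. `window` (assumption) accepts that many steps of drift."""
    for step in range(-window, window + 1):
        expected = totp(secret, unix_time + step * period, period)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return True
    return False

if __name__ == "__main__":
    key = secret_from_uri(SAMPLE_URI)
    code = totp(key, 59)                          # last second of one 30 s step
    print("code at t=59:", code)
    print("accepted at t=59:", verify(key, code, 59))
    print("accepted at t=60:", verify(key, code, 60))  # next step: expired
    print("accepted at t=60, window=1:", verify(key, code, 60, window=1))
```

The QR code carries the shared secret itself, so anyone who captures it can generate the same codes; treat a screenshot of it like a password.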

Need a hand?

If you're stuck, email support@chykalophia.com and we'll help. Include your website address and a screenshot if you can.
