How to Set Up WordPress Two-Factor Authentication: WP 2FA Review

Want to add two-factor authentication to WordPress?

WordPress two-factor authentication can help you secure your WordPress site by protecting your own WordPress account, as well as the accounts of other users at your site.

When it comes to setting up two factor auth on WordPress, the freemium WP 2FA plugin offers one of the most polished, flexible solutions. It can work equally well for personal websites as well as large organizations that need custom two-factor policies.

In our WP 2FA review, we’ll start by briefly discussing the plugin’s features. Then, we’ll share a step-by-step guide on how to set up two factor auth on WordPress using the plugin.

Let’s dig in!

WP 2FA Review: A Quick Look at the Features

We won’t go too in-depth with looking at the features in this first section because you’ll see all of this in the more hands-on section of our WP 2FA review / tutorial.

You can also find all of the features on the WP 2FA website.

But, before we get started, here’s a quick look at the features that make WP 2FA one of the best WordPress two-factor authentication plugins:

• Multiple two-factor methods – you can choose from email, SMS/text message, any authenticator app (e.g. Google Authenticator), and/or push notifications (via Authy). There’s also an option to generate one-time backup codes.
• User-friendly interface (frontend and backend) – users can manage two-factor from the WordPress dashboard as well as from the frontend of your site.
• Flexible two-factor policies – you can create customized two-factor policies, such as requiring two-factor for some users but not others.
• White labeling – you can white label all parts of the WP 2FA interface to make it match your brand.
• Trusted devices – you can save a device as “trusted” for a certain amount of time so that you don’t need to re-do two-factor on that device.
• Integrations – it offers out-of-the-box integrations for WooCommerce and many membership plugins.

The WP 2FA plugin comes from WP White Security, the same team behind the popular WP Activity Log plugin – you can learn more about that in our WP Activity Log review.

How to Set Up WordPress Two-Factor Authentication With WP 2FA

Now, let’s get into the step-by-step guide on how to set up WordPress two factor auth using WP 2FA.

For this tutorial, we have the premium version of the plugin installed on our site. However, there’s also a free version of the plugin at WordPress.org and the basic steps will be the same for that version.

That is, you can follow along with this whether you’re using the free version or the paid version.

1. Install Plugin and Complete Setup Wizard

When you first install and activate the WP 2FA plugin, it will automatically launch a setup wizard to help you complete some important basic configuration steps.

For the first step, you’ll choose your preferred two-factor authentication method(s) from five different options.

You can choose as many or as few options as you want. If you provide multiple methods, users will be able to choose which method to authenticate with.

Some of them – such as sending SMS messages via Twilio – will require some additional setup. More on that later.

On the next step, you can enable alternative methods, such as letting users generate one-time backup codes that they can use if they lose their primary method.

Next, you can choose your 2FA policy – AKA which users should be required to use two-factor authentication. You have three option:

1. All users – require all users to configure and use two-factor authentication. Later on, you can configure other settings, such as a grace period to set it up.
2. Only for specific users and roles – only require certain users to use two-factor authentication. For example, you can require Administrators and Editors to use two-factor authentication, but not Authors or Subscribers. You can also just require it for specific user names.
3. Do not enforce on any users – do not force any users to use two-factor authentication – just provide it as an option for them if they want to protect their accounts.

If you choose one of the first two options, the next step will give you an option to manually exclude certain users. 

You won’t see this step if you choose not to enforce 2fa for any users.

Finally, the last step lets you configure your grace period. This lets you give new users a certain amount of time to set up two-factor authentication.

For example, you could give them three days before you start enforcing the rule.

Alternatively, you can select the Users have to configure 2FA straight away option to force users to set it up immediately.

And that’s it for the setup wizard!

2. Configure 2FA For Your Own Account

Once you’ve completed the setup wizard, the next step is to configure two-factor authentication for your own account:

1. Go to Users ? Profile in your WordPress dashboard to open your own user profile.
2. Scroll down to the Two-factor authentication settings section.
3. Click the Configure 2FA button.

You’ll now see a popup that lets you choose from the available two-factor authentication methods that you chose in the setup wizard:

For example, if you choose the 2FA app option (e.g. Google Authenticator), you’ll be prompted to configure your 2FA app by scanning the QR code:

The plugin will automatically add your site’s domain name and your user account to the two-factor app (if applicable):

The plugin will then ask you to enter the authentication code to validate that you’ve properly configured your app:

After that, the plugin will also prompt you to set up a backup method. For example, you could download some one-time use backup codes in case you can’t generate a code from the app:

You can send the codes via email, print them, or copy them to your clipboard:

And that’s it! Your WordPress admin account is now benefiting from two-factor authentication.

The setup process will be similar for other users at your site – I’ll show you an example a little later on.

3. Further Configure Your 2FA Policies

While the WP 2FA setup wizard lets you set up basic policies for WordPress two-factor authentication, the plugin’s full settings area gives you even more control.

To access these settings, go to WP 2FA ? 2FA Policies.

Here, you can configure sitewide policies. Or, you can also set up completely different policies based on different user roles, which you can select using the drop-down.

Here are some of the new settings that you get that weren’t part of the setup wizard:

• Email authentication links – choose how long they’re valid for and which emails people can use.
• Remember this device – choose whether to allow people to remember devices. If enabled, they won’t need to use two-factor for that device after their first login. You can also choose how long to remember the device before users need to re-authenticate.
• Redirect after setup – you can redirect users to a certain URL after they set up two-factor.
• Frontend 2FA pages – if you don’t want to have people use the backend dashboard, you can also set up a frontend page for them to manage their two-factor settings.

Again, you can set one sitewide default but then also adjust these settings for various user roles.

4. Explore All WP 2FA Settings

If you want to further configure the plugin, WP 2FA also offers a dedicated settings area. You don’t need to change anything here, but it does offer a few useful options:

• Emails & Templates – customize the two-factor emails that the plugin sends.
• White labeling – white-label all of the plugin’s interfaces to match your own. You can customize the logo, colors, and text of everything.
• Integrations – you can set up integrations with other services, including the following – Authy (push notifications for two-factor), Twilio (text messages for two-factor), and WooCommerce.

For example, when customizing the emails, you get a text editor and a bunch of merge tags to let you insert dynamic information:

For white labeling, you can use the drop-down to customize all different areas of the plugin:

And that’s pretty much it for configuring the plugin!

How Other Users On Your Site Will Set Up Two-Factor Authentication

I already showed you how to set up WordPress two-factor authentication for your own account, but what about other users?

How other users set up two-factor will depend on two variables:

1. Grace period – if you require users to set up two-factor right away, they’ll be prompted to do it right after logging in for the first time. If you give them a grace period of a few days, they’ll be able to wait.
2. Frontend interface – the backend interface works similarly to what I showed you above. But if you enable the frontend interface, it will look a bit different.

Here are some examples…

If you don’t offer any grace period, users will be automatically redirected to their profile page with the two-factor settings popup open (just like the interface that you used to configure it for your own account).

Users will not be able to access any part of the dashboard until they complete the setup.

If you enable the frontend two-factor settings page, you can add it anywhere on your site using the [wp-2fa-setup-form] shortcode.

Clicking that button will open the same setup prompt from before – the only difference is that everything is happening on the frontend of your site:

Again, you can white label all of this text to further integrate it with your site.

For example, here you can see that I’ve customized the text of the popup for WPKube:

Once users set up their two-factor method, they’ll see some additional options to change their settings or generate backup codes:

WordPress Two-Factor Authentication Reports

To help you see what’s happening on your site, the plugin also includes a reporting tool to quickly assess two-factor usage.

You can access it by going to WP 2FA ? Reports.

WP 2FA Pricing

WP 2FA comes in both a free version at WordPress.org as well as a premium version with more functionality.

In general, the free version should be fine if you just want to protect your own WordPress admin account. It already supports two-factor authentication via smartphone apps, email, and backup codes.

However, if you have other users on your site and you want to set up two-factor authentication policies for those users, I would recommend upgrading to the premium version.

Beyond giving you more control over two-factor policies and behavior, the premium version also adds additional methods like Authy push notifications and SMS messages via Twilio.

Here are some of the biggest features in the premium version:

• More 2FA methods including SMS, push notification, and one-click login.
• Option to add trusted devices (“Remember this device).
• White label support to customize the interface.
• Adjust 2FA policies for different types of users.

There are two main variables that affect the price:

• Number of users – rather than billing you based on how many websites you have, WP 2FA bills you based on the number of user accounts that activate two-factor authentication. All plans support unlimited sites and the users can be spread across any number of sites.
• Features – there are some feature differences between the different tiers.

The Enterprise plan also offers priority support.

Here’s a pricing screenshot that illustrates the difference:

• The large price at the top is for up to five user accounts.
• The price in the drop-down is to expand the usage to up to 25 user accounts.

Again – the user limits only apply to user accounts that have enabled two-factor authentication. If you have 250 users but only 10 of them have two-factor authentication, that only counts as 10 users for billing purposes.

If you want to try the premium features, the plugin has two relevant policies here:

1. You can get a 14-day free trial of the premium features to test things out.
2. There’s a 30-day money back guarantee if you run into any problems beyond the trial.

You can also save 20% on any license plan using our exclusive WP 2FA coupon code.

Purchase WP 2FA

WP 2FA Review: Pros and Cons of Using This Plugin

To recap what we’ve discussed in our WP 2FA review, let’s go over some of the pros and cons of using this plugin.

WP 2FA Pros

• Support for most popular methods – WP 2FA supports most of the popular methods that people use, including TOTP/HOTP authenticator apps, email, text message, push notification, and backup codes.
• Highly configurable two-factor policies – you get a lot of flexibility for controlling two-factor requirements on your site. For example, setting up different rules for different WordPress roles and giving people a grace period to set up two-factor authentication.
• Full white labeling – you can white label every single part of the interface, including text, emails, colors, logos, and more.
• Frontend dashboards – you can let users manage their two-factor methods from the frontend of your site (in addition to the WordPress dashboard).
• Polished designs – WP 2FA has very polished, professional designs, which isn’t always the case with some other WordPress two-factor authentication plugins.
• Integrations – WP 2FA integrates with WooCommerce and many membership plugins.

WP 2FA Cons

• No FIDO U2F support – WP 2FA doesn’t currently support FIDO U2F as a two-factor option, which means you can’t use physical hardware methods like Yubikey or Google Titan.
• Per-user pricing model can be expensive for lots of users – if you have more than 100 users, WP 2FA’s billing model of charging based on the number of users with active 2FA might make it more expensive than other solutions. However, the upside is that WP 2FA might be cheaper than other solutions if you only have a small number of users.

WP 2FA FAQs

To finish out our WP 2FA review, let’s go over some common questions that you might have about the plugin.

Is WP 2FA free?

WP 2FA does offer a free version at WordPress.org that should work fine for basic two-factor authentication.

Does WP 2FA support authenticator apps?

WP 2FA works with any authenticator app that supports the TOTP/HOTP protocols, which includes Google Authenticator, Authy, LastPass Authenticator, Microsoft Authenticator, and so on.

Does WP 2FA support backup codes?

WP 2FA lets users generate offline backup codes. Users can copy, print or email the codes.

Does WP 2FA support email verification?

WP 2FA lets users receive their one-time verification code using email. To ensure reliability, you should make sure to set up a WordPress SMTP sending service so that the emails make it to users’ inboxes.

Does WP 2FA support text message verification?

The premium version of WP 2FA supports SMS / text message verification. To power this service, it uses an integration with Twilio.

Does WP 2FA support FIDO U2F (Yubikey)?

WP 2FA does not support FIDO U2F at this time. If you want to use physical hardware keys as two-factor methods, you’ll need to choose a different two-factor plugin.

Final Thoughts on Our WP 2FA Review

Overall, WP 2FA offers a very polished way to set up WordPress two-factor authentication and secure your WordPress website.

I think there are a few areas where the plugin excels:

• Excellent interface with white labeling – the interface is more user-friendly and better designed than most other two-factor solutions, including letting people manage two-factor from the frontend. You can also white label it to match your brand to create a completely custom experience.
• Flexible policies – it gives you a lot of flexibility for creating a two-factor policy that meets your organization’s needs.
• Supports multiple methods – it supports a wide array of methods including email, SMS, authenticator app, push notifications, and one-time backup codes.

It does not currently support FIDO U2F, so it’s not the best option if you want to use physical hardware keys like Yubikey. But, outside of that limitation, I think it’s an excellent way to set up WordPress two-factor authentication.

So – if you want to use two-factor methods like email, SMS, and/or authenticator apps, you should definitely give this one a look. Make sure to use our WP 2FA coupon code to save 20% on any license.

Get WP 2FA

You can also pair WP 2FA with the WP Activity Log plugin from the same developer to protect your site even further. You can learn more in our WP Activity Log review and save with our WP Activity Log coupon.