How to Set Up Two-Factor Auth on WordPress (2026)
Add two-factor authentication to WordPress for better security. Set up 2FA for all users with WP 2FA plugin, Google Authenticator, or email-based verification.
Two-factor authentication (2FA) adds a second verification step beyond your password. Even if an attacker obtains your WordPress password through phishing or a data breach, they still can't log in without your second factor. It's the most effective security improvement for WordPress admin access.
2FA Methods Available for WordPress
- Authenticator app (TOTP): Time-based codes from Google Authenticator, Authy, or 1Password. Most secure and recommended.
- Email codes: One-time codes sent to your email. Convenient but dependent on email security.
- SMS codes: Text message codes. Convenient but vulnerable to SIM-swapping attacks.
- Hardware keys: YubiKey and similar physical tokens. Most secure, but requires a physical device.
WP 2FA Plugin Setup (Recommended)
- Install WP 2FA from the plugin directory
- Run the setup wizard — choose your preferred 2FA method (TOTP authenticator app recommended)
- Set the 2FA policy: Required for all users (recommended for all admin-level accounts)
- Set a grace period (e.g., 3 days) for existing users to set up 2FA before being locked out
- Configure backup codes — generate and store these safely for account recovery
User Enrollment Flow
After WP 2FA is active with the "required" policy, existing users are prompted to set up 2FA on their next login. They scan a QR code with their authenticator app, enter the verification code, and receive backup codes. The whole process takes under 2 minutes.
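What the QR code, the verification code, and the backup codes in this flow amount to on the server side, as an added example in Python (not WP 2FA's own code; every function name, the account, and the site name are assumptions made for illustration). It follows RFC 6238 with the 6-digit, 30-second defaults that authenticator apps use.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote

PERIOD = 30  # seconds per time step, the default authenticator apps assume

def new_secret():
    """160-bit random shared secret, Base32-encoded for authenticator apps."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def provisioning_uri(secret, account, issuer):
    """The otpauth:// URI that the enrollment QR code encodes."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret}&issuer={quote(issuer)}&digits=6&period={PERIOD}")

def totp(secret, at, digits=6):
    """RFC 6238 code (HMAC-SHA1) for Unix time `at`."""
    counter = struct.pack(">Q", int(at) // PERIOD)
    mac = hmac.new(base64.b32decode(secret), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret, code, at, last_step=-1, window=1):
    """Return the matched time step or None. Tolerates +/- `window` steps of
    clock drift; steps <= last_step are refused so a code cannot be replayed."""
    now = int(at) // PERIOD
    for step in range(max(0, now - window), now + window + 1):
        expected = totp(secret, step * PERIOD).encode()
        if step > last_step and hmac.compare_digest(expected, code.encode()):
            return step
    return None

def new_backup_codes(n=10):
    """Return (codes shown to the user once, SHA-256 hashes for the server to keep)."""
    codes = [secrets.token_hex(8) for _ in range(n)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}

def redeem_backup_code(code, stored):
    """Single use: a matching hash is deleted as soon as it is accepted."""
    digest = hashlib.sha256(code.encode()).hexdigest()
    if digest in stored:
        stored.remove(digest)
        return True
    return False

if __name__ == "__main__":
    secret = new_secret()  # constructed sample account below
    print(provisioning_uri(secret, "admin@example.com", "Example Site"))
    print("current code:", totp(secret, time.time()))
```

The shared secret in the QR code is the credential itself, so anyone who photographs the enrollment screen or reads the stored secret can generate valid codes; the backup codes bypass the second factor and need the same care as a password.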
Additional Security Recommendations
2FA is most effective as part of a layered security approach. Combine it with: a strong password policy (Wordfence or WP Password Policy Manager), login attempt limiting (Limit Login Attempts Reloaded), and keeping WordPress, themes, and plugins updated. SiteICO's auto-update feature handles the last item automatically.