A free and easy-to-use two-factor authentication plugin for WordPress
Add an extra layer of security to your WordPress website login and protect your users. Enable two-factor authentication (2FA), the best protection against password leaks, automated password guessing, and brute force attacks.
Use the WP 2FA plugin to enable two-factor authentication for your WordPress administrator, enforce 2FA for all your website users, or for users with specific roles. This plugin is very easy to use; everything can be configured via wizards with clear instructions, so even non-technical users can set up 2FA without requiring technical assistance.
[youtube https://www.youtube.com/watch?v=vRlX_NNGeFo]
WP 2FA key plugin features and capabilities
- Free two-factor authentication (2FA) for all users
- Supports multiple 2FA methods including authenticator app TOTP, and code over email
- An API that allows you to integrate any alternative 2FA method such as WhatsApp, OTP Token, etc.
- Universal 2FA app support – generate codes from Google Authenticator, Authy, & any other 2FA app
- Supports 2FA backup codes
- Wizard-driven plugin configuration & 2FA setup – no technical knowledge required
- Use 2FA policies to enforce 2FA with a grace period or require users to instantly set up 2FA upon logging in
- No WordPress dashboard access is required for users to set up 2FA
- Fully editable email templates
- Much more
Upgrade to WP 2FA Premium and get even more benefits
The premium version of WP 2FA comes bundled with even more features to take your WordPress website login security to the next level.
With the premium edition of WP 2FA, you get more 2FA methods, 1-click integration with WooCommerce, trusted devices feature, extensive white labeling capabilities, and much more!
Premium features list
- Everything in the free version
- Full white labeling capabilities (change all the text and look and feel of the wizards, emails, SMS, and 2FA pages)
- YubiKey hardware key support
- Several other additional 2FA methods (such as 2FA over SMS, link in email & more)
- Trusted devices (no 2FA required for a configured period of time)
- Require 2FA on password reset
- One-click integration to set up WooCommerce and two-factor authentication (2FA)
- Much more
Refer to the WP 2FA plugin features and benefits page to learn more about the benefits of upgrading to WP 2FA Premium.
Free and premium support
Support for the free edition of WP 2FA is free on the WordPress support forums. Premium world-class support via one-to-one email is available to the Premium users - upgrade to premium to benefit from email support.
For any other queries, feedback, or if you simply want to get in touch with us, please use our contact form.
MAINTAINED & SUPPORTED BY MELAPRESS
Melapress develops high-quality WordPress management and security plugins such as Melapress Login Security, Melapress Role Editor, and WP Activity Log, the #1 user-rated activity log plugin for WordPress.
Browse our list of WordPress security and administration plugins to see how our plugins can help you better manage and improve the security and administration of your WordPress websites and users.
2.9.1 (2025-08-01)
- Plugin & functionality improvements
- Switched 2FA operations back to native (pre 2.9.0).
- Added a setting to manually enable / disable the REST API endpoints.
- Bug fixes
- Fixed: configured user's 2FA methods not showing in the My Account WooCommerce portal.
2.9.0 (2025-07-31)
- New features
- REST API endpoints for 2FA code verification and other operations, thus making it much easier to integrate the plugin in custom processes.
- Option to allow temporary login without 2FA for a specific user or number of users.
- New filter wp_2fa_oob_redirect_url to assist with user redirection post-login when Link via email (OOB) 2FA method is in use.
- Quick Links section with useful links.
- Plugin & functionality improvements
- Bumped up the minimum supported PHP version from 7.3 to 7.4.
- Bumped up the minimum supported WordPress Core version from 5.0 to 5.5.
- Better support for setups in which access to the wp-login.php file is restricted or denied.
- Plugin no longer supports 2FA enforcement on users without any role, to adhere to the new WordPress core changes.
- Improved performance: plugin now better loads and handles its files and scripts.
- Updated the 2FA setup wizard UI – available methods are now displayed vertically for improved readability and layout consistency.
- Changed the default template of the 2FA code email for improved email deliverability (new installs only).
- Tweaked the redirection of users on WooCommerce to cater for latest WooCommerce version, ensuring correct and consistent redirection flow post-login.
- White Labeling - added option to enable help text to assist users during 2FA configuration for all methods.
- White Labeling - Changed the placeholder title on the 2FA code page text to "Verification code" for consistency.
- White Labeling - added a new white labeling option to enable/disable our plugin's signature from the 2FA Frontend configuration page.
- White Labeling - made more wizard elements translatable by assisting with localizing text inside JS elements.
- White Labeling - Tweaked the 2FA page code elements by introducing new unique classes, to make it easier for users to customize their logo with the right size and format.
- Switched the default setting for HOTP to now allow users to use another email address during configuration.
- Removed old links and imagery related to Captcha 4WP plugin.
- Added Melapress Role Editor in the About Us page.
- Reviewed all links in the plugin; fixed a few broken links and added UTM parameters.
- Tweaked the UI inside a few wizards and plugin pages to avoid orphaned words or hanging elements.
- When "Log out users after 2FA configuration" is enabled, users are no longer logged out after they configure a backup method only.
- Made the 2FA notice regarding WP 2FA Encrypt key storage in wp-config.php dismissible.
- Authy method was removed from the setup wizard - service is being decommissioned by Twilio.
- Added our own custom libraries for Twilio integration, replacing the official SDK for improved performance and reduced dependencies.
- Removed the "User licensing" tab from the Settings which was redundant (used by the old licensing model).
- Improved the code that retrieves the number of subsites on a multisite network.
- WooCommerce Integration - 2FA Configuration page from My Account dashboard is now correctly positioned above the Log Out button.
- Yubico method will now show up in 2FA method selection wizard even when it's the only method enabled.
- Removed redundant wizard steps when only one method was active (Yubico) for a smoother process.
- Updated the text and layout of the Yubikey configuration wizard.
- Bug fixes
- Fixed a PHP Notice "Function _load_textdomain_just_in_time" which could constantly occur in certain site setups.
- Translations: Fixed an edge case where Admin settings switch to Dutch once .po files are loaded, preventing the inheritance of actual site language.
- Fixed a bug causing the WordPress logo to be hidden on the 2FA code page in the Premium edition of WP 2FA.
- Fixed a scenario where users could see the "Remove 2FA" button on their profile page even though 2FA was enforced and no grace period was allowed.
- Fixed a handful of user role inheritance issues which were causing some 2FA policies to not be correctly enforced to certain roles.
- Fixed an error which could occur when redirecting a user to a non-existent URL after configuring 2FA.
- Fixed a variety of PHP warnings related to Yubico, the out of band 2FA method, and the Reports page.
- Fixed a bug which could prevent users with SMS via Clickatell from using a backup code via email to log in.
- Fixed a bug which was causing the "grace period time left" shortcode to always show time in UTC format instead of site's timezone.
- Fixed a bug in which users using Yubico as primary method were unable to configure the email backup method.
- Added a check to prevent the plugin from writing multiple comments inside the wp-config.php file when the file is refreshed by third parties.
- Fixed a PHP deprecation: Function print_emoji_styles which occurred on fresh installations.
- Fixed a user reported edge case error involving WP 2FA and Paid Membership plugin when Authy 2FA method was in use.
- Fixed a scenario where the user could get locked out even though the setting to lock users with exceeded grace period was disabled.
- Fixed a user-reported PHP error - Uncaught Error: Call to a member function get_page_permastruct() on null.
- Fixed some user-reported PHP errors that could occur inside Reports page under very specific circumstances.
- Fixed a UI glitch which could cause users to be prompted with "This page is asking you to confirm that you want to leave - information you've entered may not be saved." when configuring 2FA.
- Fixed a PHP 8.4 Deprecated notice: WP2FA_Vendor\BaconQrCode\Encoder\Encoder::chooseMode().
- Fixed a number of issues on how the 2FA frontend configuration pages are created on each subsite on a multisite network.
- Fixed a shortcode behavior {from_email} which was pulling the site admin email instead of the actual From email address.
- Fixed a user-reported edge case that could intermittently cause the wrong 2FA method to be selected during configuration, loading OTP via email wizard instead of the Authenticator app.
- Fixed a scenario where users with multiple roles on multiple websites have 2FA removed if "No role for this website" is selected.
Refer to the complete plugin changelog for more detailed information about what was new, improved and fixed in previous version updates of WP 2FA.