
How to Enable Two-Factor Authentication on WordPress

September 28, 2025 · 7 min read · HostBible Team

Two-factor authentication adds a second verification step after the username and password. An attacker who has obtained your password, whether from a data breach or a successful brute-force attack, still cannot log in without the second factor. It takes about five minutes to set up and is one of the highest-value security changes you can make to a WordPress site.

How WordPress 2FA works

After you enter your username and password, WordPress shows a second screen asking for a time-based one-time code (TOTP, specified in RFC 6238). The code is generated by an authenticator app on your phone and changes every 30 seconds. It is derived from a secret key that was shared between your site and the app at setup time: the app computes HMAC-SHA1 over the current 30-second time step, truncates the result and reduces it to a 6-digit number. Neither side needs network access to do this; both only need the shared secret and a reasonably accurate clock.

An attacker who has your password and is logging in from their own device does not have your phone, cannot produce the current code, and the login fails even with valid credentials. That defeats credential stuffing (passwords reused from other breached sites), brute force that has already found the password, and phishing where you typed your password into a fake page some time ago. One caveat: a real-time phishing page that also asks for the 6-digit code and relays it to the real login within the 30-second window can still get in. TOTP raises the bar considerably, but only phishing-resistant methods such as WebAuthn/FIDO2 security keys close that gap completely.

Recommended plugin: WP 2FA

WP 2FA is free, well-maintained, and has a straightforward setup wizard. Install it from the WordPress plugin repository. After activation, a wizard guides you through the process. Here's what each step involves:

  • Choose 2FA method: select "One-time password (TOTP)". This is the authenticator-app method and the most secure option the plugin offers. Email OTP is also available but is weaker, since it is only as strong as the mailbox it is delivered to.
  • Scan the QR code: open your authenticator app (Google Authenticator, Authy, or 1Password) and scan the QR code shown on screen. The app adds a new entry for your WordPress site; the QR code contains the shared secret, so do not screenshot it or leave it on screen longer than needed.
  • Verify the pairing: enter the 6-digit code currently shown in your authenticator app to confirm the pairing worked. If the code is rejected, check that your phone's clock is accurate: TOTP codes are time-based, and most verifiers tolerate only about one 30-second step of drift either way.
  • Save backup codes: WP 2FA generates a set of single-use backup codes. Copy them into your password manager, or print them and store the printout somewhere secure. Do not skip this step.

Enforcing 2FA across your site

After setting up 2FA for your own account, go to WP 2FA > Policies to configure enforcement. For a single-person site, requiring 2FA for the Administrator role is sufficient. For multi-author or client sites, the recommended approach is to require 2FA for Administrator and Editor roles and make it optional for Author and Contributor roles.

When you enable enforcement, existing users who have not set up 2FA get a grace period (configurable; 3 days is reasonable) before their login is blocked, and they see a prompt to configure 2FA each time they log in during that period. Users who miss the deadline are kept out of wp-admin until they complete setup. They are not locked out permanently: on their next login they are redirected to the 2FA configuration screen instead.

For agency sites where you manage 2FA on behalf of clients, WP 2FA supports setting up 2FA for other user accounts from wp-admin > Users. Generate a setup link and send it to the user to complete configuration on their own device.

Backup codes: don't skip this step

Backup codes are single-use emergency codes that allow login when you don't have access to your authenticator app. WP 2FA generates a set of these during setup (typically 10 codes). Each code can be used once and is then invalidated.

Store backup codes in your password manager alongside the site credentials; they are useless if you cannot find them when you need them. If you use any of them (for example, after getting a new phone), regenerate a fresh set immediately from WP 2FA > User Profile > Backup Codes. Used backup codes do not replenish automatically, and a set with most codes spent is not much of a safety net.
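The properties the two paragraphs above rely on (each code is random, works exactly once, and is worthless once spent) are worth seeing in code. The following is an added example written for this page showing one sound way to implement single-use backup codes; it is not WP 2FA's storage format, which this page does not describe. The code length (10 hex characters, 40 bits of entropy), the salted PBKDF2 storage and the round count are this example's own choices.

```python
import hashlib
import hmac
import secrets

# Added illustration of single-use backup codes. Not WP 2FA's implementation.
# Design choices (this example's own, not the plugin's): codes are random,
# stored only as salted slow hashes (a leaked wp_usermeta table should not
# yield usable codes), and a record is deleted on first successful use.

CODE_BYTES = 5            # 40 bits of entropy, shown to the user as 10 hex chars
PBKDF2_ROUNDS = 100_000   # slow enough that brute-forcing 40 bits is costly


def generate_backup_codes(count: int = 10):
    """Return (plaintext codes to show the user once, records to store).
    The plaintext list must never be persisted; only `stored` is kept."""
    plaintext, stored = [], []
    for _ in range(count):
        code = secrets.token_hex(CODE_BYTES)            # e.g. '3f9a1c77e2' (constructed)
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)
        plaintext.append(code)
        stored.append({"salt": salt, "hash": digest})
    return plaintext, stored


def redeem_backup_code(stored: list, submitted: str) -> bool:
    """Consume a code: on a match, remove its record so it cannot be reused.
    Users retype codes from printouts, so tolerate case, spaces and dashes.
    Comparison is constant-time; the caller should still rate-limit attempts,
    because ten live hashes give an online guesser ten targets at once."""
    cleaned = submitted.strip().lower().replace("-", "").replace(" ", "")
    for i, rec in enumerate(stored):
        digest = hashlib.pbkdf2_hmac("sha256", cleaned.encode(), rec["salt"], PBKDF2_ROUNDS)
        if hmac.compare_digest(digest, rec["hash"]):
            del stored[i]            # single use: spent codes disappear
            return True
    return False


if __name__ == "__main__":
    codes, store = generate_backup_codes()
    print("show these once and never again:", codes)
    print("first use ok:", redeem_backup_code(store, codes[0]))
    print("second use ok:", redeem_backup_code(store, codes[0]))
    print("codes remaining:", len(store))
```

Note what `redeem_backup_code` does not do: it never regenerates codes on its own. That matches the advice above, because silently topping the set back up to ten would hide the fact that codes are being spent, which is itself a signal worth noticing.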

If you lose your phone and have no backup codes, recovery requires file-system or database-level access to the site. See the next section.

Recovery if you lose your phone

First option: use a backup code. If you saved them (and you should have), this restores access immediately.

Second option: if you have server access via SFTP/FTP or cPanel File Manager, temporarily rename the WP 2FA plugin folder. Navigate to wp-content/plugins/ and rename wp-2fa to wp-2fa-disabled. WordPress treats a plugin whose folder has gone missing as deactivated, so you can log in with just your username and password. Be aware that this removes the second factor for every account on the site, not only yours, so do it at a quiet moment and finish quickly. Log in, rename the folder back, reactivate WP 2FA from the Plugins screen (it does not reactivate on its own when the folder reappears), then set up 2FA again with your new phone or a new authenticator app.

Third option: if a trusted person has SSH access to the server, they can use WP-CLI to edit the plugin's user meta for your account alone and remove the 2FA requirement, which is narrower than disabling the plugin for everyone. This needs technical access and is a last resort; whoever does it should confirm your identity out of band first, since "I lost my phone, please remove my 2FA" is exactly what an attacker would also say.

Alternative authenticator apps

Google Authenticator is the most widely known. It's free, works offline, and is compatible with all TOTP-based 2FA. Downside: no cloud backup of the codes by default, if you lose your phone and haven't backed up, you lose access to all configured accounts.

Authy provides encrypted cloud backup of your 2FA accounts, synced across devices. If you lose your phone, you can restore your 2FA accounts to a new device after verifying your phone number. This is the most practical option for users who manage multiple sites and cannot risk losing access. The trade-off is that phone-number-based recovery puts trust in your mobile carrier: set a backups password and turn off multi-device once your devices are enrolled, so that a SIM swap alone is not enough to clone your tokens.

1Password integrates 2FA code generation directly into the password manager, so your password and 2FA code live in one place. Convenient, but it collapses two factors into one vault: if the password manager account is compromised, the attacker gets both. If you go this route, protect the manager itself with a strong master password and its own second factor.

Other 2FA plugin options

Wordfence Security includes 2FA as part of its Login Security module (Wordfence > Login Security). If you're already running Wordfence for firewall and scanning, enabling its built-in 2FA avoids adding a separate plugin. The configuration is slightly more technical but the security is equivalent.

Two Factor (WordPress.org) is a lightweight, developer-maintained plugin from WordPress core contributors. It supports TOTP, email OTP, and backup codes with minimal overhead. A good choice if you want a simple, no-frills implementation without the policy management features of WP 2FA.

Secure credentials and secure hosting together

2FA protects your login. Daily backups and server-level malware protection cover everything else. HostBible plans include both as standard.
