Two Factor Authentication in 2019 for WordPress


We regularly get asked for recommendations on two-factor (or multi-factor) authentication plugins and products for WordPress Hosting. It’s a topic we have covered a few times in the past, but in 2019 we now really only recommend a single plugin.


If you are looking to enable two-factor authentication (and if you are not, you really should be!) then we recommend the plugin two-factor.

This plugin is a “feature” plugin and is developed by members and former members of the WordPress core security team. The goal of a feature plugin is that it will ultimately become part of the standard WordPress core, so using it today will mean continuity when the features are eventually incorporated into WordPress core.

In addition to being a feature plugin (which is a massive plus), it supports a range of two-factor methods including Google Authenticator and U2F hardware keys. It also supports having multiple factors set up per person.

For users of our WordPress Hosting, the plugin works fully with our WordPress login button, allowing you to skip the login but still be challenged. Many other solutions either break the button or mean we skip two-factor authentication altogether.

The button still works because of a UI decision the plugin took: the two-factor authentication field is presented after a successful password login rather than on the login page itself. This makes it harder for potential attackers to identify which users have two-factor authentication enabled and presents a simplified login experience for end users.

Installing Two-Factor

To install the two-factor plugin, log into the WordPress admin area, select Plugins and click the add new button.

Within the search box on the right type two-factor.

Two-Factor by George Stephanis is the plugin we wish to install, so click Install for that one.

Click Activate.

Two-Factor is now installed and activated.

Setting up Two-Factor

If you want to set up two-factor for your user, then within the WordPress Admin area select Users -> Your Profile. Alternatively, administrators may edit any user by accessing their user page.

Scroll down the profile to Two-Factor Options under Account Management and select the second factor option you wish to configure. We recommend Google Authenticator or U2F hardware keys.

For Google Authenticator

Make sure you have the Google Authenticator app on your phone or device installed and ready.

With the Google Authenticator app open, press the + button and select Scan barcode.

Hold the phone to your screen to scan the QR code on the screen.

Enter the code you are presented with into your WordPress Admin area in the box Authentication Code and hit submit.
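To show what the QR-code step above actually sets up, here is an added example (not code from the original post or from the Two-Factor plugin) of the RFC 6238 TOTP scheme Google Authenticator implements: the otpauth URI the QR code encodes, the 6-digit code derived from the shared secret and the current 30-second step, and a server-side verifier that tolerates one step of clock drift while comparing in constant time. The secret, account name and issuer are constructed demo values; the secret is RFC 6238's published test key, not one you should ever reuse.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step, digits)

def decode_secret(secret_b32: str) -> bytes:
    """The QR code carries the secret as (often unpadded) base32; restore padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Key Uri Format that authenticator apps read out of the QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")

def verify_totp(secret_b32: str, submitted: str, at=None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check of a submitted code.  Accepts the current step and
    `window` steps either side so a phone whose clock is a few seconds off
    still validates; a wider window weakens the factor."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == digits):
        return False
    secret = decode_secret(secret_b32)
    now = int(time.time()) if at is None else at
    ok = False
    for delta in range(-window, window + 1):
        expected = totp(secret, now + delta * step, step, digits)
        # check every step (no early return) so timing does not reveal which one matched
        ok |= hmac.compare_digest(expected, submitted)
    return ok

# Constructed demo value (not from the page): base32 of RFC 6238's test key b"12345678901234567890".
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

Calling `provisioning_uri(DEMO_SECRET_B32, "admin@example.com", "Example WP")` yields the string a QR code for this user would carry, and `totp(decode_secret(DEMO_SECRET_B32), int(time.time()))` is the code the app would currently display for it.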

For U2F keys

You will need a hardware key such as a YubiKey or Feitian ePass, and will need to have the device with you, using a machine it can be plugged into. If the device supports NFC, you should still use USB rather than NFC for the setup.

Insert the key into a USB port.

Click Register Security Key.

The key should now be registered. Good practice is to register at least two security keys, with the backup stored somewhere very safe.

We do not recommend using security codes via email, but if you have users who don’t have Google Authenticator and cannot install it, or aren’t in a position to purchase hardware tokens then this is an option, though it is not as secure as the previous two.

Once you have set up one or more authentication methods you can enable them and select one as the default. When you log in you will be asked to authenticate with your default option, with an option to change methods.

That’s it! From now on you will be asked to authenticate with your second factor (or your choice of second factor) after a successful login. With Two-Factor enabled and configured, even if a brute-force attack succeeds in working out your password, the attacker will still be unable to access the account without the second factor.

We highly recommend installing and setting up two-factor on all sites; it’s quick and easy and with the Google Authenticator app on your phone, free.

Tim Nash

Tim is a well known member of the WordPress community and a regular attendee of our local Manchester WordPress User Group as well as being a co-organiser of the WordPress Leeds user group (the oldest in the country). He is also an established speaker at WordCamps and tech conferences both in the UK and abroad.

5 Responses

  1. Thanks for this article, but when I try to add using Google Authenticator I keep getting “Invalid Two Factor Authentication code” error.

  2. I’ve just moved a site on to your WordPress hosting, and at the same time have decided to tighten up on security (I’m not too bad but could do better).

    I’ve finally created a separate Editor profile for the times I don’t need to login as Admin (a tip Tim provided at a MeetUp, thanks Tim), and set a new, strong password (refreshed whilst using my VPN). I’m pretty diligent at keeping plugins and parent/child theme updated, and keep plugins to a minimum.

    I’ve just disabled Wordfence based on the comments in another blog post (“The only reason WordFence didn’t make our list is because we don’t need it on our hosting. It would only serve to duplicate the security we have built in”).

    Other than setting up two-factor using the suggested plugin, which I’ve now done, are there any other security plugins I should consider? Or is two-factor plus your supplied Fingerprint plugin as much as I need? I appreciate security can ever be 100% but if there are any other plugins you recommend for security purposes I’d welcome your advice.

    • We are never going to tell someone not to use a security plugin but it is true our hosting covers a lot of the security options WordFence has and obviously a lot more as we are able to configure the server.

      In terms of other plugins, we recommend at least some sort of application-level auditing be that something like Stream or WP Security Audit.

      Beyond that, it becomes specific for the site as to what other plugins may or may not be needed.

  3. Tried to find more info on this and found your article, really pleased as I’ve been a customer of yours for 25+ years!
