How to Implement Two-Factor Authentication in WordPress

December 17, 2020

Introduction

An online business dealing with personal customer information needs to enforce a robust verification mechanism to prevent unauthorized access.

Two-Factor Authentication (2FA) adds a strong security layer and creates a formidable obstacle for potential attackers. Implementing 2FA in WordPress is a straightforward process, thanks to a number of easy-to-use authentication plugins.

Follow the instructions in this guide to learn how to install and implement 2FA for your WordPress website.


Why Implement 2FA in WordPress?

Roughly a third of all websites run WordPress, which makes the WordPress login form a constant target for brute-force and credential-stuffing attacks. By default, a username and password are the only things standing between an attacker and the WordPress admin area.

By gaining access to a website’s admin area, an unauthorized individual could control every aspect of that website. To protect yourself, your customers, and your business, use additional authentication layers.

2FA requires a second proof of identity on top of the password: most commonly a one-time password that is generated on, or delivered to, a physical device such as a smartphone. The WordPress user must supply the current code before the login completes.

Even if attackers guess, phish, or buy valid WordPress credentials, they still need access to the device. Two practical caveats apply: a code typed into a convincing phishing page can be relayed to the real site within its short validity window, and a 2FA plugin protects the login form it hooks into, so check that other login paths such as XML-RPC are also covered by the plugin or disabled.

How to Install Popular WordPress 2FA Plugins

Two-factor authentication combines a check in the web application with a separate device the user holds. Users without technical expertise can implement it in WordPress using a free plugin. The most popular free plugins include:

  • WP 2FA – Two-factor Authentication for WordPress - An easy-to-implement and intuitive solution. It uses standard time-based one-time passwords (TOTP), so it works with any TOTP app, for example Duo, Google Authenticator, LastPass Authenticator, or Authy.
  • Google Authenticator by miniOrange – WordPress Two Factor Authentication (2FA, MFA) - Provides essential authentication services for free, with paid enterprise-level upgrades for large organizations. It also works with TOTP apps such as Google Authenticator, Authy, LastPass Authenticator, and Microsoft Authenticator.

To install a 2FA plugin, access the WordPress dashboard:

1. Select Add New from the Plugins menu.

2. Type 2FA in the Search Bar.

3. Install either the WP 2FA or the Google Authenticator plugin by clicking Install Now.

Steps to install 2FA plugin in WordPress.

4. After installing the preferred plugin, click Activate.

A setup wizard guides you through the implementation process.




Implementing 2FA in WordPress

Before setting up 2FA, decide what type of authentication method you want to implement. Time-based one-time passwords (TOTP) generated by mobile apps are well-suited for a business environment with multiple website administrators.

The process looks like this:

1. A user enters their username and password to log in to WordPress.

2. Instead of gaining access, the user is presented with a new field requesting a one-time password.

3. The authenticator app on the mobile device computes the current six-digit code from a secret it shares with the website (exchanged once, via the QR code) and the current time. A new code appears every 30 seconds; it is not random and is never transmitted to the phone.

4. The user enters the current code and gains access to the WordPress admin area.

Some of the most popular TOTP apps for mobile devices are Microsoft Authenticator, Duo, Authy, LastPass, and Google Authenticator. This article explains how to implement WP 2FA with LastPass and the Google Authenticator plugin by miniOrange with the Google Authenticator app.
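The four steps above describe RFC 6238 TOTP. The following is an added example, not code from the WP 2FA or miniOrange plugins or from this article, showing what the app and the website each compute: the secret is exchanged once through the QR code (an otpauth URI), and from then on both sides derive the same code from that secret and the clock. The enrolment helpers and the per-user verifier are assumptions for illustration; the secret "12345678901234567890" and its expected codes are the published test vectors from RFC 4226 and RFC 6238.

```python
"""RFC 6238 TOTP, the mechanism a 2FA plugin and an authenticator app both run.

Added example, not the WP 2FA or miniOrange implementation. The enrolment
helpers and the TotpVerifier storage model are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

TIME_STEP = 30  # seconds per code; the default period in common authenticator apps
DIGITS = 6


def new_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded the way the QR code carries it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def decode_secret(secret_b32: str) -> bytes:
    """Base32 as shown to users is usually unpadded; restore padding before decoding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The text behind a setup wizard's QR code; the app keeps only 'secret'."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / TIME_STEP).

    Nothing is sent to the phone at login time: app and server each derive the
    same code from the shared secret and their clocks, which is why the code is
    deterministic and rolls over every TIME_STEP seconds.
    """
    now = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), now // TIME_STEP, digits)


class TotpVerifier:
    """Server-side check for one user: tolerates +/-window steps of clock drift
    and refuses a code for any time step at or before the last accepted one,
    so a captured code cannot be replayed within its 30-second window."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.key = decode_secret(secret_b32)
        self.window = window
        self.last_used_step = -1  # a real plugin persists this per user (assumption)

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        step = now // TIME_STEP
        submitted = submitted.replace(" ", "")
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_used_step:
                continue  # replay: a code for this step was already accepted
            if hmac.compare_digest(hotp(self.key, candidate), submitted):
                self.last_used_step = candidate
                return True
        return False


if __name__ == "__main__":
    secret = new_secret()
    # example account and issuer values, not from the article
    print(otpauth_uri(secret, "admin@example.com", "Example WordPress"))
    print("current code:", totp(secret))
```

The verifier deliberately accepts the neighbouring time steps (a phone clock a few seconds off is the normal case), but it records the step it accepted so the same code cannot be submitted twice. Rate-limiting the code field is still required: six digits and a three-step window leave roughly a 1 in 333,000 chance per guess.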

Option 1: Setting up WP 2FA with LastPass

Once you have installed and activated the WP 2FA plugin, a setup wizard launches automatically:

1. Click Let’s get started!

Initial step for implementing WP 2FA.

2. A one-time password can be generated by an authentication app (recommended) or sent via email. Once you select the code delivery method, click Next.

Select authentication method for WP 2FA.

3. Install the LastPass Authenticator app on your mobile device.

Install the LastPass Authenticator on the phone.

4. Use the LastPass app to scan the QR code on your computer screen. Alternatively, enter the randomly generated key from the setup wizard into the LastPass app.

5. Click I’m Ready within the WP 2FA setup wizard.

Scan the QR code to link the LastPass app with the WP 2FA plugin.

6. Scanning the QR code stores the shared secret in the LastPass app, which then displays a six-digit code that changes every 30 seconds. Enter the current code into the given field within the WP 2FA wizard and click Finish.

Enter the authentication code from LastPass to WP 2FA.

7. If your website has multiple admin users and roles, select Continue & configure the settings to set up general plugin rules for these users.

Configure 2FA for multiple users.

8. Check the box to define the authentication method for other users and click Continue Setup.

Choose the 2FA method that is to be applied to other admin users.

9. Apply the 2FA to all users or limit the authentication to specific users. Select Continue Setup to proceed.

Apply 2FA to specific users and roles.

10. If authentication is a requirement for all users, implement exceptions to this rule by excluding individual users and roles. Click Continue Setup.

Enter a user or role that is excluded from 2FA.

11. Decide if other users should configure 2FA immediately or set an extended time-frame for them to comply. Select Continue Setup to proceed.

Set a time-frame for users to comply with 2FA.

12. Check the box to inform WordPress users via email to implement 2FA and select All done.

Notify users that 2FA is now in place.

13. Losing a phone, or getting locked out of it, would lock you out of the WordPress account as well. Click Generate backup codes to create ten static backup codes, each usable for a single login, so you can still get in without the app.

Generate backup codes for WP 2FA.

14. Download or Print the generated codes and store them in a secure location, separately from your password. A backup code bypasses the app, so treat it with the same care as the password itself.

Download or Print the WP 2FA backup codes.
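Steps 13 and 14 (and step 8 of Option 2 below) hand out static backup codes. As an added example, not the WP 2FA or miniOrange implementation, the following shows how such codes are handled correctly on the server side: they are generated from a secure random source, shown to the user once, stored only as salted hashes, and each one is accepted exactly once. The record layout (one dict per user), the count of ten, and the eight-digit format are assumptions for illustration.

```python
"""Single-use 2FA backup codes: generated once, stored hashed, consumed on use.

Added example, not code from any WordPress plugin or from the article. The
per-user record layout and the code format are assumptions.
"""
import hashlib
import hmac
import secrets

CODE_COUNT = 10   # assumption: matches the "ten static backup codes" in the wizard
CODE_LEN = 8      # assumption: eight decimal digits per code
PBKDF2_ROUNDS = 100_000


def generate_backup_codes(count: int = CODE_COUNT, length: int = CODE_LEN) -> list:
    """Plaintext codes to show or print for the user exactly once."""
    codes = set()
    while len(codes) < count:
        codes.add("".join(secrets.choice("0123456789") for _ in range(length)))
    return sorted(codes)


def _digest(code: str, salt: bytes) -> bytes:
    # Only the hash is stored; the plaintext exists solely on the user's printout.
    return hashlib.pbkdf2_hmac("sha256", code.encode("ascii"), salt, PBKDF2_ROUNDS)


def store_backup_codes(codes: list) -> dict:
    """Build the per-user record a plugin would persist (e.g. in user metadata)."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hashes": [_digest(c, salt) for c in codes]}


def _normalize(submitted: str) -> str:
    # Users copy codes with spaces or dashes from a printout; strip separators only.
    return "".join(ch for ch in submitted if ch.isdigit())


def redeem_backup_code(record: dict, submitted: str) -> bool:
    """Return True at most once per code; the matching hash is deleted so a
    captured or reused code is refused on the next attempt."""
    candidate = _digest(_normalize(submitted), record["salt"])
    for index, stored in enumerate(record["hashes"]):
        if hmac.compare_digest(stored, candidate):
            del record["hashes"][index]
            return True
    return False


def remaining_codes(record: dict) -> int:
    """How many unused codes are left; prompt the user to regenerate when low."""
    return len(record["hashes"])


if __name__ == "__main__":
    issued = generate_backup_codes()
    record = store_backup_codes(issued)
    print("show once to the user:", issued)
    print("first use accepted:", redeem_backup_code(record, issued[0]))
    print("second use refused:", redeem_backup_code(record, issued[0]))
    print("codes left:", remaining_codes(record))
```

Because a backup code is a complete substitute for the authenticator app, the login form must rate-limit attempts on this field exactly as it does for the password, and the codes should be regenerated (invalidating the old set) whenever the user suspects the printout was exposed.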

To modify plugin settings from the WordPress dashboard, click Two-factor Authentication within the Settings menu.

Modifying settings in the WP 2FA plugin in WordPress.

Accessing the WordPress admin area is now only possible after entering the current one-time password from the LastPass app, or one of the backup codes.

Option 2: Setting up 2FA with Google Authenticator

After installing and activating the Google Authenticator – WordPress Two Factor Authentication plugin:

1. Select the Logout and Configure option.

Logout to configure Google Authenticator by miniOrange.

2. Enter your WordPress credentials and Log In.

Login to WordPress account to configure Google Authenticator.

3. Select the Google/Authy/Microsoft Authenticator option to enable one-time password app-based authentication.

Select the one-time password delivery method for the Google Authenticator plugin.

4. Install the Google Authenticator app on your mobile device.

Install the Google Authenticator mobile app.

5. Select Google Authenticator from the dropdown menu and use your phone to scan the QR code.

6. Once the scan is complete, a verification code appears in the Google Authenticator mobile app. Enter the 6-digit code in the Code field within the setup wizard.

7. Click Verify and Save.

Enter verification code to connect Google Authenticator plugin with app.

8. Select Download Codes to download and store a set of backup codes in a secure location. These codes allow you to log in to the WordPress account if you no longer have access to your phone, so protect them like the password itself.

9. Click Finish to complete the setup process.

Download backup codes for Google Authenticator plugin in WordPress.

Entering the credentials to access WordPress prompts the system to ask for the authentication code from the Google Authenticator mobile app. Submitting the correct code grants access to the WordPress admin.

Log in to the WordPress admin by entering verification code from app.

To modify plugin settings, select the Two Factor option in the miniOrange 2-Factor menu. Access the Settings tab to change general plugin settings.

Modify Google Authenticator settings in WordPress.

The Settings section in the free version provides limited options for managing two-factor authentication and controlling users and roles.

Conclusion

You have implemented 2FA in WordPress and made the admin login considerably harder to abuse: a guessed or stolen password alone no longer grants access. 2FA does not replace the rest of your security hygiene, however. It does not fix vulnerable plugins or themes, stop a phishing page that relays a code in real time, or protect a session cookie that has already been stolen, so keep WordPress and its plugins up to date and rate-limit the login form as well.

About the author
Vladimir Kaplarevic
Vladimir is a resident Tech Writer at CCBill. He has more than 8 years of experience in implementing e-commerce and online payment solutions with various global IT services providers. His engaging writing style provides practical advice and aims to spark curiosity for innovative technologies.