Using 2FA Logins for WordPress – WPQuickies

In this lunchtime #WPQuickies, I show you how to implement Two Factor Authentication (2FA) for secure WordPress logins.

What Is 2FA?

Also known as multi-factor authentication, two-factor authentication (2FA) adds a second layer of security on top of your regular username and password login.

2FA is usually implemented using a secondary device such as a mobile phone, key fob or a USB stick that is only accessible to you.

Something easy for you to carry around and access at all times.

A 2FA code is usually a numeric or alphanumeric code, varying in length, which times out after some time, usually 60 seconds.

Authentication codes that expire after a set time are also known as One Time Passwords (OTPs).

The codes can be generated by an app or directly by your key fob or USB stick, or sent to you via SMS or email.

In addition to logging in with your regular username and password, any system configured to use 2FA will also ask for the authentication code.

You must enter the correct code before it times out and generates a new 2FA code.

Expiring codes on a device that only you can access makes it difficult for a hacker to log in using guessing or brute force attacks.

How Secure Is 2FA?

Two-factor authentication is not infallible.

If a hacker manages to get physical access to your authentication method, they can use it to log in.

So, don’t lose your authentication device!

SIM Hijacking

As many 2FA codes are sent via SMS to a registered phone number, SIM hijacking has become prevalent.

SIM hijacking is where a bad actor convinces a mobile phone carrier to change the SIM card associated with a phone number.

The bad actor then gets access to the phone number and can receive the 2FA codes sent to that number via SMS messages.

This type of hack usually requires social engineering to convince the current phone owner to read out a SIM transfer code disguised as a parcel tracking number or fake order ID.

Authenticator Apps

There have been hacks targeting the authenticator apps themselves, trying to find a way to intercept the codes generated by the mobile phone app.

A few articles in 2020 detailed how Android malware could read the 2FA codes generated by the Google Authenticator app.


2FA Security Levels


Direct 2FA security USB sticks like the YubiKey generally offer the best type of security as they are a self-contained system, difficult to hack and require biometrics (your fingerprint) to work.

There is a GitHub plugin repository for connecting your YubiKey to WordPress for logins.

Smartphone Apps

Smartphone authenticator apps are the second-best type of 2FA security. There is a chance somebody could steal the codes if a bad actor places malware onto the phone’s operating system.

2FA codes sent via SMS messages are not very secure because SMS messages are transferred in unencrypted plain text and move through several networks before ending up on your phone.

A bad actor could theoretically intercept the codes anywhere along the transmission network.

Email OTP codes, in general, are the least secure method of implementing 2FA, again because they are transferred through multiple networks in plain text.

How To Use 2FA Logins For WordPress

The easiest way to enable 2FA logins for WordPress is to use the Wordfence security plugin along with the Google Authenticator app for your smartphone.

Google Authenticator App

You can download the Google Authenticator app from Google Play for Android phones or from the Apple App Store.


Once you have installed and activated Wordfence, navigate to Wordfence > Login Security.

You will see a screen similar to this one.

[Screenshot: Wordfence 2FA setup]

The steps are very simple to complete.

Scan the QR code with your smartphone’s Google Authenticator app, enter the generated code in the field in the 2nd column, and press activate.

Before leaving this page, download the backup codes to somewhere private and safe.

You can use these codes if you are unable to use the Google Authenticator app on your smartphone.

Once 2FA is activated, the next time you log in to WordPress, after you enter your username and password, you will be asked to enter the 2FA code for the account.

[Screenshot: WordPress login with 2FA enabled]

For more detailed setup instructions, see the Wordfence blog.
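
To show what sits behind the QR scan and the expiring codes described earlier, here is an added example (not code from Wordfence or Google Authenticator) of the time-based OTP scheme from RFC 6238 that authenticator apps implement. The 30-second step, the one-step clock drift window, the demo secret and the names `provisioning_uri`, `secret_from_uri` and `Verifier` are assumptions of this example.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs, quote

# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 code for Unix time `at`, using HMAC-SHA1."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(at) // step)      # number of steps since epoch
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def provisioning_uri(secret_b32, account, issuer):
    """The otpauth:// URI that a setup QR code encodes (it carries the shared secret)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&period=30&digits=6")

def secret_from_uri(uri):
    """What the authenticator app extracts when it scans the QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    return parse_qs(parsed.query)["secret"][0]

class Verifier:
    """Server side: accept the current step +/- `window`, and never reuse a step."""
    def __init__(self, secret_b32, window=1, step=30):
        self.secret, self.window, self.step = secret_b32, window, step
        self.last_used = -1                           # replay guard

    def verify(self, code, now):
        current = int(now) // self.step
        for s in range(current - self.window, current + self.window + 1):
            expected = totp(self.secret, s * self.step, self.step)
            if s > self.last_used and hmac.compare_digest(expected, code):
                self.last_used = s                    # burn this step and older ones
                return True
        return False
```

Because the QR code contains the secret itself, a screenshot or photo of the setup screen is as sensitive as the backup codes.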

Other Google Authenticator Plugin

If you don’t want to use Wordfence or you use some other security firewall plugin, you can also use the miniOrange Google Authenticator plugin at

The setup is similar to Wordfence where you scan a QR code and enter the corresponding code to activate 2FA security for your logins.


Using 2FA for your WordPress logins significantly increases your level of security.

You should be using 2FA on all of your WordPress sites.


Join me every Thursday at 1 pm Sydney time for some more WPQuickies – WordPress tips and tricks in thirty minutes or less.

Broadcasting live on YouTube and Facebook.

Wil is a dad, WordPress consultant, WordPress developer, business coach and mentor. He co-organizes the WordPress Sydney meetup group and has been on the organising committee for WordCamp Sydney since 2014. He speaks at many special events and contributes to the WordPress open source project. His likes are chillies, craft beer and electrogravitics.
