Best Two-Factor Authentication Plugins for WordPress

Last updated on September 27th, 2017 by Robert Abela. Filed under WordPress Security Plugins

Two-Factor Authentication, (aka Two-Step Verification, 2FA) is an additional layer of security you can add to your WordPress login page. With 2FA it is virtually impossible for attackers to login to your WordPress, even if they guess your user’s password. Two-factor authentication is also good to help mitigate WordPress brute force attacks.

Read our article An Introduction to Two-Factor Authentication in WordPress for a detailed explanation of what it is and how it works. WordPress does not have 2FA by default, so you need a plugin to enable it. Below is a compilation of some of the best Two-Factor Authentication WordPress plugins currently available. At the end of the article I also explain why some of the popular 2FA plugins were not included in this compilation.

Google Authenticator

Google Authenticator is the first Two-Factor Authentication WordPress plugin I have used. It is available for free and is the most simple, easy to setup plugin. It is also the most basic one. Setting up 2FA for your WordPress cannot be easier. Once you install the plugin visit your profile page, enable the Google Authenticator Settings and scan the QR code with the Google Authenticator app on your smartphone.

Configuring the Google Authenticator plugin

That’s it, you are all setup. The next time you want to login to your WordPress you will be asked for a username, password and the code from the Google Authenticator app to login.

A WordPress login with two-factor authentication configured

Being the simplest plugin also means it has a few shortcomings:

  1. The users for whom 2FA is not enabled still have the Google Authenticator input field on the login prompt, which can be confusing. You can use the plugin Google Authenticator – Per User Prompt to disable the prompt.
  2. There is no global option to enable and enforce 2FA for all WordPress users. As an administrator you have to enabled it for every user individually.
  3. It does not support backup codes, so if you lose your phone the only way to login back to your WordPress is to delete the plugin via FTP or SSH.

Two-Factor

Two-Factor is also a free plugin and is very easy to setup. Once installed navigate to your WordPress user profile page to set 2FA. You can configure any of the following 2FA methods:

  • Email (authentication codes are sent via email)
  • Time Based One-Time Password (codes are generated via the Google Authenticator app)
  • Universal 2nd Factor (requiring a third party device)

Configuring WordPress 2FA with Two-Factor plugin

Similar to the Google Authenticator plugin, Two-Factor does not have a global setting to enforce 2FA for all users, but 2FA has to be enabled for every user individually. The good thing about the Two-Factor WordPress plugin is that it supports backup codes, so if for some reason you cannot generate the second factor to login to your WordPress, you can use one of the backup codes.

WordPress 2-Step Verification

WordPress 2-Step Verification is an improvement on both of the plugins mentioned above. It is also free and very easy to setup; once installed navigate to your WordPress user profile page and configure the Two-Factor Authentication settings. It supports:

  • Time Based One-Time Password (codes are generated via the Google Authenticator app)
  • Email (authentication codes are sent via email)

Configuring the WordPress 2-Step Verification plugin

The WordPress 2-Step Verification plugin also supports backup codes, so if for some reason you cannot provide the second factor you can use them to login. The other useful features that this plugin has are Trust this Computer and App passwords.

You can use the Trust this Computer in case you always login from the same computer, and you won’t be asked for the one-time code during login for 30 days.

The App passwords can be used to generate a permanent password for applications that connect to your WordPress and cannot prompt for the one-time security code during the login process. So if you have an app on your phone that connects to your WordPress you can still use it. App passwords are long, randomly generated passwords that you only have to provide once. They can also be revoked.

The only shortcoming the WordPress 2-Step Verification plugin has is that every WordPress user has to enable 2FA, and as an administrator you cannot enforce it.

Unloq Two Factor Authentication

The Unloq Two Factor Authentication plugin is probably the neatest free 2FA plugin I have seen. The only limitation it has is that you have to install Unloq’s own smartphone app to get started. Though this should not stop you from using the Unloq plugin.

Getting started is really easy; install the plugin and activate your Unloq account by simply specifying your email address. Once you confirm the one-time code which you receive via email, you can specify which of the Two-Factor Authentication methods should be enabled:Configuring 2FA on WordPress with Unloq

You can also send an invitation to all of your WordPress users from one central location:

Configuring 2FA for all your WordPress users

Once users receive the invite, they have to scan the QR code with the Unloq smartphone app to get started, that’s it. What I really like in this WordPress plugin is that:

  1. It supports Push Notifications, so instead of having to enter a one-time code each time you want to login to WordPress you are asked to approve the login from the smartphone app.
  2. It supports both OTP and email as a second factor for authentication.
  3. You have a central location from where you can manage all the users.
  4. You can use the same login / setup for multiple WordPress websites that you manage.

Other Popular Two-Factor Authentication Plugins

There are a few other popular Two-Factor authentication WordPress plugins you can use for WordPress, such as:

  • Rublon
  • Google Authenticator – Two Factor Authentication (2FA) by MiniOrange

Though the above have a number of limitations that make the free edition almost useless. For example Rublon, which we had reviewed a few years back have limited their free version to only one user. The free version of Google Authenticator by MiniOrange is limited to one user as well, and also limits the number of one-time passwords.

Which 2FA WordPress Plugin Should You Use?

With so many different options, which Two-Factor Authentication WordPress plugin should you use?

All the above mentioned WordPress plugins are good, and all of them help you improve the security of your WordPress login page. The differences between all of them are the features, the different types of second factor they support, different ways of setting them up, different interfaces etc. So it all depends on what you really need.

Have you used any of the above mentioned WordPress plugins? Do you have something to add to the above review? Leave a comment below and let us know which Two-Factor Authentication WordPress plugin you are using and why you are using it in the comments below.

WordPress Hosting, Firewall and Backup

WP White Security is hosted on A2 Hosting, protected with BBQ:Block Bad Queries Firewall and backed up with BlogVault online WordPress backup service

15 comments

Jim Walker 27/09/2017

Nicely summarized.
I plan on sharing this with my clients as well.
Thank you.

Robert Abela 11/10/2017

Thanks Jim.

Paul 28/09/2017

Heya, great article on 2FA… The more we discuss it the more folks will get on board.

I wanted to draw your attention to the 2FA system provided for within our Shield Security plugin. Would you be interested to give that a look and share your thoughts with me?

Cheers!
Paul.

Robert Abela 11/10/2017

Thank you Paul. This article is about single scope plugins which provide 2FA functionality, hence why I did not include any other “multi-security-purpose plugins”. Yes I’d be interested in taking a look. Use our Contact Form to get in touch with me. Looking forward to hearing from you.

Ahmad Awais 09/01/2018

Looks good to me, glad to see your plugin getting better!

Johnny Tucats 09/02/2018

Done any research on what happens with these if you lose your phone? With the Google Authenticator plugin I was using just changing my iPhone was a pain…all my accounts were gone when I opened the Authenticator app on the new phone (which was restored from a backup)! Imagine if I had lost the original iPhone…

Robert Abela 12/02/2018

Hi Johnny,

Thanks for your comment.

This is where backup codes help, and that is why you should ensure that the plugin you use supports them. So when you loose your phone, you can use one of those codes. Also, should you not have backup codes, you can always use a last resort solution: access the website files via FTP / CPanel and rename the plugin folder to disable it. Once logged in, rename it back, activate it and reconfigure it.

I hope the above answers your question.

Adam Kupis 30/03/2018

I need to consider install one from them on few websites of my clients after last brute force attacks. Thanks for info.
Cheers

Robert Abela 05/04/2018

Good idea @Adam! Definitely recommended.

S T 05/05/2018

I expected better things of miniOrange but had a horrible experience with them. Over time it became clear that their licensing tiers and product descriptions are misleading and designed to get you to upgrade. They need to be straight if their software is payware – if you’re after free multifactor for your users or even want to trial something before full implementation, you’re going to be disappointed in miniOrange.

Robert Abela 24/07/2018

Thanks for sharing your experience with us. I have never used miniOrange so cannot really say what is what, but certainly some software vendors need to make the upgrade path clearer, including stating clearly what is free and not.

Mike 29/06/2018

I use the Google Authenticator Plugin, one thing to note is that on old android phones, there is a glitch that makes the time sequence out of whack, and you don’t have enough time to log in. So If you are planning on implementing any of these plugins in your website, make sure you have a backup done before implementation, so you can recover your account if the plugin locks you out.

Robert Abela 24/07/2018

Valid point Mike. In fact I do notice that from time to time I am not allowed to login even though the code is correct. Maybe it is time to upgrade the phone 🙂

Carl Borg 25/09/2018

Nice and precise but I have a question about SMS verification. Is it covered in these plugins or something we need to purchase like an API? I read over here https://www.cloudways.com/blog/two-factor-authentication-plugins-wordpress/ regarding WordFence and other two factor authentication WordPress plugins but I am still not sure.

Robert Abela 03/10/2018

The plugins I covered in this post are free plugins and do not have SMS verification. If you want SMS verification then you need to look for commercial solutions. By the way, SMS it is not a recommended and good solution for 2FA. You can read more about this here:

https://www.entrepreneur.com/article/317830
https://www.howtogeek.com/310418/why-you-shouldnt-use-sms-for-two-factor-authentication/

Leave a Reply

Your email address will not be published. Required fields are marked *