Two-Factor Authentication (2FA) or Two-Step Verification is an additional layer of security you add to your WordPress login pages. With 2FA it is virtually impossible for attackers to hijack your WordPress user, even if they guess the password. Two-factor authentication is also good to help mitigate WordPress brute force attacks. If you are interested in learning more on 2FA and how it works read an introduction to Two-factor authentication in WordPress.
An out of the box install of WordPress does not have 2FA. You need a third party plugin to enable it on your website. So in this article I am going to highlight a list of the best Two-Factor Authentication WordPress plugins available.
Note: two-factor authentication does not replace the need to use strong passwords on your WordPress websites.
WP 2FA is a free WordPress two-factor authentication plugin we developed. We went the extra mile to make this plugin very easy to use for both the administrator managing the website, and also the users. Upon installing the plugin you are presented with a setup wizard. Users setup 2FA on their accounts via a wizard as well, so they do not need to have any technical expertise and do not need the helpdesk’s assistance.
WP 2FA supports multiple two-factor authentication protocols (such as TOTP and HOTP) and also 2FA backup codes. The features that make this WordPress 2FA plugin unique are:
- 2FA policies; website administrators can make 2FA mandatory to all WordPress users,
- Administrators can also configure which 2FA methods users can use,
- A grace period to configure 2FA (configurable by admin) for users who are required to use 2FA,
- The plugin automatically locks users who are required to use 2FA but fail to configure it within the grace period,
- Administrator can exclude specific user(s) or all users with a role from the 2FA policies.
When administrators require users to setup two-factor authentication, the plugin sends the users an email. The users also get a notification in the WordPress dashboard (screenshot below).
Two-Factor is also a free plugin and is well maintained. The 2FA settings are available in your WordPress user profile page. You can configure any of the following 2FA methods:
- Authentication codes via email
- One-time codes with the Google Authenticator app (Time Based One-Time Password)
- Universal 2nd Factor (requiring a third party device)
The Two-Factor plugin does not have a global setting or 2FA policies to enforce 2FA on website users. The website administrator has to enable it individually for every user. Two-Factor also supports backup codes, so if you cannot generate the second factor to login to your WordPress, you can use one of the backup codes.
Google Authenticator is the first Two-factor authentication plugin I used. It is free and is the most simple 2FA WordPress plugin, which means it is also the most basic one. Once you install the plugin visit your profile page, enable the Google Authenticator Settings, and scan the QR code with the Google Authenticator app on your smartphone. Read Google authenticator app for WordPress 2FA for instructions of how to use the app.
The next time you want to login to your WordPress website you will be asked for the username, password, and the code from the Google Authenticator app. However, being simple also means this plugin has a few shortcomings:
- The Google authenticator code placeholder is added to every user’s login page, which can be confusing. Use the Google Authenticator – Per User Prompt plugin to disable the prompt.
- There is no global option to enforce 2FA for all WordPress users. As an administrator you have to enabled it for every user individually.
- It does not support backup codes, so if you lose your phone the only way to login back to your WordPress is to delete the plugin via FTP or SSH.
WordPress 2-Step Verification
WordPress 2-Step Verification is another free 2FA plugin for WordPress. It is easy to setup; once installed you can configure Two-factor authentication from your WordPress user profile page. The plugin supports the following 2FA protocols:
- Time Based One-Time Password (codes are generated via the Google Authenticator app)
- Email (authentication codes are sent via email)
The WordPress 2-Step Verification plugin also supports backup codes, which you can use if you loose access to your primary 2FA code generator. The other useful features that this plugin has are Trust this Computer and App passwords.
The Trust this Computer setting is useful if you always use the same computer. If you use it, the plugin won’t be asked for the one-time code during login for 30 days.
This plugin also has App passwords. They are permanent passwords for applications that connect to your WordPress and do not support 2FA. For example, if you have an app on your phone that connects to your website.
The only shortcoming the WordPress 2-Step Verification plugin has is that every user has to enable 2FA. Website administrators cannot enforce it.
Unloq Two Factor Authentication
Another good WordPress 2FA plugin is the Unloq Two Factor Authentication plugin. However, to use this plugin you have to install Unloq’s own smartphone app.
Getting started is easy; install the plugin and activate your Unloq account. You can do so by specifying your email address. Once you confirm the one-time code you receive via email, you can specify which of the Two-Factor Authentication methods to use:
You can also send an invitation to all of your WordPress users from a central location:
Once users receive the invite, they need to scan the QR code with the Unloq smartphone app to get started. I like this plugin because of:
- Push Notifications; instead of entering a one-time code each time you want to login you are asked to approve the login from the smartphone app.
- It works with both OTP and email as a second factor for authentication.
- You have a central location from where you can manage all the users.
- You can use the same login / setup for multiple WordPress websites that you manage.
Which is the best two-factor authentication plugin?
With so many different options, it is hard to make a choice. If you are looking for a very basic plugin go for Two-Factor or Uniloq, which has a bit more features than WordPress 2-Step Verification and Google Authenticator.
If you want a good all rounder two-factor authentication plugin that is easy to setup and use and hassle free, supports backup codes, and has policies to enforce two-factor authentication, we highly recommend the WP 2FA plugin for WordPress.
Using the Google Authenticator app
To generate one time codes for two-factor authentication on WordPress you need the Google Authenticator app. Refer to how to use the Google Authenticator app to learn about all the functions of the app and how to use it.