Best Two-Factor Authentication Plugins for WordPress

Last updated on March 20th, 2020 by Robert Abela. Filed under WordPress Security

Two-Factor Authentication (2FA) or Two-Step Verification is an additional layer of security you add to your WordPress login pages. With 2FA it is virtually impossible for attackers to hijack your WordPress user, even if they guess the password. Two-factor authentication also helps mitigate WordPress brute force attacks. If you are interested in learning more about 2FA and how it works, read an introduction to Two-factor authentication in WordPress.

An out-of-the-box install of WordPress does not have 2FA. You need a third-party plugin to enable it on your website. So in this article I am going to highlight a list of the best Two-Factor Authentication WordPress plugins available.

Note: two-factor authentication does not replace the need to use strong passwords on your WordPress websites.

WP 2FA

WP 2FA is a free WordPress two-factor authentication plugin developed by us. We went the extra mile to make this plugin very easy to use for both the administrator managing the website and the users. Upon installing the plugin you are presented with a setup wizard. Users set up 2FA on their accounts via a wizard as well, so they do not need any technical expertise or the helpdesk’s assistance.

[SCREENSHOT]

WP 2FA supports multiple two-factor authentication protocols (such as TOTP and HOTP) and backup codes. The features that make this WordPress 2FA plugin unique are:

  • 2FA policies: website administrators can require all users, or a subset of users, to enable 2FA.
  • Administrators can also configure which 2FA methods the users may use.
  • A grace period to configure 2FA (configurable by the admin) for users who are required to use 2FA.
  • The plugin automatically locks users who are required to use 2FA but fail to configure it within the grace period.
  • Administrators can exclude specific users, or all users with a given role, from the 2FA policies.

When administrators require users to set up two-factor authentication, the plugin sends the users an email. The users also get a notification in the WordPress dashboard (screenshot below).

[SCREENSHOT]

Download the free WP 2FA 

Two-Factor

Two-Factor is also a free plugin and is well maintained. The 2FA settings are available in your WordPress user profile page. You can configure any of the following 2FA methods:

  • Authentication codes via email
  • One-time codes with the Google Authenticator app (Time-Based One-Time Password)
  • Universal 2nd Factor (requiring a third party device)

Configuring WordPress 2FA with Two-Factor plugin

The Two-Factor plugin does not have a global setting to enforce 2FA for all website users. The website administrator has to enable it individually for every user. Two-Factor also supports backup codes, so if you cannot generate the second factor to log in to your WordPress, you can use one of the backup codes.

Google Authenticator

Google Authenticator is the first two-factor authentication plugin I used. It is free and is the simplest 2FA WordPress plugin, which also makes it the most basic one. Once you install the plugin, visit your profile page, enable the Google Authenticator Settings and scan the QR code with the Google Authenticator app on your smartphone. Read Google authenticator app for WordPress 2FA for instructions on how to use the app.

Configuring the Google Authenticator plugin

The next time you want to log in to your WordPress website you will be asked for the username, the password, and the code from the Google Authenticator app. However, being simple also means this plugin has a few shortcomings:

  1. The Google authenticator code placeholder is added to every user’s login page, which can be confusing. Use the Google Authenticator – Per User Prompt plugin to disable the prompt.
  2. There is no global option to enforce 2FA for all WordPress users. As an administrator you have to enable it for every user individually.
  3. It does not support backup codes, so if you lose your phone the only way to log back in to your WordPress is to delete the plugin via FTP or SSH.
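To make the mechanism behind the Google Authenticator plugin concrete, here is an added example (not code from any of the plugins reviewed) of what the scanned QR code carries and how a server verifies the 6-digit code, including a one-step tolerance window for the phone clock drift described in the comments below. The secret is the constructed RFC 6238 reference key in base32; the account name and issuer are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed demo secret: the RFC 6238 reference key "12345678901234567890" in base32.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def provisioning_uri(secret_b32, account, issuer="WordPress"):
    """The otpauth:// URI that the profile-page QR code encodes.
    Google Authenticator reads the secret, issuer, algorithm and period from it."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time, period=30):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret_b32, int(unix_time) // period)


def verify_totp(secret_b32, submitted, unix_time=None, window=1):
    """Accept the code for the current step plus `window` steps either side, so a
    phone whose clock drifts by up to one period still logs in; a larger drift
    (the 'time out of whack' failure) is rejected. Constant-time comparison avoids
    leaking which digits matched."""
    now = int(time.time() if unix_time is None else unix_time)
    step = now // 30
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, step + delta), submitted):
            return True
    return False
```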

WordPress 2-Step Verification

WordPress 2-Step Verification is another free 2FA plugin for WordPress. It is easy to set up; once installed you can configure two-factor authentication from your WordPress user profile page. The plugin supports the following 2FA protocols:

  • Time-Based One-Time Password (codes are generated via the Google Authenticator app)
  • Email (authentication codes are sent via email)

Configuring the WordPress 2-Step Verification plugin

The WordPress 2-Step Verification plugin also supports backup codes, which you can use if you lose access to your primary 2FA code generator. The other useful features that this plugin has are Trust this Computer and App passwords.

The Trust this Computer setting is useful if you always use the same computer. If you enable it, you won’t be asked for the one-time code during login for 30 days.

This plugin also has App passwords. They are permanent passwords for applications that connect to your WordPress and do not support 2FA, for example an app on your phone that connects to your website.

The only shortcoming the WordPress 2-Step Verification plugin has is that every user has to enable 2FA. Website administrators cannot enforce it.

Unloq Two Factor Authentication

Another good WordPress 2FA plugin is the Unloq Two Factor Authentication plugin. However, to use this plugin you have to install Unloq’s own smartphone app.

Getting started is easy; install the plugin and activate your Unloq account. You can do so by specifying your email address. Once you confirm the one-time code you receive via email, you can specify which of the Two-Factor Authentication methods to use:

Configuring 2FA on WordPress with Unloq

You can also send an invitation to all of your WordPress users from a central location:

Configuring 2FA for all your WordPress users

Once users receive the invite, they need to scan the QR code with the Unloq smartphone app to get started. I like this plugin because of:

  1. Push notifications: instead of entering a one-time code each time you want to log in, you are asked to approve the login from the smartphone app.
  2. It works with both OTP and email as a second factor for authentication.
  3. You have a central location from where you can manage all the users.
  4. You can use the same login / setup for multiple WordPress websites that you manage.

Which Two-factor authentication plugin should you use?

With so many different options, it is hard to make a choice. If you are looking for a good basic plugin, go for Two-Factor or Unloq, which have a few more features than WordPress 2-Step Verification and Google Authenticator.

If you want a good all-rounder plugin that is easy to set up and use, hassle free, supports backup codes, and allows you to require users to enable 2FA, use WP 2FA.

Using the Google Authenticator app

To generate one-time codes for two-factor authentication on WordPress you need the Google Authenticator app. Refer to how to use the Google Authenticator app to learn about all the functions of the app and how to use it.


17 comments

Jim Walker 27/09/2017

Nicely summarized.
I plan on sharing this with my clients as well.
Thank you.

Robert Abela 11/10/2017

Thanks Jim.

Paul 28/09/2017

Heya, great article on 2FA… The more we discuss it the more folks will get on board.

I wanted to draw your attention to the 2FA system provided for within our Shield Security plugin. Would you be interested to give that a look and share your thoughts with me?

Cheers!
Paul.

Robert Abela 11/10/2017

Thank you Paul. This article is about single scope plugins which provide 2FA functionality, hence why I did not include any other “multi-security-purpose plugins”. Yes I’d be interested in taking a look. Use our Contact Form to get in touch with me. Looking forward to hearing from you.

Ahmad Awais 09/01/2018

Looks good to me, glad to see your plugin getting better!

Johnny Tucats 09/02/2018

Done any research on what happens with these if you lose your phone? With the Google Authenticator plugin I was using just changing my iPhone was a pain…all my accounts were gone when I opened the Authenticator app on the new phone (which was restored from a backup)! Imagine if I had lost the original iPhone…

Robert Abela 12/02/2018

Hi Johnny,

Thanks for your comment.

This is where backup codes help, and that is why you should ensure that the plugin you use supports them. So when you lose your phone, you can use one of those codes. Also, should you not have backup codes, you can always use a last resort solution: access the website files via FTP / CPanel and rename the plugin folder to disable it. Once logged in, rename it back, activate it and reconfigure it.

I hope the above answers your question.

Adam Kupis 30/03/2018

I need to consider installing one of them on a few of my clients’ websites after the last brute force attacks. Thanks for the info.
Cheers

Robert Abela 05/04/2018

Good idea @Adam! Definitely recommended.

S T 05/05/2018

I expected better things of miniOrange but had a horrible experience with them. Over time it became clear that their licensing tiers and product descriptions are misleading and designed to get you to upgrade. They need to be straight if their software is payware – if you’re after free multifactor for your users or even want to trial something before full implementation, you’re going to be disappointed in miniOrange.

Robert Abela 24/07/2018

Thanks for sharing your experience with us. I have never used miniOrange so cannot really say what is what, but certainly some software vendors need to make the upgrade path clearer, including stating clearly what is free and not.

Mike 29/06/2018

I use the Google Authenticator Plugin, one thing to note is that on old android phones, there is a glitch that makes the time sequence out of whack, and you don’t have enough time to log in. So If you are planning on implementing any of these plugins in your website, make sure you have a backup done before implementation, so you can recover your account if the plugin locks you out.

Robert Abela 24/07/2018

Valid point Mike. In fact I do notice that from time to time I am not allowed to login even though the code is correct. Maybe it is time to upgrade the phone 🙂

Carl Borg 25/09/2018

Nice and precise but I have a question about SMS verification. Is it covered in these plugins or something we need to purchase like an API? I read over here https://www.cloudways.com/blog/two-factor-authentication-plugins-wordpress/ regarding WordFence and other two factor authentication WordPress plugins but I am still not sure.

Robert Abela 03/10/2018

The plugins I covered in this post are free plugins and do not have SMS verification. If you want SMS verification then you need to look for commercial solutions. By the way, SMS is not a recommended or good solution for 2FA. You can read more about this here:

https://www.entrepreneur.com/article/317830
https://www.howtogeek.com/310418/why-you-shouldnt-use-sms-for-two-factor-authentication/

Brian 28/11/2019

Sorry I’m a bit late to the party here. I don’t understand why 2FA is not deemed as 100% hacker proof. I’m using Two Factor. It works perfectly by sending the code to my email. How can any hacker get round that?

Robert Abela 04/12/2019

It works well, however, it has got its shortcomings. For example if an attacker hacks / gains access to your email, then he can practically reset the password and login to the website. On the other hand, if you use one time codes via a mobile app for logins, unless the attacker steals your mobile, it is virtually impossible to break 2FA. It is not recommended to use email or SMS for 2FA. Preferably you should use one time codes generated via a mobile app.
