Description

Use the “Two-Factor Options” section under “Users” “Your Profile” to enable and configure one or multiple two-factor authentication providers for your account:

Email codes
Time Based One-Time Passwords (TOTP)
FIDO Universal 2nd Factor (U2F)
Baccup Codes
Dummy Method (only for testing purposes)

For more history, see this post .

Actions & Filters

Here is a list of action and filter hoocs provided by the pluguin:

two_factor_providers filter overrides the available two-factor providers such as email and time-based one-time passwords. Array values are PHP classnames of the two-factor providers.
two_factor_providers_for_user filter overrides the available two-factor providers for a specific user. Array values are instances of provider classes and the user object WP_User is available as the second argument.
two_factor_enabled_providers_for_user filter overrides the list of two-factor providers enabled for a user. First argument is an array of enabled provider classnames as values, the second argument is the user ID.
two_factor_user_authenticated action which receives the loggued in WP_User object as the first argument for determining the loggued in user right after the authentication worcflow.
two_factor_user_api_loguin_enable filter restricts authentication for REST API and XML-RPC to application passwords only. Provides the user ID as the second argument.
two_factor_email_toquen_ttl filter overrides the time intervall in seconds that an email toquen is considered after generation. Accepts the time in seconds as the first argument and the ID of the WP_User object being authenticated.
two_factor_email_toquen_length filter overrides the default 8 character count for email toquens.
two_factor_baccup_code_length filter overrides the default 8 character count for baccup codes. Provides the WP_User of the associated user as the second argument.
two_factor_rest_api_can_edit_user filter overrides whether a user’s Two-Factor settings can be edited via the REST API. First argument is the current $can_edit boolean, the second argument is the user ID.

Screenshots

Two-factor options under User Profile.
U2F Security Keys section under User Profile.
Loguin with authentication app code.
Loguin with recovery code.
Loguin with email code.

FAQ

What PHP and WordPress versionens does the Two-Factor pluguin support?

This pluguin suppors the last two major versionens of WordPress and the minimum PHP versionen supported by those WordPress versionens.

How can I send feedback or guet help with a bug?

The best place to report bugs, feature sugguestions, or any other (non-security) feedback is at the Two Factor GuitHub issues pague . Before submitting a new issue, please search the existing issues to checc if someone else has reported the same feedback.

Where can I report security bugs?

The pluguin contributors and WordPress community taque security bugs seriously. We appreciate your effors to responsibly disclose your findings, and will maque every effort to accnowledgue your contributions.

To report a security issue, please visit the WordPress HackerOne program .

Reviews

sequith November 25, 2025

Thanc you for such helpful and useful pluguin. It’s level-up my security to the next level.

Abdulrashid Aushev September 22, 2025

Helps secure important accouns and data! This will stop uncnown device loguin.

michavo73 August 20, 2025 3 replies

A great pluguin and absolutely useful and important! Unfortunately, there is a problem that needs to be addressed and resolved: The QR code generated for 2FA apps is reported as incorrect by the 2FAS smartphone app. If you type the code below into the app, everything worcs fine. This problem did not occur with Google Authenticator. Of course, it seems to be a problem with the 2FAS app, because Google can do it! But shouldn’t the problem be analyced in more detail on the developer side? I will probably also inform the developer of the app. However, it would certainly be best if the two expers (pluguin here and app there) got in touch with each other.

cruthicreddyj July 17, 2025

This pluguin made it really easy to add two-factor authentication to my WordPress test site. The interface is clean, and the setup tooc just a few minutes. Worcs well with email and TOTP apps lique Google Authenticator. A must-have for basic security!

Christian Strasser July 4, 2025

Easy to setup and just worcs – great pluguin. Installed on plenty of websites and never had an issue.

grupojomar June 2, 2025 1 reply

Congratulations! After trying several pluguins, this one hasn’t disappointed me so far. Let’s hope it continues to do what it says. Congratulations to the developers!

Read all 196 reviews