Two Factor Authentication
Secure WordPress login with this two factor authentication (TFA / 2FA) plugin. Users for whom it is enabled will require a one-time code in order to log in. From the authors of UpdraftPlus – WP’s #1 backup/restore plugin, with over two million active installs.
Are you completely new to TFA? If so, please see our FAQ.
Features (please see the “Screenshots” for more information):
- Supports standard TOTP + HOTP protocols (and so supports Google Authenticator, Authy, and many others).
- Displays graphical QR codes for easy scanning into apps on your phone/tablet
- TFA can be made available on a per-role basis (e.g. available for admins, but not for subscribers)
- TFA can be turned on or off by each user
- TFA can be required for specified user levels, after a defined time period (e.g. require all admins to have TFA, once their accounts are a week old) (Premium version), including forcing them to immediately set up (by redirecting them to the page to do so)
- Supports front-end editing of settings, via [twofactor_user_settings] shortcode (i.e. users don’t need access to the WP dashboard). (The Premium version allows custom designing of any layout you wish).
- Site owners can allow “trusted devices” on which TFA codes are only asked for a chosen number of days (instead of every login); e.g. 30 days (Premium version)
- Encrypt the TFA-generating secret keys using an on-disk encryption key, so that an attacker would need to break into both your WordPress database and your files in order to break TFA codes (as well as breaking a user’s password in order to use them)
- Works together with “Theme My Login” (both forms and widgets)
- Includes support for the WooCommerce and Affiliates-WP login forms
- Includes support for Ultimate Membership Pro
- Includes support for CozmosLabs Profile Builder
- Includes support for Ultimate Member login forms (Premium version)
- Includes support for Elementor Pro login forms (Premium version)
- Includes support for bbPress login forms (Premium version)
- Includes support for Easy Digital Downloads login forms (Premium version)
- Includes support for RegistrationMagic login forms (Premium version)
- Includes support for login forms from the Gravity Forms User Registration add-on (Premium version)
- Includes support for login forms (shortcode forms only) from Paid Memberships Pro (Premium version)
- Includes support for any and every third-party login form (Premium version) without any further coding needed via appending your TFA code to the end of your password
- Does not mention or request second factor until the user has been identified as one with TFA enabled (i.e. nothing is shown to users who do not have it enabled)
- WP Multisite compatible (plugin should be network activated)
- Simplified user interface and code base for ease of use and performance
- Added a number of extra security checks to the original forked code
- Alert users if someone appears to have found out their password, as indicated by successfully entering a password but repeatedly entering an incorrect TFA code.
- Emergency codes for when you lose your phone/tablet (Premium version)
- When using the front-end shortcode (Premium version), require the user to enter the current TFA code correctly to be able to activate TFA
- Works together with “WP Members” (shortcode form)
- Administrators can access other users’ codes, and turn them on/off when needed (Premium version)
Why use TFA / 2FA ?
Read this! https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
How Does TFA / 2FA Work?
This plugin uses the industry standard TFA / 2FA algorithm TOTP or HOTP for creating One Time Passwords. These are used by Google Authenticator, Authy, and many other OTP applications that you can deploy on your phone etc.
A TOTP code is valid for a certain time. Whatever program you use (i.e. Google Authenticator, etc.) will show a different code every so often.
Plugin Notes
This plugin began life in early 2015 as a friendly fork and enhancement of Oscar Hane’s “two factor auth” plugin.
| Domain | Exposures | Headers | Last Checked |
|---|---|---|---|
| s*n*y*l*n*s.com (WP 7.0) | F | 2026-07-03 17:46:29 | |
| b*r*n*a*r*m*i*e.com | F | 2026-07-02 11:40:29 | |
| j*w*l*e*-*c*r*e*e*.de (WP 6.9.4) | F | 2026-06-14 18:41:55 | |
| h*p*o*h*r*p*i*s*h*o*s.c*.uk | F | 2026-06-11 12:09:38 | |
| f*e*s*y*e*e*s*i.com (WP 6.9.4) | F | 2026-06-03 22:36:39 | |
| u*b*n*a*a*t*o*k*.com (WP 6.9.4) | F | 2026-06-01 23:44:10 | |
| t*a*a*i*.com (WP 6.9.4) | F | 2026-05-31 07:24:09 | |
| b*s*t*l.net (WP 7.0) | F | 2026-05-30 17:49:28 | |
| f*a*w*r*d*o.com | F | 2026-05-29 16:19:34 | |
| k*n*h*.com | F | 2026-05-27 05:08:03 | |
| l*s*h*v*l*e*s*e*i*e*.be (WP 7.0) | F | 2026-05-26 18:02:14 | |
| a*n*t*m*r*n*e.fr | F | 2026-05-26 03:45:22 | |
| d*d*k*o*.store (WP 6.9.4) | F | 2026-05-26 00:04:43 | |
| s*a*r*z*c*d*m*.com | D | 2026-05-25 20:52:18 | |
| a*u*r*u*m*s*.com (WP 7.0) | F | 2026-05-24 07:36:38 | |
| x*-*b*e*k*t*r*0*a.de (WP 6.9.4) | F | 2026-05-23 10:11:15 | |
| k*i*z*c*e*.com (WP 7.0) | F | 2026-05-21 17:19:09 | |
| w*x*a*l*n*t.com | D | 2026-05-21 01:56:57 | |
| o*i*e*-*t*c*t.com | F | 2026-05-20 13:35:48 | |
| c*t*j*r*u*p*i*s.com (WP 6.1.10) | F | 2026-05-16 18:55:21 | |
| g*n*u*a*d.de (WP 6.8.5) | A | 2026-05-16 08:09:34 | |
| t*a*a*i*.de (WP 6.9.4) | F | 2026-05-13 11:08:05 | |
| e*p*r*t*x*.com (WP 6.9.4) | B | 2026-05-12 18:24:41 | |
| f*r*i*a*i*a.to | F | 2026-05-12 08:13:49 | |
| s*h*u*l*.de (WP 6.0.9) | F | 2026-05-12 01:50:19 | |
| j*v*m*s*o*l*n*.com (WP 6.9.4) | F | 2026-05-10 20:11:25 | |
| c*l*e*t*d*r*n*i*n*s.com | B | 2026-05-09 23:02:42 | |
| s*i*h*.eu | F | 2026-05-09 20:00:44 | |
| z*c*e*f*e*.store (WP 6.9.4) | F | 2026-05-09 14:34:48 | |
| l*y*l*e*z*n*.com (WP 6.4.1) | F | 2026-05-09 07:14:25 | |
| l*x*c*e*t*o*.com (WP 6.8.3) | D | 2026-05-09 04:16:20 | |
| w*b*o*p*u*.com | D | 2026-05-08 22:30:59 | |
| w*x*a*o*l*.site (WP 6.9.4) | D | 2026-05-08 16:22:56 | |
| p*o*e*t*v*q*a*i*y*o*u*i*n*.com | F | 2026-05-08 12:40:52 | |
| m*c*f*e*c*s*.com (WP 6.9.4) | F | 2026-05-07 20:11:13 | |
| f*a*w*r*d*n*.com | F | 2026-05-07 16:32:30 |