How to Set Up Two-Factor Authentication in WordPress

A password is a single point of failure. Once someone has it — through a data breach on another site, a phishing email, or a simple guess — they have your WordPress dashboard too. I’ve seen this happen to site owners who had a strong, unique password but no second layer behind it, and the difference two-factor authentication makes in practice is significant.

Two-factor authentication, usually shortened to 2FA, asks for a second piece of proof after the password — a code from an app, an emailed code, or a physical security key. Even if an attacker has your password, they can’t log in without that second factor. WordPress doesn’t include this by default, but adding it takes about ten minutes.

This guide covers setting up 2FA on a self-hosted WordPress site using a free plugin, without needing a security suite or paid add-on.

Quick Answer

Install a dedicated two-factor authentication plugin, such as the official Two Factor plugin, then enable it from each user’s profile page under Users in wp-admin. Once enabled, that user needs both their password and a code from an authenticator app (or another configured method) to log in.

Why This Matters

Most successful WordPress break-ins don’t involve a clever exploit — they involve a password that was reused, leaked, or weak enough to guess. Automated bots run through lists of known-breached credentials against login pages all day, every day, testing the same email-and-password combinations that leaked from unrelated sites years ago. Even with login attempt limits in place, a correct password on the first try still gets an attacker straight in — rate limiting only slows down guessing, it doesn’t stop a password that’s already known.

2FA closes that gap. In my experience, it’s the single highest-impact change you can make to login security, because it protects against the failure mode that actually happens most often — a compromised password — rather than the more exotic attacks site owners tend to worry about instead. It also gives you a useful signal: if you ever get an unexpected authenticator prompt you didn’t trigger, that’s an early warning your password has leaked somewhere.

Step-by-Step Instructions

1. Install a 2FA Plugin

In wp-admin, go to Plugins → Add New and search for “Two Factor”. Install and activate the Two Factor plugin maintained by the WordPress core contributor team — it’s free, has no upsell tiers, and is kept current with WordPress releases.

2. Get an Authenticator App

Before configuring the plugin, install an authenticator app on your phone — Google Authenticator, Authy, or 1Password all work. These apps generate a new six-digit code every 30 seconds, based on a shared secret set up in the next step. No internet connection is needed to generate codes once set up.

3. Enable 2FA on Your Account

Go to Users → Profile and scroll to the Two-Factor Options section. Choose TOTP (Time Based) as the provider, scan the displayed QR code with your authenticator app, then enter the six-digit code it generates to confirm the pairing. Click Update Profile to save.

4. Generate Backup Codes

Still on the profile page, generate a set of one-time backup codes and store them somewhere other than your phone — a password manager or printed copy in a safe place. If you lose your phone, these are the only way back into your account without direct database access.

5. Test Before You Log Out

Before closing your current session, open a private browser window and log in from scratch using your password and a fresh code from the authenticator app. This confirms the pairing actually works while you still have a logged-in session to fall back on if something’s misconfigured.

6. Require It for Other Users

2FA is opt-in per user by default, which means other admins or editors on the site won’t have it unless they set it up themselves. If more than one person has dashboard access, ask each of them to complete steps 3 to 5 on their own account, and check back after a week to confirm everyone has. A site with several dashboard users and 2FA on only one account is still exposed — the plugin doesn’t enforce this for you automatically.

Practical Tips

  • Set up 2FA on the admin account first — it’s the one attackers target hardest, since the username is often guessable or already known from public author pages.
  • Pair 2FA with a non-default login URL — it won’t stop a targeted attack, but it cuts out the automated scanners that only ever try /wp-login.php.
  • Store backup codes outside the same device your authenticator app runs on. A lost or wiped phone with codes stored in the same phone’s notes app defeats the purpose.
  • If you manage several WordPress sites, use one authenticator app for all of them rather than mixing tools — it makes the six-digit code habit consistent and means you’re not hunting for the right app when you’re trying to log in quickly.

Common Mistakes

  • Enabling it only for yourself. A site with five admin users and 2FA on just one account is still one weak password away from a breach.
  • Skipping backup codes. Without them, a lost or reset phone means locking yourself out of your own site.
  • Treating 2FA as a replacement for a strong password. It’s an additional layer, not a substitute — keep using long, unique passwords alongside it.
  • Not testing the setup before logging out. Confirming the pairing works while your original session is still active saves a stressful support ticket to your host if the code doesn’t sync correctly.

When to Use This vs Alternatives

A dedicated 2FA plugin is the right choice for most sites — it’s free, focused, and doesn’t add the overhead of a full security suite. If you’re already running a broader security plugin as part of hardening your WordPress install, check whether it already includes 2FA before adding a second plugin, since running two authentication plugins together can cause login conflicts.

Authenticator apps aren’t the only option. Email-based codes are simpler to set up but weaker, since they depend on the security of the inbox they’re sent to. Physical security keys using WebAuthn are stronger again, but overkill for most single-site owners and better suited to agencies managing several client logins where the added cost and setup time are easier to justify. For a typical WordPress site, an authenticator app hits the right balance of security and convenience.

Conclusion

Two-factor authentication turns a stolen or guessed password from a break-in into a dead end. Set it up on every admin account this week, starting with the guidance in the step-by-step guide to building a WordPress website if you’re still working through your site’s initial security setup.