Two Factor Authentication

From £19.00 (you can pay in GB pounds sterling, euros or US dollars) / 12 months

Scroll down the page to see screenshots of this plugin in action.

“Two Factor Authentication” (TFA) is a tried-and-tested way to secure your WordPress site from unwanted logins.

By default, WordPress is protected only by a password. Once somebody guesses your password, they have full access. “Two Factor” security adds a second factor. This plugin uses the most popular implementation of TFA: one-time codes that are shown on your phone, tablet or other device, and which do not require you to be connected to a network (i.e. you don’t need to be online, receiving SMSes, etc.).


  • Supports standard TOTP + HOTP protocols (and so supports Google Authenticator, Authy, and many others).
  • Displays graphical QR codes for easy scanning into apps on your phone/tablet
  • TFA can be made available on a per-role basis (e.g. available for admins, but not for subscribers)
  • TFA can be turned on or off by each user
  • TFA can be made compulsory for chosen user roles (e.g. for all admins and editors), after a configurable time period to allow them to set it up (e.g. after 7 days)
  • Supports front-end editing of settings – any layout you wish (using standard WordPress shortcodes)
  • Site owners can allow “trusted devices” on which TFA codes are only asked for a chosen number of days (instead of every login); e.g. 30 days
  • Includes native support for the built-in WordPress, WooCommerce, Theme My Login, Elementor, Affiliates-WP, CozmosLabs Profile Builder, Gravity Forms User Registration add-on, Ultimate Member, Ultimate Membership Pro, bbPress and WP Members login forms; also supports any login form at all via appending your TFA code to your password (e.g. works with login forms that don’t follow internal WP conventions)
  • Optional anti-bot protection on WooCommerce login forms, hiding the existence of the form unless JavaScript is active.
  • Does not mention or request second factor until the user has been identified as one with TFA enabled (i.e. nothing is shown to users who do not have it enabled)
  • Encrypts the TFA-generating secret keys using an on-disk encryption key, so that an attacker would need to break into both your WordPress database and your files in order to break TFA codes (as well as breaking a user’s password in order to use them).
  • WP Multisite compatible (plugin should be network activated)
  • Simplified user interface and code base for ease of use and performance
  • Emergency codes for when you lose your phone/tablet
  • Administrators can access other users’ codes, and turn them on/off when needed
  • Translatable – we have a website where you can easily add translations into your own language, if you wish
  • Alerts users if someone appears to have found out their password, as indicated by successfully entering a password but repeatedly entering an incorrect TFA code.

All WordPress versions from 3.4 onwards, including the current release, are supported.


Plugin FAQs for this particular plugin can be read here. FAQs which apply to all our commercial plugins can be read here.


The user is asked for their one-time password, after successfully entering their username and password on the WP login form:

User being asked to enter their one-time code (after successfully entering their username/password)

This is what the user sees if they enter their pass-code wrongly:

What the user sees if they enter their one-time code incorrectly

The user is asked for their one-time password, after successfully entering their username and password on the WooCommerce login form:

The user being asked to enter their one-time login code on a WooCommerce login form

This is what the user sees if they enter their pass-code wrongly:

What the user sees if they enter their two-factor code wrongly on a WooCommerce login form

This screen is of the user editing their two-factor settings in the WP dashboard:

User settings (in the WP admin area)

The user’s settings can also be made available to edit on the front-end, via a shortcode:

User settings (in the front-end)

Site-wide settings for the plugin:

Site-wide settings

Setting policy to require TFA:

Requiring TFA

Trusted devices:


Emergency codes:


Adjusting other users’ TFA codes as an administrator:


Designing your own page for users, using shortcodes:



The following short-codes are available:

twofactor_user_settings : This short-code displays the whole user configuration. Use it to allow your users to get/set their TFA settings. Alternatively, to design the page yourself, you can use the individual short-codes that follow:

twofactor_user_settings_enabled : Display the option to turn TFA on or off.

twofactor_user_qrcode : Display the user’s QR code for scanning.

twofactor_user_emergencycodes : Display the user’s emergency codes.

twofactor_user_advancedsettings : Display the user’s advanced settings (e.g. selecting TOTP or HOTP).

twofactor_user_privatekeys : Display the user’s private keys. Use the ‘type’ parameter, with values ‘full’ (default), ‘plain’, ‘base32’ or ‘base64’ to control exactly what is displayed.

twofactor_user_privatekeys_reset : Display a link for the user to reset (change) their private key.

twofactor_user_currentcode : Display the current TFA code.

twofactor_user_presstorefresh : Wrap this shortcode around any HTML that you want to cause the current TFA code (displayed by the twofactor_user_currentcode shortcode) to refresh when clicked.

twofactor_conditional : Wrap this shortcode around any content that you wish to be displayed only if the condition is met. The condition is specified by the “onlyif” parameter, with valid values: active, inactive, available, unavailable. The content will be shown depending on whether the user has TFA available (i.e. the administrator has allowed it for their user level)/activated. You can use this, for example, to display notices to your users to suggest that they activate TFA, or to remind them that it is available, etc.
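As an added illustration (not taken from the plugin's own documentation), here is one way the individual short-codes could be combined into a self-designed front-end page. It uses only the short-codes and the “onlyif” values listed above, written in standard WordPress enclosing-shortcode syntax; the HTML, headings and wording are constructed, and it assumes that twofactor_conditional processes other short-codes placed inside it.

```html
<!-- Constructed example: content of a members-only "Account security" page. -->
<!-- How "inactive" and "unavailable" overlap is not stated above; check the
     result with a test user whose role is not allowed to use TFA. -->

[twofactor_conditional onlyif="unavailable"]
<p>Two-factor authentication is not offered for your account type.</p>
[/twofactor_conditional]

[twofactor_conditional onlyif="inactive"]
<h3>Protect your account</h3>
<p>Scan this QR code with your authenticator app, then turn TFA on.</p>
[twofactor_user_qrcode]
[twofactor_user_settings_enabled]
[/twofactor_conditional]

[twofactor_conditional onlyif="active"]
<h3>Two-factor authentication is on</h3>
<p>Code your app should currently show: [twofactor_user_currentcode]</p>
[twofactor_user_presstorefresh]<button type="button">Refresh code</button>[/twofactor_user_presstorefresh]

<h3>Emergency codes</h3>
<p>Store these offline, for use if you lose your phone or tablet.</p>
[twofactor_user_emergencycodes]

<h3>Settings</h3>
[twofactor_user_settings_enabled]
[twofactor_user_advancedsettings]

<h3>Replace your key</h3>
<p>Use this if your device was lost or replaced, then scan the new QR code.</p>
[twofactor_user_privatekeys_reset]
[/twofactor_conditional]

<!-- twofactor_user_privatekeys is deliberately left out, so the secret key is
     never printed as text on a front-end page. -->
```

Placing different short-codes inside twofactor_conditional avoids nesting a short-code inside itself, which the WordPress shortcode parser does not handle.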

Additional information

Licence type

Single site licence (£19 / £24), Up to 5 sites (£29 / £39), Up to 25 sites (£59 / £69)

Renewal type

Automatic renewal (subscription – discounted), Manual renewal

Support and updates

As is usual with paid WordPress plugins, this plugin comes with 12 months of personal support and access to new releases. (After 12 months, you can renew if you want to keep on accessing new releases – but you are free to not do so; you will not lose access to your already-installed version). Our refund policy is published here.
