WordPress Two-Factor Authentication: Setup and Lockout Recovery
A strong password stops the casual attacker. It does nothing against credential stuffing, where a bot tries thousands of leaked password-and-email combos against your login page in seconds. Two-factor authentication (2FA) is the single cheapest fix for that - but on WordPress it's a plugin you configure yourself, not a switch that's on by default. Here's how to set it up properly, force it for every admin, and get back in if you ever lock yourself out.
Why 2FA matters more on WordPress than it seems
wp-login.php is a public URL. Anyone can find it, and automated bots hit it constantly with credentials pulled from other sites' data breaches. If even one admin or editor reuses a password that's leaked elsewhere, that account is one login attempt away from being owned. 2FA closes that gap: even with the correct password, an attacker also needs a code from your phone or a security key in their hand.
Picking a 2FA method
WordPress doesn't ship with 2FA, so you're choosing between a few plugin-based approaches. The three that matter:
| Method | How it works | Best for |
|---|---|---|
| TOTP authenticator app | Google Authenticator, Authy, or 1Password generate a 6-digit code that changes every 30 seconds | Most sites - free, works offline, no SMS cost |
| Email code | A one-time code is emailed on login | Backup method only - useless if the site's own mail is broken |
| Security key (WebAuthn/passkey) | A physical key (YubiKey) or device biometric confirms login | High-value sites, agencies managing client admin access |
For plugins, three cover almost every case:
- WP 2FA - free, straightforward TOTP setup, good enforcement policies for multi-user sites.
- Wordfence Login Security - free, pairs well if you're already running Wordfence's firewall.
- miniOrange 2FA - free tier plus SMS/security-key options if you need more than TOTP.
Skip plugins that bundle 2FA into a paid security suite you don't otherwise need - it's not worth the license cost just for this one feature.
Setting it up step by step
- Install and activate your chosen plugin from Plugins > Add New.
- Log in with your own account first and follow the on-screen QR code - scan it with your authenticator app, then enter the 6-digit code it generates to confirm the pairing.
- Save the backup/recovery codes the plugin shows you right now. Most plugins display these exactly once. Store them in a password manager, not a text file on the desktop.
- Test by logging out and back in fully - don't just trust the setup screen. If the code doesn't work, check the server time first (see the lockout section below).
Enforcing 2FA for every admin, not just yourself
Setting up 2FA on your own account protects you, but leaves every other admin and editor as the weak link. In WP 2FA, go to 2FA > Policies and set an enforcement rule: require 2FA for specific roles (Administrator and Editor at minimum) with a grace period of a day or two so nobody gets locked out mid-task. Wordfence and miniOrange have equivalent role-based policy screens.
If you manage a WordPress Multisite network, enforce the policy at the network level rather than per-site - a per-site setting won't apply to a subsite admin logging in through a different site's dashboard.
Symptom: locked out after enabling 2FA
Cause: almost always one of three things - the authenticator app's code doesn't match because the server's clock has drifted, the backup codes were never saved, or the plugin itself has a bug/conflict that broke the login screen entirely.
Fix:
- Clock drift: TOTP codes are time-based and only valid for a ~30 second window with a small tolerance either side. If your phone's clock is off, codes will fail even though everything else is correct. Check Settings on your phone for automatic time sync, or manually sync it, then try again immediately.
- Lost backup codes, but you have SSH/SFTP access: connect to the server and rename the plugin's folder in
wp-content/plugins/(for example,mv wp-2fa wp-2fa-disabled). WordPress deactivates any plugin it can't find on the next page load, which drops the 2FA requirement without touching anything else. Log in normally, then rename the folder back and reconfigure. - No file access, but you have phpMyAdmin: open phpMyAdmin from cPanel, go to the
wp_optionstable, and find rows whereoption_namematches the plugin's slug (e.g. anything starting withwp_2fa_). Deleting those rows resets the plugin to its unconfigured state on next login. Back up the table before you touch it. - You have WP-CLI access: this is the cleanest option - deactivate the plugin with a single command and skip the file-renaming altogether:
wp plugin deactivate wp-2fa --allow-root
Swap wp-2fa for the actual plugin slug you're running (check wp plugin list if you're not sure).
If none of that works
As a last resort, a direct database edit removes the 2FA requirement without needing plugin file access at all. In phpMyAdmin, run a query against wp_usermeta to clear the specific 2FA meta key the plugin stores per user (check the plugin's documentation for the exact key name, since it varies by plugin) - this is safer than deleting whole option rows because it's scoped to one account instead of the whole site's configuration.
Preventing the next lockout
- Save backup codes somewhere durable the moment they're generated - a password manager entry, not a sticky note or a screenshot on the same phone you're authenticating with.
- Keep one admin account 2FA-free but with an extremely strong, unique, password-manager-generated password, used only for emergency access via a trusted IP allowlist in
.htaccess. It's a deliberate trade-off for recoverability, not a loophole to leave open casually. - Confirm SSH or SFTP access works before you enable 2FA sitewide, not after you're locked out and need it.
- If you manage several client sites, standardize on one 2FA plugin across all of them - relearning a different recovery process under pressure at 11 p.m. is how minor lockouts turn into missed deadlines.
Prevention checklist
| Step | Why |
|---|---|
| Save backup codes immediately on setup | They're shown once - losing them means a file/database-level recovery every time |
| Enforce 2FA by role, with a grace period | Stops a bypassed admin account being the weak link |
| Verify SSH/SFTP/phpMyAdmin access works first | You'll need at least one of these if the plugin ever misbehaves |
| Keep server/phone clocks in sync | TOTP codes fail silently on clock drift, and it looks like a wrong code |
2FA is worth the ten minutes of setup friction. The lockout scenarios above are all recoverable in a few minutes once you know which door to use - the real risk is skipping 2FA altogether because it feels like one more thing that could go wrong.
Frequently asked questions
Does WordPress have built-in two-factor authentication?
No. Core WordPress has no native 2FA - you need a plugin like WP 2FA, Wordfence Login Security, or miniOrange to add it. Application passwords (introduced in WordPress 5.6) are a related but separate feature for API access, not a login 2FA method.
Can I use 2FA with a security plugin's REST API or app connections?
Yes, but use WordPress Application Passwords for those instead of your 2FA-protected login. Application passwords are scoped per-app and can be revoked individually without touching your main account's 2FA setup.
What happens if my phone is lost or replaced?
This is exactly what backup/recovery codes are for - enter one instead of a TOTP code to get back in, then re-pair the new phone's authenticator app from your account's 2FA settings. If you didn't save backup codes, you'll need the SSH/phpMyAdmin recovery steps instead.
Will 2FA slow down normal logins?
It adds one extra step - entering a 6-digit code after your password - which takes a few seconds. Most plugins offer a 'remember this device for 30 days' option so you're not prompted on every single login from the same browser.
Should I enforce 2FA for subscriber or customer accounts on a WooCommerce site?
Generally no. Enforce it for Administrator and Editor roles where a compromised account can change content or settings. Requiring it for customer-facing accounts adds friction to checkout without a proportional security benefit, since those accounts can't touch the site itself.