Best Two-Factor Authentication Plugins for WordPress

Two-Factor Authentication (also known as Two-Step Verification, or 2FA) is an additional layer of security you can add to your WordPress login page. With 2FA it is virtually impossible for attackers to log in to your WordPress, even if they guess your user’s password. Two-factor authentication also helps mitigate WordPress brute force attacks.

Read our article An Introduction to Two-Factor Authentication in WordPress for a detailed explanation of what it is and how it works. WordPress does not have 2FA by default, so you need a plugin to enable it. Below is a compilation of some of the best Two-Factor Authentication WordPress plugins currently available. At the end of the article I also explain why some of the popular 2FA plugins were not included in this compilation.

Google Authenticator

Google Authenticator is the first Two-Factor Authentication WordPress plugin I have used. It is available for free and is the simplest and easiest plugin to set up. It is also the most basic one. Setting up 2FA for your WordPress could not be easier: once you install the plugin, visit your profile page, enable the Google Authenticator Settings and scan the QR code with the Google Authenticator app on your smartphone.

Configuring the Google Authenticator plugin

That’s it, you are all set up. The next time you log in to your WordPress you will be asked for a username, password and the code from the Google Authenticator app.

A WordPress login with two-factor authentication configured

Being the simplest plugin also means it has a few shortcomings:

  1. The users for whom 2FA is not enabled still have the Google Authenticator input field on the login prompt, which can be confusing. You can use the plugin Google Authenticator – Per User Prompt to disable the prompt.
  2. There is no global option to enable and enforce 2FA for all WordPress users. As an administrator you have to enable it for every user individually.
  3. It does not support backup codes, so if you lose your phone the only way to log back in to your WordPress is to delete the plugin via FTP or SSH.


Two-Factor

Two-Factor is also a free plugin and is very easy to set up. Once installed, navigate to your WordPress user profile page to set up 2FA. You can configure any of the following 2FA methods:

  • Email (authentication codes are sent via email)
  • Time Based One-Time Password (codes are generated via the Google Authenticator app)
  • Universal 2nd Factor (requiring a third party device)

Configuring WordPress 2FA with Two-Factor plugin

Similar to the Google Authenticator plugin, Two-Factor does not have a global setting to enforce 2FA for all users; 2FA has to be enabled for every user individually. The good thing about the Two-Factor WordPress plugin is that it supports backup codes, so if for some reason you cannot generate the second factor to log in to your WordPress, you can use one of the backup codes.

WordPress 2-Step Verification

WordPress 2-Step Verification is an improvement on both of the plugins mentioned above. It is also free and very easy to set up; once installed, navigate to your WordPress user profile page and configure the Two-Factor Authentication settings. It supports:

  • Time Based One-Time Password (codes are generated via the Google Authenticator app)
  • Email (authentication codes are sent via email)

Configuring the WordPress 2-Step Verification plugin

The WordPress 2-Step Verification plugin also supports backup codes, so if for some reason you cannot provide the second factor you can use them to log in. The other useful features that this plugin has are Trust this Computer and App passwords.

You can use the Trust this Computer option if you always log in from the same computer; you won’t be asked for the one-time code during login for 30 days.

The App passwords can be used to generate a permanent password for applications that connect to your WordPress and cannot prompt for the one-time security code during the login process. So if you have an app on your phone that connects to your WordPress you can still use it. App passwords are long, randomly generated passwords that you only have to provide once. They can also be revoked.
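
Backup codes and app passwords both bypass the one-time code, so how they are stored and retired matters. The sketch below is an added example, not the plugin's code or part of the original article: the `RecoveryStore` class and its method names are hypothetical, and it shows secrets returned once, kept only as salted hashes, backup codes consumed on first use and app passwords revoked by label.

```python
import hashlib
import hmac
import secrets

def _digest(secret: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked table does not hand out usable secrets.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def _store(secret: str):
    salt = secrets.token_bytes(16)
    return salt, _digest(secret, salt)

class RecoveryStore:
    """Hypothetical in-memory store; a real site would keep this in user meta."""

    def __init__(self):
        self.backup = {}  # user -> list of (salt, digest) for unused backup codes
        self.app = {}     # user -> {label: (salt, digest)}

    def issue_backup_codes(self, user, count=5):
        codes = set()
        while len(codes) < count:
            codes.add(f"{secrets.randbelow(10**8):08d}")
        self.backup[user] = [_store(c) for c in codes]  # replaces any old set
        return sorted(codes)  # plaintext is shown to the user once, never kept

    def redeem_backup_code(self, user, code):
        entries = self.backup.get(user, [])
        for i, (salt, digest) in enumerate(entries):
            if hmac.compare_digest(digest, _digest(code, salt)):
                del entries[i]  # single use: a redeemed code stops working
                return True
        return False

    def issue_app_password(self, user, label):
        password = secrets.token_urlsafe(24)  # long and random, not user-chosen
        self.app.setdefault(user, {})[label] = _store(password)
        return password

    def check_app_password(self, user, password):
        return any(hmac.compare_digest(d, _digest(password, s))
                   for s, d in self.app.get(user, {}).values())

    def revoke_app_password(self, user, label):
        # Revoking one label leaves the user's other app passwords intact.
        return self.app.get(user, {}).pop(label, None) is not None
```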

The only shortcoming the WordPress 2-Step Verification plugin has is that every WordPress user has to enable 2FA, and as an administrator you cannot enforce it.

Unloq Two Factor Authentication

The Unloq Two Factor Authentication plugin is probably the neatest free 2FA plugin I have seen. The only limitation it has is that you have to install Unloq’s own smartphone app to get started, though this should not stop you from using the Unloq plugin.

Getting started is really easy; install the plugin and activate your Unloq account by simply specifying your email address. Once you confirm the one-time code which you receive via email, you can specify which of the Two-Factor Authentication methods should be enabled:

Configuring 2FA on WordPress with Unloq

You can also send an invitation to all of your WordPress users from one central location:

Configuring 2FA for all your WordPress users

Once users receive the invite, they have to scan the QR code with the Unloq smartphone app to get started. That’s it. What I really like in this WordPress plugin is that:

  1. It supports Push Notifications, so instead of having to enter a one-time code each time you want to log in to WordPress you are asked to approve the login from the smartphone app.
  2. It supports both OTP and email as a second factor for authentication.
  3. You have a central location from where you can manage all the users.
  4. You can use the same login / setup for multiple WordPress websites that you manage.

Other Popular Two-Factor Authentication Plugins

There are a few other popular Two-Factor Authentication plugins you can use for WordPress, such as:

  • Rublon
  • Google Authenticator – Two Factor Authentication (2FA) by MiniOrange

However, the above have a number of limitations that make the free edition almost useless. For example Rublon, which we reviewed a few years back, has limited its free version to only one user. The free version of Google Authenticator by MiniOrange is limited to one user as well, and also limits the number of one-time passwords.

Which 2FA WordPress Plugin Should You Use?

With so many different options, which Two-Factor Authentication WordPress plugin should you use?

All the above mentioned WordPress plugins are good, and all of them help you improve the security of your WordPress login page. The differences between all of them are the features, the different types of second factor they support, different ways of setting them up, different interfaces etc. So it all depends on what you really need.

Have you used any of the above mentioned WordPress plugins? Do you have something to add to the above review? Leave a comment below and let us know which Two-Factor Authentication WordPress plugin you are using and why you are using it.

The post Best Two-Factor Authentication Plugins for WordPress appeared first on WP White Security.

*** This is a Security Bloggers Network syndicated blog from WP White Security authored by Robert Abela. Read the original post at: