Over the years, the need for increased security has become more apparent. The internet has become a place where personal information is shared and stored. This makes it vulnerable to hackers and other malicious users who want to gain access to your data.

We’ll look at what 2FA is, how it can be implemented in WordPress and make the onboarding process for your users as seamless as possible.

What is two-factor authentication (2FA)?

Two-factor authentication (2FA) adds an extra security layer to online accounts. Without this extra layer of protection, your account is vulnerable even if you use a strong password.

2FA is a method of confirming your identity by requiring a second form of identification after entering your username and password. This means even if someone gets your password, they still need more information before being able to successfully log in.

It should not be considered a substitute for strong passwords. Rather, it’s an additional layer of security by requiring something you have in addition to your username and password.

The downside is that it adds an extra step to the login process. It may be confusing if you’re not used to it and it can be frustrating for many people, who see this additional step as inconvenient or an unnecessary addition.

Many online services offer 2FA as an opt-in feature, which means that many users do not activate it. Knowing the benefits it can provide, what steps can we take to make 2FA more accessible and easier to use?

Methods for generating one-time passwords

Time-based one-time passwords (TOTP)

2FA is often associated with TOTP, the short-lived numeric codes that change every 30 seconds, and must be reentered when expired.

When you enable TOTP on an account, a secret key is created which is used to generate the one-time passwords. You can use an authenticator app or a physical token. The onboarding process usually involves scanning a QR code—saving you from having to type out your secret key. Popular authenticator apps include Google Authenticator and Authy. Password managers like 1Password can also store your secret key and generate one-time passwords for you when needed.

To prevent locking yourself out, a series of backup codes are usually issued. The backup codes can be used in case you lose access to your authenticator app or physical token.

If you’re starting to switch off—I don’t blame you! It’s too much for some professionals to handle, let alone the average person. For the technically inclined, this all becomes second nature. You get used to logging in by entering a username and password, followed by a one-time password.

Implementing 2FA across an organisation can be a challenging and time-consuming process. Documentation, training and even handholding for people who need it. Some may be uncomfortable using their personal smartphones for work purposes. Which authenticator app is best? What happens if you loose access to the phone? How do you transfer the secret keys to a new device? Where should the backup codes be stored?

Email/SMS codes

Another way to set up 2FA is by using email or SMS text message codes. They are easy to understand, implement and use.

After you enter your username and password, a code is sent to your email or mobile phone. You then enter this code, which is valid for a short period of time.

If your email account or phone number is compromised, an attacker might be able to get hold of your 2FA codes. But while the codes are not foolproof, they are still more secure than passwords alone.

Two-Factor WordPress plugin

The Two-Factor WordPress plugin adds 2FA to WordPress. It is built as a standalone feature plugin which may be merged into WordPress core in the future, but for now lives as its own plugin.

The plugin is open source, built and maintained by a team of volunteers including core contributors and members of the WordPress Security Team.

The plugin is available from the WordPress.org plugin repository. It supports several types of 2FA including TOTP and email codes.

Handy code snippet which enables email-based 2FA for all administrator users

With Two-Factor, 2FA is not enabled by default; it relies on users going through the initial setup process and the assumption that they will choose to keep 2FA enabled. When new users are created, 2FA must be made part of the onboarding process or the benefit of 2FA will be lost.

This snippet checks whether any methods have been enabled by the user, and—if not—enables email-based 2FA. This provides a good level of protection without requiring any action on the part of the user.

The code currently runs for administrators and editors, roles that have elevated permissions. However, it can be adjusted to include other user roles as well.

We’ve developed this further at Kanuka Digital. We rolled out the snippet to our clients’ sites via an mu-plugin. With a few modifications for our workflow across environments—local, staging and production.

We run MailHog on our local and staging environments—a tool that stops us from sending outbound emails by mistake. We’ve disabled email-based 2FA on our local and staging environments to make the lives of our developers easier. It saves time by eliminating the need to check MailHog for 2FA tokens.


Whether you’re a small business owner, large corporation, or simply someone concerned about online security, protecting your data has become increasingly important.

2FA is an important step in securing your online accounts, and it’s one that you should be taking if you haven’t already. Adding 2FA to all of your online accounts is a good way to stay safe online and keep hackers out.

As a WordPress developer, the Two-Factor plugin is an excellent way to add 2FA security to your WordPress site and make it more secure. Enabling email-based 2FA by default for users with elevated permissions is relatively simple, without introducing the complexity of TOTP management to your end-users.

I hope this article has given you a better idea of how to set up 2FA for your WordPress site. If you have any questions, feel free to get in touch.