The WordPress admin login page is the most attacked URL on any WordPress site. Credential stuffing bots run through millions of username and password combinations automatically, and a single successful login gives an attacker full admin access to your site. Two-factor authentication (2FA) stops this attack category almost entirely: even if a bot guesses your password correctly, it cannot complete login without the second factor.
Setting up 2FA on WordPress takes about five minutes and is one of the highest-value security measures available. Here is how to do it.
How Two-Factor Authentication Works
Standard login requires something you know: your password. Two-factor authentication adds a second requirement: something you have, typically your phone. After entering your password, you are prompted to enter a time-based one-time code generated by an authenticator app on your phone. The code changes every 30 seconds and is only valid once.
Even if an attacker has your password, they cannot log in without access to your phone. Credential stuffing bots operate at scale and cannot interact with a 2FA prompt, so they move on. This single measure eliminates the most common WordPress admin takeover vector.
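The mechanism described above is RFC 6238 TOTP. The following Python is an added example, not code from the article or from any of the plugins it names: it generates the six-digit code from a shared secret and the current 30-second window, and it shows the two server-side checks that make the code "only valid once" and tolerant of small clock drift. The function and class names (hotp, totp, TotpVerifier) are my own; the 20-byte secret is the test secret published in RFC 4226 and RFC 6238, so the values can be checked against those documents.

```python
import hmac
import hashlib
import struct

# Added example (not from the article): minimal RFC 6238 TOTP generation and
# verification. Shows that the code rotates every 30 seconds and that a verifier
# can refuse to accept the same code a second time.

STEP_SECONDS = 30   # time step used by Google Authenticator, Authy, 1Password
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time window."""
    return hotp(secret, unix_time // step)

class TotpVerifier:
    """Server-side check. Accepts the current window plus `drift_steps` windows either
    side (phone and server clocks are rarely in perfect sync) and remembers accepted
    (counter, code) pairs so a code that was captured in transit cannot be replayed."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.used = set()   # (counter, code) pairs that have already logged someone in

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            expected = hotp(self.secret, counter)
            # constant-time comparison so timing does not reveal how many digits matched
            if hmac.compare_digest(expected, code):
                if (counter, code) in self.used:
                    return False      # replay: this code was already consumed
                self.used.add((counter, code))
                return True
        return False

if __name__ == "__main__":
    # Test secret from RFC 4226 / RFC 6238 (never use a fixed secret in production).
    secret = b"12345678901234567890"
    print("code at t=59:", totp(secret, 59))          # 287082, per RFC 6238 Appendix B
    v = TotpVerifier(secret)
    print("first use:", v.verify(totp(secret, 59), 59))   # True
    print("replay:   ", v.verify(totp(secret, 59), 59))   # False
```

The `used` set is the part plugins tend to get wrong: without it, a code that is phished or shoulder-surfed remains valid for the rest of its 30-second window (plus drift), which is exactly the replay that "only valid once" is meant to rule out. In a real deployment the set would live in persistent storage keyed by user, and old counters would be pruned.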
Choosing a 2FA Plugin for WordPress
Several plugins handle 2FA on WordPress. The most reliable options are:
WP 2FA is one of the most complete dedicated 2FA plugins. It supports TOTP authenticator apps (Google Authenticator, Authy, 1Password), email codes as a fallback, and includes a setup wizard that can prompt users to configure 2FA when they next log in. It is compatible with WP Engine.
Two Factor is the official WordPress.org plugin from the WordPress security team, maintained by contributors including Automattic and Google engineers. It is lightweight, well-audited, and supports TOTP, email codes, and backup codes. A good choice if you want minimal overhead.
Wordfence includes 2FA as part of its broader security toolkit. If you are already using Wordfence for firewall and scanning, using its built-in 2FA avoids adding another plugin. Note that Wordfence on WP Engine should be configured carefully to avoid conflicts with WP Engine’s own firewall layer.
WP Engine 2FA. WP Engine provides two-factor authentication for the WP Engine dashboard itself (your hosting account), separate from WordPress admin 2FA. Both should be enabled independently.
How to Set Up 2FA on WordPress with WP 2FA
Step 1: Install and activate the WP 2FA plugin from the WordPress repository (Plugins, Add New, search WP 2FA).
Step 2: The setup wizard launches on activation. Choose TOTP (authenticator app) as the primary method. Choose email codes as a backup method for when your phone is unavailable.
Step 3: Configure the policy. Set 2FA as required for all administrator accounts at minimum. You can make it optional for other roles or require it for editors and authors depending on your site’s user base.
Step 4: On your phone, install an authenticator app if you do not have one. Google Authenticator, Authy, and 1Password all work. Scan the QR code shown in the WP 2FA setup screen to link your WordPress account to the app.
Step 5: Enter the six-digit code from your authenticator app to confirm setup. Generate and save backup codes in a secure location (a password manager) in case you lose access to your phone.
Step 6: Test the login flow from a private browsing window before ending your current session. Confirm the 2FA prompt appears and the code from your authenticator app logs you in correctly.
Additional Login Security Measures Worth Adding
Two-factor authentication is the most impactful single measure, but it works best alongside a few complementary protections.
Limit login attempts. A plugin like Limit Login Attempts Reloaded blocks an IP address after a defined number of failed login attempts, slowing down brute-force attacks even before they reach a 2FA prompt.
Change the login URL. Moving your login page from the default /wp-login.php to a custom URL with a plugin like WPS Hide Login means bots scanning for the standard login path never find the form. This is security through obscurity rather than a primary protection, but it reduces automated noise against your login page substantially.
Disable XML-RPC. WordPress’s XML-RPC endpoint can be used to attempt logins programmatically, bypassing the login page entirely. If you do not use XML-RPC for mobile apps or third-party integrations, disabling it removes another attack surface. For the broader security picture, see WordPress Security in 2026.
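To make the "limit login attempts" rule and the XML-RPC point concrete, here is an added Python example (my own code, not the article's and not from Limit Login Attempts Reloaded) that runs the same sliding-window logic over a handful of web-server access-log lines. The log lines, IP addresses (documentation ranges) and timestamps are constructed for the example. It assumes stock WordPress behaviour: a failed POST to /wp-login.php is answered with 200 (the form is re-rendered with an error) while a successful one redirects with 302, and a login attempt sent to /xmlrpc.php is answered 200 whether or not it succeeds, so every POST to that endpoint is counted.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example (not from the article): count failed login attempts per source IP
# inside a sliding window, the way a limit-login-attempts plugin does, and report
# the IPs that reach the threshold. All log data below is constructed.

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2026:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4821
203.0.113.7 - - [01/Mar/2026:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4821
203.0.113.7 - - [01/Mar/2026:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4821
203.0.113.7 - - [01/Mar/2026:09:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4821
203.0.113.7 - - [01/Mar/2026:09:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4821
198.51.100.4 - - [01/Mar/2026:09:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4821
198.51.100.4 - - [01/Mar/2026:09:00:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [01/Mar/2026:09:00:26 +0000] "GET /wp-admin/ HTTP/1.1" 200 31200
192.0.2.9 - - [01/Mar/2026:09:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.9 - - [01/Mar/2026:09:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.9 - - [01/Mar/2026:09:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.9 - - [01/Mar/2026:09:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.9 - - [01/Mar/2026:09:01:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.7 - - [01/Mar/2026:09:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4821
"""

def parse_line(line):
    """Split one combined-log-format line into (ip, timestamp, method, path, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)

def is_failed_login(method, path, status):
    # Assumption (stock WordPress): a failed form login returns 200, a successful
    # one 302. XML-RPC answers 200 either way, so every POST there is counted.
    if method != "POST" or path not in LOGIN_PATHS:
        return False
    return path == "/xmlrpc.php" or status != 302

def find_lockouts(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: failures_in_window} for each IP that reaches max_failures
    within `window`; a plugin would block the IP at this point."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    locked = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, method, path, status = parsed
        if not is_failed_login(method, path, status):
            continue
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()           # failures older than the window no longer count
        if len(q) >= max_failures and ip not in locked:
            locked[ip] = len(q)
    return locked

if __name__ == "__main__":
    for ip, n in find_lockouts(SAMPLE_LOG).items():
        print(f"lock {ip}: {n} failed login attempts within 10 minutes")
```

Two things the sample shows: the legitimate user at 198.51.100.4 is never counted because only the failed POST pattern is tallied, and the burst against /xmlrpc.php is caught even though it never touches the login page, which is why the article treats XML-RPC as a separate attack surface to close.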
Frequently Asked Questions
What happens if I lose access to my authenticator app?
When setting up 2FA, generate backup codes and store them in a password manager or secure location. Each backup code works once. If you lose your phone and have no backup codes, you will need to access your site via SFTP or SSH to deactivate the 2FA plugin directly in the WordPress plugins directory, or contact your host’s support team for assistance.
Should I require 2FA for all WordPress users?
At minimum, require 2FA for all administrator accounts. For multi-author sites, requiring it for editors is also good practice, since a compromised editor account can publish content and could be used to inject malicious material. For subscriber-level users on membership sites, 2FA is worth considering but less critical, since subscribers have limited site access.
Does WP Engine have its own 2FA?
Yes. WP Engine offers 2FA for your WP Engine dashboard account login, separate from WordPress admin 2FA. Both should be enabled. The WP Engine dashboard 2FA protects your hosting account (billing, environments, settings). WordPress admin 2FA protects access to your WordPress installation. They are independent and both necessary.
Does 2FA slow down the WordPress login process?
Minimally. Adding a 2FA code after your password adds about 10 seconds to the login flow. For the security benefit it provides against credential attacks, this is not a meaningful trade-off for most site owners and administrators.