Does WordPress have built-in 2FA?

No. WordPress does not include two-factor authentication by default. You need to install a plugin to add 2FA. The most widely used options are WP 2FA, Google Authenticator (miniOrange), Two Factor Authentication (David Nutbourne), and Wordfence Security.

Which WordPress 2FA plugin is best?

WP 2FA by Melapress is the most user-friendly option with a setup wizard and support for multiple methods. Wordfence includes 2FA as part of a broader security suite. For simple TOTP-only 2FA with minimal bloat, the Two Factor plugin by WordPress.org contributors is an excellent lightweight choice.

Can I require 2FA for all WordPress users?

Yes. Most 2FA plugins include a policy setting that makes 2FA mandatory for specific roles (administrators, editors, etc.) or all users. Users who have not set up 2FA can be given a grace period before being locked out.

Does WordPress.com support 2FA?

Yes. WordPress.com (the hosted platform) has built-in two-step authentication. Go to your WordPress.com account settings, click Security, and enable Two-Step Authentication. This is separate from self-hosted WordPress.org sites.

How to Enable 2FA on WordPress

WordPress powers over 40% of all websites, making it the single most targeted platform for brute-force login attacks. Your wp-admin login page is constantly being probed by automated bots testing common passwords. Two-factor authentication stops these attacks completely — even if an attacker somehow obtains your password, they cannot access your site without the second factor.

WordPress.com vs Self-Hosted WordPress.org

There are two different WordPress products, and they handle 2FA differently. WordPress.com is the hosted platform — it has built-in two-step authentication in account settings and no plugin is required. WordPress.org is the self-hosted software that most sites run — it requires a plugin to add 2FA because the feature is not built in. This guide covers both.

Enabling 2FA on WordPress.com

Sign in to WordPress.com and click your avatar.
Go to Account Settings → Security → Two-Step Authentication.
Click Get Started and choose your method: authenticator app, SMS, or security key.
For authenticator app: scan the QR code, enter the confirmation code.
Save the backup codes provided.

Adding 2FA to Self-Hosted WordPress (Plugin)

The recommended plugin is WP 2FA by Melapress (free on WordPress.org). It has over 60,000 active installations and a setup wizard that makes configuration straightforward.

In your WordPress dashboard, go to Plugins → Add New.
Search for WP 2FA and click Install, then Activate.
The setup wizard launches automatically. Follow the steps to configure your 2FA policy.
Choose which user roles require 2FA (recommended: at minimum, Administrator).
Select the allowed 2FA methods — TOTP authenticator app is the most secure option.
Each user who needs 2FA will be prompted to set it up on their next login.

Also consider: The Two Factor plugin maintained by WordPress core contributors is a lightweight alternative with no upsells. For sites that already use Wordfence for security scanning, Wordfence's built-in 2FA is convenient as it requires only one plugin.

Setting Up Your Authenticator App

Once the plugin is active and you begin the 2FA setup as a user, you will see a QR code. Open your authenticator app (Google Authenticator, Authy, 1Password, Bitwarden, or any TOTP-compatible app), add a new account, scan the QR code, and enter the 6-digit confirmation code. From that point forward, logging into wp-admin requires both your password and the current code from your app.

Enforcing 2FA for All Users

In WP 2FA's settings, you can make 2FA mandatory for specific roles. Under WP 2FA → Policies, set "Enforce 2FA" for Administrators and Editors at minimum. You can set a grace period (e.g. 3 days) to allow existing users time to set up 2FA before they are locked out. New users will be prompted to configure 2FA on first login.

Protecting wp-admin Beyond 2FA

2FA is the most impactful single change, but combining it with a few additional measures significantly hardens your WordPress login. Consider renaming the login URL from the default /wp-login.php using a plugin like WPS Hide Login — this eliminates the majority of automated bot attacks before they even reach the login form. Limit login attempts using a plugin like Limit Login Attempts Reloaded. And keep WordPress core, plugins, and themes updated — many WordPress compromises exploit vulnerabilities in outdated software, not just weak passwords.

Recovery If You Are Locked Out

If you lose access to your 2FA device, use your backup codes — these should have been saved during setup. If you have no backup codes, an administrator can disable 2FA for your account from the WordPress dashboard under WP 2FA settings. If you are the only administrator and cannot log in, you can deactivate the 2FA plugin by renaming its folder via FTP or cPanel's file manager, which disables it and lets you log in normally. Once in, re-enrol 2FA from scratch and save your backup codes this time.

How to Enable 2FA on WordPress

WordPress.com vs Self-Hosted WordPress.org

Enabling 2FA on WordPress.com

Adding 2FA to Self-Hosted WordPress (Plugin)

Setting Up Your Authenticator App

Enforcing 2FA for All Users

Protecting wp-admin Beyond 2FA

Recovery If You Are Locked Out

Related Articles

2FA for Business

Is SMS 2FA Safe?

Best Authenticator Apps

Related Articles

Security
2FA for Business
Read →

Security
Is SMS 2FA Safe?
Read →

Guide
Best Authenticator Apps
Read →