5 Best Two-Factor Authentication (2FA) Plugins for WordPress
Want to ensure the complete security of your WordPress website? Setting up a two-factor authentication (2FA) plugin is a step in the right direction.
With 2FA in place, you can rest assured that only authorized users will access your WordPress admin. Typically, this type of security measure is used to mitigate brute-force attacks on the WordPress login page.
Since WordPress does not offer two-factor authentication, you need a third-party plugin to enable it. In this article, we have covered the five most popular 2FA plugins that you can set up right away to protect your website from hackers and bots. Let’s dive in.
5 Best WordPress Two-Factor Authentication Plugins
The most popular WordPress 2FA plugins are:
- ProfilePress 2-Factor Authentication
- WP 2FA
- Rublon Two-Factor Authentication
- Duo Two-Factor Authentication
- Google Authenticator
Let’s take a detailed look at each of the plugins.
1. ProfilePress 2-Factor Authentication
ProfilePress is an excellent WordPress membership and user management plugin that offers a two-factor authentication security feature. With this plugin, you can implement 2FA both for administrators managing websites and for users such as subscribers and contributors. We recommend using this plugin if you are running a membership site or any website with a lot of users.
Would you rather let your WordPress users log in without a password, via a one-time URL that is sent to their email address and expires after a short while? The passwordless login feature is just perfect.
Let’s look at the main features of the plugin. When you start setting it up, it’s easy to notice that the developers have gone the extra mile to make the plugin very easy to use.
ProfilePress supports a single authentication method: TOTP (Time-based One-Time Password). Still, you can choose from several authenticator applications, such as Google Authenticator, Authy, Microsoft Authenticator, Okta Verify, Duo Security, 1Password, and LastPass.
In case you accidentally delete the authenticator application, ProfilePress offers 2FA backup codes or recovery codes that you can use to access your WordPress admin. If users are locked out and can’t access their accounts, administrators can disable 2FA from the WordPress admin dashboard.
If you want to create a custom dedicated login page for users, simply create a new page and use this shortcode: [profilepress-2fa-setup], and the 2FA will appear.
ProfilePress is a premium plugin, and you can get the plugin from here.
NOTE: We have covered a step-by-step guide on how to set up ProfilePress at the end of the article. Please jump to that section to learn how to use the plugin.
2. WP 2FA
WP 2FA is built by Melapress (formerly WP White Security), a company known for developing powerful security and admin plugins.
WP 2FA supports multiple authentication protocols, such as HOTP (HMAC-based One-Time Password) and TOTP (Time-based One-Time Password). As a site admin, you can configure which 2FA methods users must use. Admins can also make two-factor authentication mandatory for all users, who then get a notification on their WordPress dashboard or an email asking them to configure 2FA on their account.
You can force users to configure 2FA instantly or set a grace period. If users don’t set up two-factor authentication within the grace period, they are locked out of the website. Administrators would have to unlock the users manually.
WP 2FA supports multiple 2FA apps like Google Authenticator, Authy, and FreeOTP, to name a few.
There is a free version and a pro version of the plugin. The pro version offers white labeling, more backup methods, reports, etc.
3. Rublon Two-Factor Authentication
A traditional two-factor authentication plugin requires users to enter a one-time password each time they log in to the WordPress admin. But with Rublon, you can authenticate by clicking on a link sent to your email or by scanning the code on your login page.
Rublon Two-Factor Authentication works out of the box and requires no configuration.
That said, if you want the plugin to work like any other 2FA plugin, it can. Just install the plugin, download and activate the Rublon app on your smartphone, and verify the authentication request by scanning the QR code generated on your website.
The free version is available for one user. To add authentication to more users’ accounts, you must buy the premium plan, which starts at $30 per month.
4. Duo Two-Factor Authentication
Duo Two-Factor Authentication is the only plugin that offers a wide range of authentication methods: push notifications, one-time passcodes generated by the Duo app or by OATH-compliant hardware, one-time passcodes sent as SMS messages, and passcodes sent via phone calls.
The downside of using this plugin is that it has a slightly complex setup process. First, you need to sign up for the service on their website and then connect the service with your site using an integration key, secret key, and API hostname. Get the keys and verify them by following this help doc.
When the plugin is set up, you can select the user roles for which you want to enable two-factor authentication.
The free version of the plugin offers authentication to only 10 users. If you want to use the plugin for more users, you will need to pay $3 per user per month. Check out the pricing comparison here.
5. Google Authenticator
Google Authenticator is the most basic two-factor authentication plugin we have used. You need the Google Authenticator app to use this plugin. It supports the standard authentication methods, i.e., TOTP and HOTP.
The two-factor authentication can be enabled on a per-user basis, and each user will have their own settings.
It’s one of the few 2FA plugins that can be used even if you don’t have a smartphone. You can generate secret codes using this web-based application – https://gauth.apps.gbraad.nl
It has no backup code, but there is a way to gain access to your site even when you have accidentally deleted the Google Authenticator app from your smartphone. Simply install this premium app called Authenticator Plus. It can use your SD card to restore existing Google Authenticator settings.
The plugin is free of cost, and you can get it from here.
How to Set Up a Two-Factor Authentication Plugin
Setting up any of the 2FA plugins we have covered previously is super easy. In this section, we are walking you through the process of setting up the ProfilePress 2-Factor Authentication plugin. Here we go:
Step 1: Activating Two-Factor Authentication
Install the ProfilePress plugin, and then to activate the two-factor authentication, go to ProfilePress > Addons > Two-Factor Authentication (2FA) and toggle the activation switch on.
Step 2: Setting Up ProfilePress Two-Factor Authentication
Go to Settings > Two-Factor Authentication. Here, you can add user roles for whom you want to activate two-factor authentication. The instructions are easy to follow. So we suggest taking a few moments to set up this page.
Step 3: Setting Up Two-Factor Authentication on Your Account
Download and install any one of the following 2FA applications on your smartphone: Google Authenticator, Authy, Microsoft Authenticator, Okta Verify, Duo Security, 1Password, and LastPass.
Then go to ProfilePress > Account Settings. Open the 2FA app and either scan the QR code on the Account Settings page or enter the activation code manually.
Two-factor can also be set up from the default profile page in the WordPress dashboard.
And that’s it. You now have two-factor authentication activated on your WordPress website.
Add a Two-Factor Authentication Plugin to WordPress Today
Two-factor authentication only adds a layer of security to your login page to further harden the overall security of your WordPress website. It does not offer complete security. To secure your website completely, you need to add additional security, such as reCAPTCHA and a firewall. Also, consider backing up your website regularly so that when things go wrong, you can get your website up and running in no time.
That’s it for this one, folks! We hope you found our guide helpful in choosing a Two-Factor authentication plugin for your WordPress website.