Secure WordPress login with this two factor authentication (TFA) plugin. Users for whom it is enabled will require a one-time code in order to log in. From the authors of UpdraftPlus – WP’s #1 backup/restore plugin, with over a million active installs.
Are you completely new to TFA? If so, please see our FAQ.
Features (please see the “Screenshots” for more information):
- Supports standard TOTP + HOTP protocols (and so supports Google Authenticator, Authy, and many others).
- Displays graphical QR codes for easy scanning into apps on your phone/tablet
- TFA can be made available on a per-role basis (e.g. available for admins, but not for subscribers)
- TFA can be turned on or off by each user
- TFA can be required for specified user levels, after a defined time period (e.g. require all admins to have TFA, once their accounts are a week old) (Premium version)
- Supports front-end editing of settings, via [twofactor_user_settings] shortcode (i.e. users don’t need access to the WP dashboard). (The Premium version allows custom designing of any layout you wish).
- Works together with “Theme My Login” (https://wordpress.org/plugins/theme-my-login/) (both forms and widgets)
- Includes support for the WooCommerce and Affiliates-WP login forms
- Does not mention or request second factor until the user has been identified as one with TFA enabled (i.e. nothing is shown to users who do not have it enabled)
- WP Multisite compatible (plugin should be network activated)
- Simplified user interface and code base for ease of use and performance
- Added a number of extra security checks to the original forked code
- Emergency codes for when you lose your phone/tablet (Premium version)
- Administrators can access other users’ codes, and turn them on/off when needed (Premium version)
Read this! http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
How Does It Work?
This plugin uses the industry standard algorithm TOTP or HOTP for creating One Time Passwords. These are used by Google Authenticator, Authy, and many other OTP applications that you can deploy on your phone etc.
A TOTP code is valid for a certain time. Whatever program you use (i.e. Google Authenticator, etc.) will show a different code every so often.
This plugin began life as a friendly fork and enhancement of Oskar Hane’s https://wordpress.org/plugins/two-factor-auth/
This plugin requires PHP version 5.3 or higher and support for PHP mcrypt. The vast majority of PHP setups will have these. If not, ask your hosting company.
- Search for ‘Two Factor Authentication’ in the ‘Plugins’ menu in WordPress.
- Click the ‘Install’ button. (Make sure you pick the right one.)
- Activate the plugin through the ‘Plugins’ menu in WordPress.
- Find site-wide settings in Settings -> Two Factor Authentication; find your own user settings in the top-level menu entry “Two Factor Auth”.
If you want to add a section to the front-end of your site where users can configure their two-factor authentication settings, use this shortcode: [twofactor_user_settings]
- What is two factor authentication?
Basically, it’s to do with securing your logins, so that there’s more than one link in the chain needing to be broken before an unwanted intruder can get in your website.
By default, your WordPress accounts are protected by only one thing: your password. If that’s broken, then everything’s wide open.
“Two factor” means adding a second requirement. Usually, this is a code that comes to a device you own (e.g. phone, tablet) – so, someone can’t get into your website without getting hold of your device. You can get a longer answer from Wikipedia.
Sometimes it is also called multi-factor authentication instead of two-factor – because someone could secure their systems with as many factors as they like.
- Why should I care?
Read this: http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
- How does two factor authentication work?
Since “two factor authentication” just means “a second something is necessary to get in”, this answer depends upon the particular set-up. In the most common case, a numeric code is shown on your phone, tablet or other device. This code can be sent via SMS, but that then depends on the mobile phone network working. This plugin does not use that method. Instead, it uses a standard mathematical algorithm to generate codes that are either valid only once each, or valid for only 30 seconds (depending on which algorithm you choose). Your phone or tablet can know the code after it has been set up once (often, by just scanning a bar-code off the screen).
- What do I need to set up on my phone/tablet (etc.) in order to generate the codes?
This depends on your particular make of phone, and your preferences. Google have produced a popular app called “Google Authenticator”, which is a preferred option for many people because it is easy to use and can be set up via just scanning a bar code off your screen – follow this link, and ignore the first paragraph that is talking about 2FA on your Google account (rather than being relevant to this plugin).
- What if I do not have a phone or tablet?
Many and various devices and programs can generate the codes. One option is an add-on for your web browser; for example, here are some apps and add-ons for Google Chrome. Wikipedia lists various programs for different computers.
- I lost my device that has pass-codes – or, they don’t work. What to do?
If your pass-code used to work, but no longer does, then check that the time on your device that generates them is accurate.
If you cannot get in and need to disable two-factor authentication, then add this line to your wp-config.php file, using FTP or the file manager in your hosting control panel: define('TWO_FACTOR_DISABLE', true);
Add it next to where any other line beginning with “define” is.
Alternatively, if you have FTP or cPanel access to your web hosting space, you can de-activate the plugin; see this article: https://updraftplus.com/understanding-wordpress-installs-plugins/
- What are HOTP and TOTP?
These are the names of the two mathematical algorithms that are used to create the special codes. These are industry-standard algorithms, devised by expert cryptographers. HOTP is less popular, but the device that generates the codes does not need to know the correct time (instead, the codes are generated in a precise sequence). TOTP is much more popular, and generates codes that are only valid for 30 seconds (and so your device needs to know the time). I’d recommend TOTP, as HOTP can be annoying if something causes the sequences to get out of sync.
- What is the shortcode to use for front-end settings?
Use [twofactor_user_settings], as described in the installation instructions above.
This plugin is a godsend. High level of functionality, yet simple to set up. A big thank you to the devs for all the hard work! 🙂
This 2FA plugin is the best one I have used; thanks to the developers for their great work.
This extension is simply easy to install and configure, and then to use.
I install it systematically on important sites.
And to thank the creator of the extension, I am taking care of its French translation 😉
Works just fine, adds about a thousand per cent of security to your site.
Thank you for making this available to us :o)
If you don’t pay for a premium version, you can’t even enable an option to require 2 factor authentication for all users. In other words, each user needs to enable 2FA manually for his account. What crap.
Very well made plugin. Register for recovery codes. Free version has good, basic features. Great job. The only things I miss are a) for the admin to manage users’ 2FA without logging into the user account, and b) to be able to set a secret manually, so users may share/use the same one across several sites.
Contributors & Developers
“Two Factor Authentication” is open source software. The following people have contributed to this plugin.
“Two Factor Authentication” has been translated into these 5 locales: French, Russian, Chinese (Taiwan), English (Australia), English (New Zealand). Thank you to the translators for their contributions.
1.2.21 – 22/Feb/2017
- TWEAK: Update jquery-qrcode library to latest release (0.14.0)
- TWEAK: Explicitly encode spaces in WordPress usernames (apparently resolves a problem with a particular iPhone app)
1.2.20 – 17/Feb/2017
- TWEAK: Work around a bug seen with strlen() on one particular PHP install
- FIX: The line purporting to show the current UTC time was in fact taking your WordPress timezone into account. It has now been adjusted to show both to avoid ambiguity.
- FIX: 1.2.18 used a PHP 5.4+ only function, whereas we support PHP 5.3+
1.2.17 – 09/Feb/2017
- FIX: Fix support for login widgets from Theme My Login
1.2.16 – 30/Jan/2016
- FIX: Fix issue whereby if you were already logged in and managed to visit a login form, you would not be asked for a TFA code
1.2.15 – 23/Jan/2017
- FEATURE: Add support for login widgets from Theme My Login
- UPDATER: (Premium version): update to the latest updater class, including the new ability to automatically update
1.2.14 – 02/Jan/2017
- TWEAK: Add missing internationalisation headers to the main plugin file
1.2.13 – 31/Aug/2016
- TWEAK: Internationalisation implementation was not previously compatible with wordpress.org’s translation system
1.2.12 – 20/May/2016
- FEATURE: Compatibility with https://wordpress.org/plugins/use-administrator-password/ – when TFA is enabled on an account, the TFA credentials of the user whose password was supplied are allowed (and required)
1.2.11 – 18/May/2016
- TWEAK: Update bundled select2 to version 4.0.2
- FIX: If the [twofactor_user_qrcode] shortcode (Premium version) was used without other short-codes, then the code would not display
1.2.10 – 31/Mar/2016
- TWEAK: Prefer openssl, if present, to the deprecated mcrypt. Note that if you migrate a site from a server without openssl to a server without mcrypt, then because of mcrypt’s non-compliant padding, you will need to either install php-mcrypt on the new server, or disable TFA (via define('TWO_FACTOR_DISABLE', true); in your wp-config.php) to allow users to be able to log in. This also applies if the source site did have openssl, but for users who hadn’t logged in since installing this update.
- TWEAK: Make the $simba_two_factor_authentication_premium object globally available
- COMPATIBILITY: Mark as tested on WP 4.5
1.2.8 – 12/Dec/2015
- FEATURE: Add support for the Affiliates-WP login form
- TWEAK: Defeat WooCommerce loading an old version of the select2 script onto the TFA settings page, and breaking the user selector (should work this time)
1.2.6 – 11/Nov/2015
- TWEAK: Defeat WooCommerce loading an old version of the select2 script onto the TFA settings page, and breaking the user selector
- TWEAK: Tested on WordPress 4.4
- TWEAK: Use h1 for heading style on admin page, not h2
- FIX: The “You’ll need to use TFA to login in future” link for users for whom TFA is compulsory (Premium) was to the wrong page
1.2.4 – 09/Nov/2015
- TWEAK: Make window settings filterable
1.2.3 – 19/Oct/2015
- FIX: Fix bug in 1.2.2 that could lock out users without TFA settings
1.2.2 – 16/Oct/2015
- TWEAK: Display dashboard notice if TWO_FACTOR_DISABLE is defined in wp-config.php, to prevent time wasted wondering why nothing is happening
1.2.1 – 08/Oct/2015
- FEATURE: (Premium version) – Require users (of configured roles) to use TFA (optionally after a configurable amount of time)
1.1.21 – 25/Aug/2015
- TRANSLATIONS: Translation files can now be used (translators welcome!)
- TRANSLATION: Swedish translation added, courtesy of Bo Sving
1.1.19 – 20/Aug/2015
- TWEAK: Remove a pointless nonce check
1.1.18 – 01/Aug/2015
- COMPATIBILITY: Tested with WP 4.3 (RC1) and WooCommerce 2.4 (RC1) – no issues found (i.e. previous releases believed to be already compatible)
- FIX: When the admin is showing codes for other users, QR codes were not displaying correctly since 1.1.13
1.1.17 – 22/May/2015
- TWEAK: Introduce convenience method for developers wanting to verify that TFA is active (Premium)
- FIX: Fix operation of [twofactor_conditional] shortcode (Premium)
- FIX: Fix fatal error introduced in convenience method in 1.1.16
1.1.15 – 13/May/2015
- FIX: Fix conflict with ‘reset password’ form with “Theme My Login” plugin
1.1.14 – 12/May/2015
- FIX: Add TFA support to the WooCommerce login-on-checkout form (previously, TFA-enabled users could not log in using it)
1.1.13 – 11/May/2015
- TWEAK: Use jquery-qrcode to generate QR codes, replacing external dependency on Google
- TWEAK: Update bundled select2 library to 4.0.0 release (was rc2)
1.1.12 – 22/Apr/2015
- FIX: Fix corner-case where the user’s login looked like an email address, but wasn’t the account address. In this case, an OTP was always requested.
- FIX: When the username does not exist, front-end should not request TFA code.
1.1.11 – 21/Apr/2015
- TWEAK: Prevent PHP notice if combining with bbPress
- TWEAK: Added more console logging if TFA AJAX request fails
- TWEAK: Add some measures to overcome extraneous PHP output breaking the AJAX conversation (e.g. when using strict debugging)
1.1.10 – 20/Apr/2015
- SECURITY: Fix possible non-persistent XSS issue in admin area (https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html)
- FIX: Don’t get involved on “lost password” forms (intermittent issue with “Theme My Login”)
1.1.9 – 15/Apr/2015
- TESTING: Tested with “Theme My Login” – https://wordpress.org/plugins/theme-my-login/ – no issues
- TWEAK: Do a little bit of status logging to the browser’s developer console on login forms, to help debugging any issues
- TWEAK: Add a spinner on login forms whilst TFA status is being checked (WP 3.8+)
- TWEAK: Make sure that scripts are versioned, to prevent updates not being immediately effective
- TWEAK: Make sure OTP field on WooCommerce login form receives focus automatically
1.1.8 – 14/Apr/2015
- FIX: Fix an issue on sites that forced SSL access to admin area, but not to front-end, whereby AJAX functions could fail (e.g. showing latest code)
- FIX: Version number was not shown correctly in admin screen since 1.1.5
- TWEAK: Show proper plugin URI
1.1.7 – 10/Apr/2015
- FIX: Fix plugin compatibility with PHP 5.6
- FIX: TFA was always made active on XMLRPC, even when the user turned it off
1.1.6 – 09/Apr/2015
- TWEAK: Change various wordings to make things clearer for newcomers to two-factor authentication.
1.1.5 – 07/Apr/2015
- FEATURE: Admin users (Premium version) can show codes belonging to other users, and activate or de-activate TFA for other users.
- PREMIUM: Premium version has now been released: https://www.simbahosting.co.uk/s3/product/two-factor-authentication/. Features emergency codes, personal support, and more short-codes allowing you to custom-design your own front-end page for users.
- TWEAK: Premium version now contains support link to the proper place (not to wordpress.org’s free forum)
- TWEAK: Added a constant, TWO_FACTOR_DISABLE. Define this in your wp-config.php to disable all TFA requirements.
- FIX: Fix a bug introduced in version 1.1.2 that could prevent logins on SSL-enabled sites on the WooCommerce form when not accessed over SSL
1.1.3 – 04/Apr/2015
- TWEAK: Provide “Settings saved” notice when user’s settings are saved in the admin area (otherwise the user may be wondering).
1.1.2 – 03/Apr/2015
- FEATURE: Don’t show anything on the WooCommerce login form unless user is using 2FA (i.e. behave like WP login form)
- FEATURE: Added 9 new shortcodes for custom-designed front-end screens (Premium – forthcoming)
1.1.1 – 30/Mar/2015
- Support added for multisite installs. (Plugin should be network-activated).
- Support added for super-admin role (it’s not a normal WP role internally, so needs custom handling)
- Tested + compatible on upcoming WP 4.2 (tested on Beta 3)
- Re-add option to require 2FA over XMLRPC (without specific code, XMLRPC clients don’t/can’t use 2FA – but requiring it effectively blocks hackers who want to crack your password by using this weakness in XMLRPC)
1.0 – 20/Mar/2015
- First version, forked from Oskar Hane’s https://wordpress.org/plugins/two-factor-auth/
- Support for email “two-factor” removed (email isn’t really a second factor, unless you have multiple email accounts and guard where your “lost login” emails go to)
- Use AJAX to refresh current code (rather than reloading the whole page)
- Added WordPress nonces and user permission checks in relevant places
- Shortcode twofactor_user_settings added, for front-end settings
- User interface simplified/de-cluttered