WP 2FA review: Safeguarding your WordPress site from unauthorized access
WP 2FA is one of the most well-known dual-factor authentication plugins. But is it worth the hype? In this expert WP 2FA review, we take a close look at its features and how it works to help you decide if it's right for your WordPress website.
This is a detailed review of WP 2FA, one of the most popular two-factor authentication WordPress plugins. In this in-depth WP 2FA review, we'll dive into the following:
- WP 2FA's top features and benefits.
- Its pricing options.
- How to set up the WP 2FA plugin on your site.
- Our verdict — whether we recommend it or not.
Let's begin our review of WP 2FA with a rundown of how the plugin works and ways it can benefit your WordPress website.
An overview of the WP 2FA plugin
WP 2FA is a robust two-factor authentication plugin that shields WordPress websites from unauthorized access by adding an extra verification layer to the login process.
Nowadays, it's pretty common for hackers to log into websites by guessing passwords or carrying out brute force and automated password-guessing attacks.
The WP 2FA plugin allows site admins to add two-factor authentication for all website users, such as admins, customers, subscribers, and others. Adding dual-factor authentication makes it far harder for hackers to gain access to a website because even if they manage to figure out a user's WordPress password, they still won't be able to log in without clearing the second authentication step.
Because hackers can target any type of site (personal portfolio sites, small blogs, membership sites, online stores, etc.), this security plugin is useful for any type of WordPress website.
WP 2FA is a freemium two-factor authentication plugin developed and maintained by Melapress (formerly WP White Security). While there are several two-factor authentication plugins available, WP 2FA is one of the most popular, with 60K active installs on WordPress.org, lots of positive user reviews, and an active, friendly support team.
In the next section, we'll look at some key features that make WP 2FA one of the best two-factor authentication plugins.
WP 2FA's standout features
WP 2FA is a comprehensive dual-factor authentication plugin. Here are some of its top features:
User-friendly interface
Upon installation, all users are guided through a quick setup wizard that breezes them through the configuration steps.
All in all, it makes it super easy to add two-factor authentication to websites and set up 2FA for user accounts. The entire process can be completed in minutes, even for non-techie folks.
Multiple two-factor authentication methods
WP 2FA supports several authentication methods, including email, authenticator apps, SMS, and more.
This level of flexibility makes it easier for all users to find a method that suits their needs and preferences without compromising security.
Multiple backup login methods
In case users lose access to their primary dual-factor authentication method, WP 2FA supports backup login methods so they can still access their accounts safely.
For example, if a user typically uses an authenticator app and their phone gets stolen or is out of charge, it provides backup security codes that they can use to log in to their accounts.
Customizable policies
Not every website user will require a second authentication factor to access your site, so the plugin allows you to configure two-factor authentication policies based on user roles. For example, if you run an ecommerce site that sells footwear, you can enforce strict two-step authentication requirements for high-risk roles like administrators, shop managers, or content editors, while making it optional for customer accounts.
You can also define grace periods, which give first-time users extra time to enable second-factor authentication for their account before it becomes compulsory.
Trusted devices
Users can mark their devices as "trusted", meaning they won’t have to complete the second-factor authentication step every time they log in from that specific device.
This enhances your site's user experience (UX) by reducing friction for repeat logins and maintains a high level of security as it protects your website from unauthorized access on untrusted devices.
White label user interface
The white label option enables you to customize all user-facing interfaces, such as the login page or the two-factor authentication user setup wizard to match your website’s branding.
This creates a seamless user experience (UX) and helps build trust, as the entire login experience feels consistent and professional.
How to set up the WP 2FA plugin
WP 2FA provides an easy-to-use setup wizard to help you enable two-factor authentication on your WordPress website. In this section, I'll walk you through the steps in the wizard so you can get set up quickly.
Step 1: Set up two-factor authentication and backup methods
Follow these steps to add the plugin to WordPress and choose the core dual-factor authentication and backup methods:
- Install and activate the WP 2FA plugin on your WordPress site.
- Upon installation, the setup wizard should initiate automatically. Alternatively, you can navigate to the Users → Your Profile page and locate the "WP 2FA Settings" section at the bottom. Then click the "Configure Two-factor authentication (2FA)" button to launch the setup wizard.
- Click "Let's Get Started!" on the welcome screen of the setup wizard to begin the configuration process.
- You will be prompted to select your preferred authentication method on the next screen. There are two options to choose from:
  - Generate a one-time code using a 2FA app of your choice (recommended).
  - Receive a one-time code via email.
- After selecting your preferred authentication method, click "Continue Setup" to proceed to the next step.
- Next, you need to choose backup two-factor authentication methods for users in the event their primary method fails, such as if they misplace their phone. Note that the plugin's free version only offers backup codes as a backup two-factor authentication method. You'll need to upgrade to WP 2FA premium to gain access to additional alternative two-factor authentication options.
- Click "Continue Setup" to move to the next step.
Step 2: Customize two-factor authentication policies
Follow these steps to tailor how the two-factor authentication policies work for all users:
- This screen allows you to make two-factor login compulsory for some or all users (recommended). To require 2FA for every user on your site, simply choose the "All users" option and select "Continue Setup".
- If you chose to make two-factor authentication mandatory for all users in the previous step, the next screen will let you exempt certain users or roles from this requirement. Simply type in their usernames or roles to exclude them from two-factor authentication.
- Next, click "Continue Setup" to decide when users must start using two-factor authentication. You can choose from two options:
  - Require immediate two-factor authentication usage
  - Define a grace period for setup
- If you choose to offer a grace period, you can specify how long it'll be. By default, the grace period is 3 days, which works for most websites, but you can adjust it as needed. You can also decide what happens to users who don't set up two-factor authentication after the grace period. The options are to allow login but restrict dashboard access, or to prevent them from logging in at all.
- Lastly, click "All Done" to conclude the setup wizard.
Congratulations, you've now enabled two-factor authentication on your WordPress site! You'll see a success message and a "Configure 2FA Now" button for your own WordPress user account. Click this button to set up your personal two-factor authentication.
Step 3: Set up two-factor authentication for your account
Once two-factor authentication is enabled on your WordPress site, WP 2FA will start a new wizard to guide you through setting up two-factor authentication for your own WordPress user account. Similarly, other site users will be prompted to do this when they try to log in to the website.
Follow these steps to add two-factor authentication to your own account.
1. Select your preferred 2FA method
- The first step is to choose your preferred two-factor authentication method. In this tutorial, I'll opt for a one-time code via an authenticator app. (Note that other options may appear based on your plan and earlier selections in the setup wizard).
- Select "One-time code via 2FA app", followed by the "Next Step" button. This will generate and display both a QR code and a text code on the screen. You can either use an authenticator app on your mobile device to scan the QR code or manually enter the text code.
2. Enter the 2FA code on your website
- Open your desired authenticator app and tap "+" or "Add account". In this tutorial, I used Authy; however, the process is similar for most apps.
- Allow camera access when prompted and select "Scan QR Code".
- Scan the QR code on your computer screen. The app will begin to save the account automatically as soon as it recognizes the QR code.
- Edit the logo and nickname if desired, then tap "Save" to save the account.
- The app will now show a one-time password which you'll need to enter in your site's login screen. Head back to your computer and click "I'm Ready" in the two-factor authentication setup wizard.
- To verify your one-time password, enter the code from your mobile app into the "Authentication Code" field before it expires.
- Click "Validate & Save" to complete the setup.
- Next, click "Generate List of Backup Codes" to create backup codes as an alternate login method for times when you can't access your primary two-factor authentication method (such as if you lose your phone). Once generated, you can download the codes to a secure location on your computer, print them and store them safely, or email them to yourself so you can easily access them if needed.
- Lastly, click "I'm Ready, Close the Wizard" to complete the wizard.
That's it! You've set up two-factor authentication for your personal WordPress user account on that website.
An overview of your website's updated login process
If you've followed the steps so far, you'll have successfully enabled two-factor authentication on your website.
When users next log in, they'll see a notice about setting up two-factor authentication for their own user accounts, including the grace period deadline (if any). They can choose to set up two-factor authentication immediately or be reminded the next time they attempt to log in.
Clicking "Configure 2FA now" starts them on the same process you went through in the previous section.
After setting up 2FA, the login process changes a bit. Users will still enter their username and password as usual. Once their login credentials are accepted, a second screen will appear asking them to complete the second authentication step.
Users must enter the code to complete the login process and access your site. If they don't have their phone, they can use one of the backup codes generated during the setup process instead.
And that's it! Your website is much better protected. Even if a hacker obtains a user's username and password, they can't log in without the user's phone or backup codes.
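To make the second login step described above concrete, here is an added Python example (not the plugin's own code) of what a site checks when a user submits an authenticator-app code or a backup code: a time-based one-time password (TOTP) check that tolerates one 30-second step of clock drift, and single-use backup codes that are stored only as hashes. The 30-second step, 6 digits and SHA-1 parameters are assumptions matching common authenticator apps; the base32 secret in the test is the RFC 6238 reference secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Assumed parameters, matching what most authenticator apps use (RFC 6238).
STEP = 30      # seconds per code
DIGITS = 6     # code length


def totp(secret_b32: str, at_time: int) -> str:
    """Compute the one-time code an authenticator app shows at a given time.
    secret_b32 is the base32 'text code' shown next to the QR code during setup."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = at_time // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret_b32: str, submitted: str, at_time: int, window: int = 1) -> bool:
    """Second login step: accept the code for the current step and `window` steps
    either side (phone clock drift), comparing in constant time."""
    for delta in range(-window, window + 1):
        expected = totp(secret_b32, at_time + delta * STEP)
        if hmac.compare_digest(expected, submitted.strip()):
            return True
    return False


def generate_backup_codes(n: int = 5):
    """Return (plain codes to show the user once, hashes to store server-side)."""
    plain = [secrets.token_hex(4) for _ in range(n)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in plain}
    return plain, stored


def use_backup_code(stored: set, submitted: str) -> bool:
    """Backup codes are single-use: a matching hash is removed on success."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.discard(digest)
        return True
    return False
```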
WP 2FA pricing
It wouldn't be a complete WP 2FA review without looking at its pricing options. What's the cost to gain access to WP 2FA's robust feature set?
WP 2FA follows a freemium pricing model: the core features are free and more advanced features are available for a fee. Luckily for users, all versions pack a punch. There are three tiers:
- Free: The Free plan lets you set up two-factor authentication for all users for free. It also supports multiple 2FA methods and 2FA backup methods.
- Premium: The Premium plan includes everything in the free version plus additional 2FA methods, the option to set up trusted devices, one-click WooCommerce integration, and lots more.
- Enterprise: The Enterprise plan includes everything in the Premium version, along with complete white labeling options, the option to add a custom slide to the two-factor authentication setup wizard, and priority support.
Verdict of the WP 2FA review: Is this two-factor authentication plugin worth the hype?
Now, it's time to answer the question posed at the start of this in-depth WP 2FA review: Is the WP 2FA plugin worth the hype?
Short answer: yes.
Setting up two-factor authentication is one of the easiest ways to beef up your site's security and there's no better plugin for this than WP 2FA.
All in all, WP 2FA is the best solution to add two-factor authentication to your WordPress site. It is super easy to set up for site admins and other user accounts. It's packed with a robust feature set, provides solid support options, has a great track record, and offers tremendous value for money.
Add WP 2FA and shield your WordPress site from unauthorized access today!