Products in Cart:                 CloseView full shopping cart
Secure Login and Two-Factor Authentication solution for WordPress

CM Secure Login Pro | Secure Two-Factor Authentication (2FA) WP Plugin

Secure Login and Two-Factor Authentication solution for WordPress main image

Provide two-factor authentication for your WordPress users via Google Authenticator. Mobile Phone SMS, and unique email code and email links. This robust WordPress two-factor authentication plugin offers the best account security for your WordPress users

Show more

Choose a preferred method for each user or role

Show less

WordPress Two-Factor Authentication TFA Description

The password is the standard security implementation in the computer world. However, passwords can be guessed, hacked, or intercepted.

To combat these weaknesses you should install two-factor authentication methods, which provide a secret login key with one time passwords (OTP) that are not vulnerable to brute-force attacks

Securing Users Accounts

Unlike passwords, two-factor authentication (2FA) is a two-step process that asks for an additional unique identification.

Examples are: sending OTP to your mobile phone, sending OTP to your email account, or by using an external service such as Google Authenticator

The Secure WordPress Login plugin from CreativeMinds offers a robust solution with multiple two-factor authentication methods.

It lets the WordPress administrator choose from four different options to secure their WordPress site login.

The WordPress login screen which includes an additional step for email verification
The WordPress login screen which includes an additional step for email verification

Two-Factor Authentication Methods

The two-factor authentication (2FA) plugin from CreativeMinds can employ the following authentication methods:

  1. Google Authenticator – Require secret from Google’s secure app
  2. Mobile Phone SMS – Send a text message with a one-time key
  3. Email Code – Send a message with a one-time use code
  4. Email Link – Send a message with a one-time use link

The WordPress Two-Factor Authentication plugin also lets the WordPress administrator define which user roles require two-factor login credentials. The admin can of course apply our enhanced security check for all users.

Limit Logins by Number of IPs and Devices

Restrict how many IPs and/or devices can log in to each account and apply yet another security layer!

For example, only allow the admin to log in from a specific computer. If someone tries using another device or IP, the login won't work.

Learn how to use the feature.

Login blocked from a new IP address
Login blocked from a new IP address

Using One Time Passwords (OTP) and the User Registration Plugin

  • Improve WordPress site security – Add an additional unique level of security to each user account with a secret key, helping to block hackers, bots, malicious users and other unwanted intruders
  • Define which accounts need enhanced password security – Admin can define which account type needs OTP security access
  • Define 2FA Expiration time – Admin can define how long each verification option is valid until the user needs to generate a new one
  • Define time to logout – Admin can define how long each user can use their recent OTP login, in case they are not active for a defined amount of time

WordPress Two-Factor Authentication Plugin Localization

Localization Support

All Front-End labels can easily be changed to any language so the user interface will speak your language.
Plugin Labels Settings
Plugin Labels Settings
Enhance-Security- - Two-Factor Authentication WordPress plugin

2FA Plugin Use Cases

  • Protect Admin Accounts – If your site has sensitive information, it’s a good idea to protect powerful user as much as possible. Add Google Authenticator as a secondary password and feel at ease
  • Only SMS – Allow users with the Subscriber role to log in only with the SMS link, so that they don’t have to remember and manage their passwords

WordPress Two-Factor Authentication Plugin Related Use Cases

WordPress Two-Factor Authentication Plugin Additional Resources

2FA-Related Blog Resources

WordPress Two Factor Authentication Features

2FA Methods

Google Authenticator – Require users to enter a unique code generated by their Google Authenticator app. Google uses Time-based One Time Passwords (TOTP) and HMAC-based One Time Passwords (HOTP) to protect your website. Learn more
Mobile Phone SMS – Send a SMS to users with the one-time password when they try to log in. The plugin uses the reliable Amazon SMS service (AWS SNS). Learn more
Email Verification – Send a unique link to the users’ email each time they try to log in. Learn more
Email Code – Send a unique code to the users’ email each time try to log in. Learn more

Control Access

Access by User – Set a different two-factor authentication method for each user
Access by Role – Define which user roles need enhanced 2FA. Require an extra layer of security for users who are prone to using a weak or common password
IP Limit – Define how many IP address each user role can use to log in. Learn more.
Device Number – Choose how many devices each user can use to log in. Learn more.
Override Password – Choose users who will only need the secondary authentication method. They won’t require a password


Define Expiration – Define the duration of each code sent to the user Once expired, the user will need to generate a new code
Customize Notifications – All notifications, including SMS and email templates, can be easily customized
External Login Form – Add external login forms using a simple shortcode


WordPress Two Step Authentication Related Plugins

CM Registration Pro
Registration and Invitation Codes
This plugin adds a registration and login popup to your WordPress site. This plugin supports invitation codes, email verification, reCaptcha and more. Wordpress login and email registration uses Ajax for on page support.
[ Video]  [ Userguide]
CM WordPress HTTPS Pro
WordPress HTTPS SSL Plugin
Automatically redirect from HTTP to HTTPS. Generate a free SSL certificate from the trusted Let's Encrypt service and force your entire website to support SSL.
[ Video]  [ Userguide]
FAQ Knowledge Base and Widget
This plugin builds a frequently asked question (FAQ) knowledge base on your WordPress site. The plugin allows your WordPress users to search the frequently asked questions (FAQ) and vote for the best answers. Categorize frequently asked questions or create a FAQ forum for users.
[ Video]  [ Userguide]
CM Table of Contents Pro
Table of Contents
Add a table of contents to any page or post on your WordPress site. Define the different sections of the user-generated table of contents with any tag or CSS class included in the page or post content.
[ Video]  [ Userguide]
Export User Data
Export User Data
Export user data and meta data into comprehensive CSV or Excel files. Export users by role and registration date range and use filters to select the user data you need. All functionalities of the plugin are in a single, slick, screen.
[ Video]  [ Userguide]
CM WordPress HTTPS Pro
WordPress HTTPS SSL Plugin
Automatically redirect from HTTP to HTTPS. Generate a free SSL certificate from the trusted Let's Encrypt service and force your entire website to support SSL.
[ Video]  [ Userguide]

WordPress Two Factor Authentication Frequently Asked Questions

Does the SMS two factor authentication work in any country?

Yes. You can use it in any country which is covered by Amazon SNS service. You can see the list of countries here

Does the SMS two factor authentication cost money?

Yes. You need to sign up to Amazon SNS and choose your plan. More information about pricing for the SMS notifications can be found here

Does the two factor service cost additional money?

Out of the 4 available options Google Authenticator, Email link verification and email code are free for unlimited use. The only service which costs money is the Amazon SNS. Pricing for the SNS service can be found here

How to use the Google Authenticator authentication?

The Google Authenticator app can be downloaded to an iPhone or an Android

It’s a free app. Once installed, you need to do an initial setup and after the setup it will produce a unique code to login to the site. Learn how to use it on Install Google Authenticator – Android – Google Account Help

How can the SMS service send a text if I don't have the user's mobile phone number?

Once you activate the SNS service, a new user field is added to the user profile with the user’s mobile phone number. The first time the user logs in, the system sends them an email asking them to enter their mobile phone number. Once they do this, the information is saved in their user profile.

Can I set the 2FA to only work for admin users?

Sure. You can define that only users with admin roles have to use the two factor authentication. All other users will be logged in normally.

Can each user use a different 2FA method?

No, this is not supported. Once the admin sets the preferred 2FA method, all users which are included in the 2FA setting will be using the set method. The admin can change the method which will also require all users to use the new method.

Will it work with WooCommerce Form?

Yes. Since version 1.4.5 we have added support to include the 2FA method in the WooCommerce form.

Secure Login and Two-Factor Authentication Image Gallery

Back-end Gallery

Customer Reviews for the 2FA Plugin

Version 1.7.0 from the 7th Aug 2022

  • Bugfix in statistics feature
  • Updated nonce error message

Version 1.6.9 from the 2nd Aug 2022

  • Improvement in statistics feature

Secure Login and Two-Factor Authentication Release Notes

Version 1.6.8 from the 29th Dec 2021

  • Added statistics feature

Version 1.6.7 from the 18th June 2021

  • Bugfix related to license package 1.9.1

Version 1.6.6 from the 23rd May 2021

  • Updated license package to version 1.9.1

Version 1.6.5 11th May 2021

  • Update requires at least WordPress 5.4.0

Version 1.6.4 26th Feb 2021

  • Bugfix related to store device with “Send confirmation link to user’s email address” protection method
  • Bugfix related to store IP address with “Send confirmation link to user’s email address” protection method

Version 1.6.3 7th Feb 2021

  • Improved settings description

Version 1.6.2 8th Jan 2021

  • Bugfix related to version 1.6.1

Version 1.6.1 2nd Jan 2021

  • Added new hooks
  • Added new setting called logout mode now user able to set logout with active time
  • Bugfix related to disable passwords feature

Version 1.6.0 15th Sep 2020

  • Bugfix related to protection method
  • Added to change after redirect URL with email code protection method

Version 1.5.9 24th Aug 2020

  • Bugfix related to validate the password before sending the Code/Link/SMS

Version 1.5.8 11th June 2020

  • Added support with ultimate member login form
  • Improvement in SMS protection method
  • Updated license package 1.9.0

Version 1.5.7 8th June 2020

  • Small JS Bug fix

Version 1.5.6 8th June 2020

  • Added support for per user IP restrictions
  • Added support for Device type restrictions
  • Bug fixes

Version 1.5.5 9th April 2020

  • Added protection verified for up to days

Version 1.5.4 7th April 2020

  • Optimized code

Version 1.5.2 25th Feb 2020

  • Added support to auto redirect to back link URL from email

Version 1.5.1 8th Jan 2020

  • Added support to test AWS SNS API in settings tab
  • Bugfix related to email link confirm page backlink url

Version 1.5.0 27th Oct 2019

  • Bugfix in send auth code to additional email feature

Version 1.4.9 12th Oct 2019

  • Added option to enable/disable login instructions

Version 1.4.8 25th Sep 2019

  • Compatible with Peepso login
  • Added css on buttons
  • Updated license package 1.8.9

Version 1.4.7 13th Dec 2018

  • Compatible with “Login Widget With Shortcode” plugin

Version 1.4.6 23rd Nov 2018

  • Bugfix related to session

Version 1.4.5 15th Nov 2018

  • Added support with woocommerce login form

Version 1.4.4 13th Sep 2018

  • Fixed phone number for the SMS update issue in edit profile section.

Version 1.4.3 31st Aug 2018

  • Fixed twice click issue on buttons.
  • Updated license package

Version 1.4.2 16th Aug 2018

  • Added new option in settings that allow users to choose between “Send Code via Email” / “Send Code via SMS” in login page.

Version 1.4.1 5th Aug 2018

  • Updated login instructions default URL
  • Updated license package

Version 1.4.0 17th Oct 2017

  • Added option to set the user’s phone number on the “Add new user” page in wp-admin.

Version 1.3.0 11th Oct 2017

  • Added option to change the SMS/email code length and define the characters set.
  • Fixed some issue with logging-in when using the email link.
  • Fixed error with email code – it was calling sms ajax action.

Version 1.2.0 8th Aug 2017

  • Added option to send the notification email with the email/SMS code or the confirmation link to an additional email address for chosen roles

Version 1.1.4 8th Aug 2017

  • Fixed bug with multiple AJAX calls

Version 1.1.3 11th July 2017

  • Added option to send the Google Authenticator secret reminder email to a user

Version 1.1.2 11th July 2017

  • Added a back link on the login confirmation screen after confirmed by the email link
  • Added option to send the notification email only to roles that have to use the protection

Version 1.1.1 10th July 2017

  • Added feature to notify all users about the protection by sending the email
  • Added instructions text that can be displayed on the login form
  • Minor adjustments

Plugin First Release 18th June 2017

Do you need additional functionality?

We can implement additional features, change the interface and integrate external resources. Get in touch with us!

We Accept All Major Credit Cards
Accepted payment methods include all Credit Cards and PayPal