Secure Login and Two-Factor Authentication solution for WordPress

WordPress Two Factor Authentication – Two Step Login Verification

The WordPress (secure login) Two Factor Authentication Plugin enhances the security of your website by providing a login verification method for users.
With support for four authentication methods, including Google Authenticator, Mobile Phone SMS, unique email codes, or email links, this robust WP 2fa plugin ensures top-notch account security.
Admins can customize preferred authentication for each user or role and restrict logins by specific IP addresses or device IDs with the Two-Factor Authentication Plugin.

WordPress Two Factor Authentication Plugin Description

The password is the standard security implementation in the computer world. However, passwords can be guessed, hacked, or intercepted.

To combat these weaknesses you should install two factor authentication login verification, which provide a secret login key with one time passwords (OTP) that are not vulnerable to brute-force attacks.


Securing Users Accounts

Unlike passwords, two factor authentication (2FA) is a two-step process that asks for an additional unique identification.

Examples are: sending OTP to your mobile phone, sending OTP to your email account, or by using an external service such as Google Authenticator

The WordPress Secure 2FA Login plugin offers a robust solution with multiple two factor authentication methods.

It lets the WordPress administrator choose from four different options to secure their WordPress site login.

The WordPress login screen which includes an additional step for email verification
The WordPress login screen which includes an additional step for email verification

Two-Factor Authentication Methods

The WordPress two step authentication plugin can employ the following authentication methods:

  1. Google Authenticator – Require secret from Google’s secure app
  2. Mobile Phone SMS – Send a text message with a one-time key
  3. Email Code – Send a message with a one-time use code
  4. Email Link – Send a message with a one-time use link
  5. Email Code or SMS Code – Let the user a choice between sending a message with a one-time use code via email or SMS

WordPress 2FA Admin Dashboard

Setting the Protection Method
Setting the Protection Method
The WordPress 2FA plugin also lets the WordPress administrator define which user roles require two-factor login credentials. The admin can of course apply our enhanced security check for all users.

Google Authenticator

The Google Authenticator is a free application which can be used on iPhones or an Android-based smartphones.

It provides an extra security level for the login process.

The GA application constantly generates a one-time code which is valid for a short period of time.

The users has to enter that code in addition to his login and password in order to access his account.

Example of OTP Codes in Google Authenticator App
Example of OTP Codes in Google Authenticator App

Limit Logins by Number of IPs and Devices

Login blocked from a new IP address
Login blocked from a new IP address
Restrict how many IPs and/or devices can log in to each account and apply yet another security layer!

For example, only allow the admin to log in from a specific computer. If someone tries using another device or IP, the login won't work.

Learn how to use the feature.


Collecting Login Statistics

The WordPress 2FA Plugin allows to collect statistics about all logins that were made using 2FA protection on your site.

The statistics dashboard shows the detailed information about the user, login method, device and browser info, user's IP address, status of the login and login attempt time.

Login Statistics Dashboard
Login Statistics Dashboard

User and Admin Notifications

Notifying Users About New Security Feature
Notifying Users About New Security Feature
Each 2FA protection method has it's own email template for notifying users, either it's a message about creating a GA secret for the user, or SMS & email verifications.

Optionally, you can set additional email addresses which will receive a notification with login info (code or verification link) every time somebody tries to login.

And one more notification allows you to inform your users that you enabled new login security feature on your site.


Using WordPress 2FA Plugin

  • Improve WordPress site security – Add an additional unique level of security to each user account with a secret key, helping to block hackers, bots, malicious users and other unwanted intruders
  • Define which accounts need enhanced password security – Admin can define which account type needs OTP security access
  • Define 2FA Expiration time – Admin can define how long each verification option is valid until the user needs to generate a new one
  • Define time to logout – Admin can define how long each user can use their recent OTP login, in case they are not active for a defined amount of time


WordPress Two-Factor Authentication Plugin Additional Resources


2FA-Related Blog Resources

WordPress Two Factor Authentication Features

Please check the user guide to learn more about this plugin.

2FA Methods

Google Authenticator

Google Authenticator

Require users to enter a unique code generated by their Google Authenticator app. Google uses Time-based One Time Passwords (TOTP) and HMAC-based One Time Passwords (HOTP) to protect your website.

Email Verification

Email Verification

Send a unique link to the users’ email each time they try to log in.

Mobile Phone SMS

Mobile Phone SMS

Send a SMS to users with the one-time password when they try to log in. The plugin uses the reliable Amazon SMS service (AWS SNS).

Email Code

Email Code

Send a unique code to the users’ email each time try to log in.

Control Access

Access by User

Access by User

Enable two-factor authentication method for chosen users.

IP Limit

IP Limit

Define how many IP address each user role can use to log in.

Override Password

Override Password

Choose users who will only need the secondary authentication method. They won’t require a password.

Auto Logout

Auto Logout

Define the time for automatic logout after some period of inactivity or activity.

Limit Login from Specific IPs

Limit Login from Specific IPs

The WordPress Two Factor Authentication Plugin can let you limit logins from a defined set of IP addresses.

Limit Login Attempts From the Same IP

Limit the number of failed login attempts from the same IP address. Define the number of attempts and set a time limit for each specific login page.

Admin Notifications

Admin can define a list of email addresses to which each user 2FA notification is sent. In such case when a user login, the notification is sent to the user and also to the list of email addresses set by admin.

Access by Role

Access by Role

Define which user roles need enhanced 2FA. Require an extra layer of security for users who are prone to using a weak or common password.

Device Limit

Device Limit

Choose how many devices each user can use to log in.

Define Expiration

Define Expiration

Define the duration of each code sent to the user once expired, the user will need to generate a new code.

Define Code Characters and Length

Define Code Characters and Length

Define the length of the randomly generated verification code and what characters it may consist of.

Trusted Device

Trusted Device

Users can choose trusted devices for specific number of days. This way they don’t need to login everytime when they visit site.

Specific User Settings

Admin can turn off or reset 2FA setting per each user while editing the user profile from the admin dashboard. Admin can also view and send the user a QR code so the user can scan it with Google Authenticator app.

Utilities

Customize Notifications

Customize Notifications

All notifications, including SMS and email templates, can be easily customized. You can also provide users info about their login attempts: login time, IP and used browser.

Statistics

Statistics

Collect statistics about all login attempts which were made with the enabled protection method and track the login success rate.

Code Expiration Countdown

Code Expiration Countdown

Display the countdown in the login form to inform users about when the code expires.

Separated Fields

Separated Fields

Show separated fields for Google Authenticator protection method to make the interface more user-friendly.

User Roles Manager

User Roles Manager

Easily create, duplicate and delete user roles. Edit basic user capabilities with a simple and user-friendly interface.

Notify Users About Enabling 2FA

Notify Users About Enabling 2FA

Notify your site users about enabling 2FA protection on your site. You can either notify all users or only those ones that are required to use 2FA. Optionally, you can skip users which are already notified. The notification message is customizable.

Statistics Dashboard

Statistics Dashboard

Monitor the details about 2FA logins using the statistics dashboard. It shows the info about the user, login method, device and browser info, IP address, status of the login and login attempt time.

Customizable Login Instructions

Customizable Login Instructions

Add instructions to the login form. You can customize this message by using HTML and media content.

Labels

Labels

All frontend labels can easily be changed to any language so the user interface will speak your language.

WordPress Secure Login Plugin Plans and Pricing

PLANSEssentialAdvancedUltimate
Price includes 1 year support/updates. Manual renewal with 40% discount, not a subscription $49 $69 $119
Number of Websites / License Activations 1310
BASIC FEATURES
Google Authenticator Support IncludedIncludedIncluded
SMS Verification IncludedIncludedIncluded
Email Link Verification IncludedIncludedIncluded
Email Code Verification IncludedIncludedIncluded
ADDITIONAL RESTRICTIONS
Access by User IncludedIncludedIncluded
Access by Role IncludedIncludedIncluded
IP Limit IncludedIncludedIncluded
Device Number Limit IncludedIncludedIncluded
Override Password IncludedIncludedIncluded
Define Expiration IncludedIncludedIncluded
Auto Logout IncludedIncludedIncluded
Define Code Characters and Length IncludedIncludedIncluded
Limit Login from Specific IPs IncludedIncludedIncluded
Limit Login Attempts From the Same IP IncludedIncludedIncluded
Trusted Device IncludedIncludedIncluded
TOOLS
User Roles Manager IncludedIncludedIncluded
Customize Notifications IncludedIncludedIncluded
Notify Users About Enabling 2FA IncludedIncludedIncluded
Statistics IncludedIncludedIncluded
Separated Fields IncludedIncludedIncluded
Customizable Login Instructions IncludedIncludedIncluded
Labels IncludedIncludedIncluded
ADD-ONS
CM HTTPS SSL Plugin Not includedIncludedIncluded
CM Email Blacklist Registration Plugin Not includedNot includedIncluded
CM Admin Tools Plugin Not includedNot includedIncluded
CM Site Access Restriction Plugin Not includedNot includedIncluded
SUPPORT
Product Knowledge Base Included Included Included
Priority email support Included Included Included
Product updates Included Included Included
PLANSEssentialAdvancedUltimate
Number of Websites / License Activations 1310
Price includes 1 year support/updates. Manual renewal with 40% discount, not a subscription $49 $69 $119

WordPress Two Step Authentication Related Plugins

WordPress Two Factor Authentication Plugin Related Use Case Tutorials


WordPress Two Factor Authentication Plugin Additional Use Cases

  • Protect Admin Accounts – If your site has sensitive information, it’s a good idea to protect powerful user as much as possible. Add Google Authenticator as a secondary password and feel at ease
  • Only SMS – Allow users with the Subscriber role to log in only with the SMS link, so that they don’t have to remember and manage their passwords

WordPress Two Factor Authentication Frequently Asked Questions

Does the SMS two factor authentication work in any country?

Yes. You can use it in any country which is covered by Amazon SNS service. You can see the list of countries here

Does the SMS two factor authentication cost money?

Yes. You need to sign up to Amazon SNS and choose your plan. More information about pricing for the SMS notifications can be found here

Does the two factor service cost additional money?

Out of the 4 available options Google Authenticator, Email link verification and email code are free for unlimited use. The only service which costs money is the Amazon SNS. Pricing for the SNS service can be found here

How to use the Google Authenticator authentication?

The Google Authenticator app can be downloaded to an iPhone or an Android

It’s a free app. Once installed, you need to do an initial setup and after the setup it will produce a unique code to login to the site. Learn how to use it on Install Google Authenticator – Android – Google Account Help

How can the SMS service send a text if I don't have the user's mobile phone number?

Once you activate the SNS service, a new user field is added to the user profile with the user’s mobile phone number. The first time the user logs in, the system sends them an email asking them to enter their mobile phone number. Once they do this, the information is saved in their user profile.

Can I set the 2FA to only work for admin users?

Sure. You can define that only users with admin roles have to use the two factor authentication. All other users will be logged in normally.

Can each user use a different 2FA method?

No, this is not supported. Once the admin sets the preferred 2FA method, all users which are included in the 2FA setting will be using the set method. The admin can change the method which will also require all users to use the new method.

Will it work with WooCommerce Form?

Yes. Since version 1.4.5 we have added support to include the 2FA method in the WooCommerce form.

Secure Login and Two-Factor Authentication Image Gallery

Back-end Gallery

Customer Reviews for the 2FA Plugin

We Accept All Major Credit Cards
Accepted payment methods include all Credit Cards and PayPal