How to Enable Two-Factor Auth (2FA) for WordPress

When running a WordPress site, security should be first and foremost at the front of your mind. One of the best ways to prevent malicious users from accessing your /wp-admin area is enabling two-factor auth (2FA) for WordPress.

The easiest way to enable two factor auth for WordPress is the use the Wordfence Security plugin freely available on the WordPress plugin directory.

Installing Wordfence

The first step to getting two-factor auth enabled for your WordPress site is to install Wordfence. To do that:

  1. Log in WordPress and go to Plugins.
  2. Click “Add New”.
  3. Search for “Wordfence”
  4. Install and activate Wordfence
Showing Wordfence installed in the WordPress admin.
Wordfence installed

Configuring Wordfence

Now that Wordfence is installed you’ll need to enable and configure two-factor auth. To do that click the “Wordfence” menu that appeared after activation and then go to the “Login Security” sub-menu.

Wordfence 2FA activation screen.
Login Security (local site, not this one)

Now you’ll need to choose two factor authentication. I personally use FreeOTP (iOS, Android). Once your authenticator application is installed, scan the code and create the authenticator entry on your phone. Be sure to download your recovery codes too, just in case your phone is bricked, lost, or otherwise unavailable.

Testing Two-Factor Auth Out

Now that two-factor authentication is enabled for your WordPress site, you need to try it out! Log out of your admin, and now when you log back in you’ll be presented with this screen:

Wordfence 2FA code entry
Two Factor Auth enabled

Go to your authenticate app, press the entry for your site, enter the code, and log in!


Wordfence makes is really easy to set up 2FA on WordPress. With it being this easy, it’s hard to justify not having it. After all, even if someone manages to get your password they still won’t be able to log in unless the can compromise your phone too. If you’re worried about performance, this feature of Wordfence doesn’t effect your site’s performance in a meaningful way (which can not be said about Wordfence’s other features). All in all, the Wordfence team has done a great job making this level of security accessible to the wider WordPress community.

Need automatic updates for your premium plugins & themes? Check out Kernl.