Enable Two-Factor Authentication

Strengthen your WordPress admin login security by requiring a second verification step. This guide walks you through enabling TOTP-based 2FA for your Wp Admin managed sites.

Overview

Two-Factor Authentication (2FA) adds a critical layer of security to your WordPress dashboard. Even if a password is compromised, unauthorized users cannot access your site without the second factor. Wp Admin supports Time-based One-Time Passwords (TOTP) using standard authenticator apps like Google Authenticator, Authy, or Microsoft Authenticator.

Prerequisites

  • Administrator access to your WordPress site
  • A smartphone or desktop with an authenticator app installed
  • Wp Admin Security plugin activated (auto-installed on all managed plans)

Setup Steps

  1. Access Security Settings: Log in to your WordPress admin panel. Navigate to Wp Admin > Security > Two-Factor Authentication.
  2. Initiate Setup: Click Enable 2FA next to your user profile. A QR code and manual entry key will appear.
  3. Scan with Authenticator App: Open your preferred authenticator app. Select "Add Account" → "Scan QR Code" and point your camera at the displayed code.
  4. Verify Configuration: Enter the 6-digit code generated by your app into the verification field and click Verify & Activate.
  5. Complete Setup: You will be prompted to save your backup codes. Store them securely before clicking Finish Setup.

ℹ️ Tip: After enabling, you'll be prompted for a 2FA code every time you log in to /wp-admin. Sessions are remembered for 48 hours by default.

Backup Codes

Wp Admin generates 10 single-use backup codes when you enable 2FA. These are your emergency access keys if you lose your device or can't receive codes.

⚠️ Important: Each backup code can only be used once. Download or print them immediately. Wp Admin cannot recover lost codes.

  Feature        Details
  Code Format    16-character alphanumeric strings
  Valid Usage    Once per code, expires after use
  Regeneration   Available in 2FA settings (requires current 2FA verification)

Force 2FA via wp-config.php

For agency sites or strict compliance requirements, you can enforce 2FA for all administrators by adding the following constants to your wp-config.php file:

/** Require Two-Factor Authentication for Administrators */
define('WPADMIN_FORCE_2FA', true);
define('WPADMIN_2FA_REQUIRE_ROLES', ['administrator', 'editor']);

After saving, users without 2FA enabled will be blocked from accessing the dashboard until they complete setup. Wp Admin's staging environment allows safe testing before production deployment.

Troubleshooting

Invalid Code / Time Sync Error

If your codes are consistently rejected, your device's system time may be out of sync with the server. TOTP relies on precise time alignment. Ensure your phone/computer date & time are set to auto-update. Alternatively, use the Resync Time option in the Wp Admin 2FA settings.

Lost Access / Locked Out

If you lose your authenticator device and have no backup codes, contact Wp Admin support with proof of ownership. Our team can temporarily disable 2FA after identity verification, following our security protocol.

Plugin Conflicts

Some login customization or membership plugins may interfere with the 2FA redirect flow. If you experience login loops, temporarily switch to a default theme and disable third-party authentication plugins. Use our conflict detection tool at Wp Admin > Diagnostics.

Still having trouble?

Our security specialists are available 24/7 to help you configure and troubleshoot two-factor authentication securely.
