
    How to Enable Two-Factor Authentication in WordPress: 2026

By Lena Kovac, March 4, 2026. Updated: April 29, 2026. 5 Mins Read

    WordPress sites that rely on usernames and passwords alone face nonstop login attacks. Bots cycle through stolen credential lists every minute of every day. The symptom appears in the WordPress dashboard audit log. Failed login attempts arrive from dozens of IP addresses, sometimes succeeding on a forgotten account.

    This tutorial covers WordPress two-factor authentication setup from start to finish. By the end, your admin account uses TOTP codes from Google Authenticator. Your team has a grace period to enroll. Recovery codes are saved safely for lost-phone scenarios.

    What You’ll Need

    • WordPress version: 6.5 or newer (older versions miss application password support).
    • Permissions needed: Administrator on the WordPress dashboard. Hosting panel access is not required.
    • Time to complete: 15 minutes for your admin account. Add 5 minutes per additional user during team rollout.
    • Difficulty level: Beginner. Anyone who has installed a plugin before can finish this setup.
    • Prerequisites: A smartphone with Google Authenticator, Authy, or 1Password installed. None of these cost money.

    Step 1: Install the WP 2FA Plugin

    Open your WordPress dashboard at /wp-admin. Navigate to Plugins → Add New. Type “WP 2FA” into the search box at the top right. Look for the plugin published by Melapress with over 100,000 active installs. Click Install Now next to that listing. Wait for the install to finish, then click Activate.

    [SCREENSHOT: wp-2fa-plugin-search-result]

    The plugin loads its first-run wizard automatically after activation. If the wizard does not appear, go to WP 2FA → Settings in the left sidebar and start it manually. The wizard walks you through method choice and admin enrollment in one flow. Set aside 10 uninterrupted minutes before starting Step 2.

    Step 2: Choose a Two-Factor Method in the Wizard

    Click Let’s Get Started on the first wizard screen. Pick “One-time code via 2FA app (TOTP)” as the primary method. TOTP codes work without an internet connection and resist SIM-swap attacks. Email codes are fine as a backup but should never be the primary method on an admin account.

    [SCREENSHOT: wp-2fa-wizard-method-selection]

    Click Next. The wizard shows a QR code on screen. Keep this browser tab open and pick up your phone for the next step. Closing the tab cancels enrollment and forces a restart of the wizard from the beginning.

    Step 3: Scan the QR Code with Google Authenticator

    Open Google Authenticator on your phone. Tap the plus icon at the bottom right. Pick Scan a QR code. Point your phone camera at the QR code on your computer screen. Google Authenticator adds a new entry labeled “WordPress” or your site name. A 6-digit code appears that refreshes every 30 seconds.

    [SCREENSHOT: google-authenticator-scan-qr]

    Type the current 6-digit code into the wizard field on your computer. Click Verify. The wizard confirms your account is now protected and offers a download for recovery codes. Do not skip this confirmation. An unverified setup leaves the account in a half-enrolled state that locks you out on next login.

    Step 4: Set the Grace Period for Other Users

    Navigate to WP 2FA → Settings → Policies. Set “Require 2FA for these users” to All Users for full protection. Pick “Administrator and Editor only” instead if your team has more than 20 contributors and needs a phased rollout.

    [SCREENSHOT: wp-2fa-grace-period-settings]

    Set the grace period to 7 days. This gives users one week to enroll before the plugin blocks their next login. Click Save Changes. The plugin emails enrollment instructions to every covered user automatically. Each user follows the same QR-code flow you ran in Step 3. Users who ignore the email see a reminder banner on every dashboard login until they enroll. After 7 days, the plugin blocks login until enrollment finishes.

    Step 5: Download and Store Recovery Codes

    Click Download Backup Codes on the wizard’s last screen. The plugin generates 10 single-use codes. Each code logs you in once if your phone is lost or stolen. Save the codes in a password manager such as 1Password, Bitwarden, or LastPass.

    [SCREENSHOT: wp-2fa-recovery-codes-download]

    Print a paper copy and store it in a locked drawer as a final backup. The codes do not expire until you regenerate them. After all 10 are used, return to WP 2FA → My Account → Recovery Codes and click Regenerate. Test login with one code now to confirm the codes work before you actually need them.
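To make the "single-use" property of the recovery codes in Step 5 concrete, here is an added illustration (not code from WP 2FA or from this article) of how a site would issue ten codes, store only their hashes, and burn each code on first use; the code values and the `RecoveryCodes` class are constructed for the demo.

```python
import hashlib
import secrets

CODE_COUNT = 10  # matches the ten codes the plugin issues


class RecoveryCodes:
    """Issue single-use backup codes; keep only SHA-256 hashes server-side."""

    def __init__(self, rng=secrets.token_hex):
        self._rng = rng
        self._hashes: set = set()

    @staticmethod
    def _digest(code: str) -> str:
        # Normalise user input so "ABCD-1234" and "abcd1234" compare equal.
        return hashlib.sha256(code.replace("-", "").lower().encode()).hexdigest()

    def regenerate(self) -> list:
        """Replace every outstanding code with a fresh batch; return plaintext once."""
        plain = [self._rng(4) for _ in range(CODE_COUNT)]  # 8 hex chars each (demo length)
        self._hashes = {self._digest(c) for c in plain}
        return plain

    def redeem(self, code: str) -> bool:
        """Accept a code exactly once; a second use of the same code fails."""
        h = self._digest(code)
        if h in self._hashes:
            self._hashes.discard(h)  # burn it so it cannot be replayed
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)
```

Only the hashes survive on the server, so a database leak does not hand out working codes, and `remaining()` hitting zero is the signal to regenerate.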

    Troubleshooting

    Error: “Invalid 2FA code” appears even though the 6-digit code is fresh.
    Fix: Sync your phone’s clock to network time. Open the Google Authenticator menu, tap Settings, then Time correction for codes, and tap Sync now.

    Error: Locked out of the WordPress dashboard with no phone access.
    Fix: Use one of the 10 recovery codes you downloaded in Step 5. Enter the recovery code instead of a TOTP code at the login screen.

    Error: A team user keeps skipping enrollment past the grace period.
    Fix: Go to WP 2FA → Users, find the account, and click Force Re-enroll. The user is logged out and prompted to enroll on next login attempt.

    Error: The QR code does not appear during the wizard.
    Fix: Disable any ad-blocker or privacy plugin in your browser, then reload the WP 2FA setup page.
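The 30-second codes from Step 3 and the "Invalid 2FA code" clock problem above both follow from how TOTP (RFC 6238) works, so here is an added, self-contained illustration (not part of the article or the WP 2FA plugin) that generates and verifies codes and shows why a phone clock that is minutes off gets rejected while one a few seconds off still passes; the secret is the RFC 6238 test key and the tolerance of one step either side is an assumption.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test secret (ASCII "12345678901234567890"); constructed for the demo.
DEMO_SECRET = b"12345678901234567890"
# The same secret as the authenticator app would receive it inside the QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30    # seconds per code, what Google Authenticator uses
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HMAC-SHA1 over the time counter, dynamic truncation, mod 10^digits."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, server_time: int, skew_steps: int = 1) -> bool:
    """Accept the current step and skew_steps neighbours on each side (assumed tolerance)."""
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret, server_time + delta * STEP)
        if hmac.compare_digest(candidate, submitted):  # constant-time compare
            return True
    return False


def login_with_phone(secret: bytes, server_time: int, phone_offset_seconds: int) -> bool:
    """Simulate a user typing the code their phone shows when its clock is off by the offset."""
    shown_on_phone = totp(secret, server_time + phone_offset_seconds)
    return verify_totp(secret, shown_on_phone, server_time)


def secret_from_qr(b32: str) -> bytes:
    """Decode the base32 secret embedded in the otpauth QR code."""
    return base64.b32decode(b32)
```

A phone 20 seconds fast still lands within the one-step window, a phone 90 seconds fast is three steps away and every code it shows is rejected, which is exactly the case the "Sync now" fix repairs.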

    Quick Recap

    • Installed WP 2FA from Melapress and activated the first-run wizard.
    • Picked TOTP codes via Google Authenticator as the primary method.
    • Enrolled the admin account by scanning a QR code and verifying the first code.
    • Set a 7-day grace period for other users with auto-emailed enrollment.
    • Downloaded 10 single-use recovery codes and stored them safely for lockout situations.

    Pair this with the WordPress hardening guide for the next layer of login defense. Official plugin documentation lives at wp2fa.io/docs.

    Lena Kovac

    Lena Kovac writes data-driven analysis and security coverage for WPMytics. She's the person behind the quarterly market reports and monthly trend pieces, using public data from WordPress.org, W3Techs, BuiltWith, and her own testing to map what's happening in the WordPress ecosystem.
