2FAS Light – Google Authenticator


Secure your WordPress Administration area with 2FAS Light plugin

Every time you log in to a WP-admin panel, the 2FAS Light plugin checks whether the device has already been trusted. If the device has not been trusted, the user is asked for a security code generated by the Google Authenticator mobile app.

The 2FAS plugin also works with other mobile applications that generate tokens, such as Microsoft Authenticator, Authy, FreeOTP, 2STP and OTP Auth.

Install & use

You do not need to register, create a special account, log in or take any other complicated action to use the 2FAS Light plugin. All you need to do is install it and activate it in your WordPress. What is more, the 2FAS Light plugin does not communicate with any external sites. All data the plugin needs to work properly is stored in the WordPress database.

Free for all users

Some WordPress plugins are free for only one user as they require fees when you want other users to join you. 2FAS Light plugin is entirely free for all WordPress users.

Get instant protection against:

Brute-force attacks

During a brute-force attack, your password can be discovered by the attacker. This is the only vulnerability you will experience with 2FAS Light. 2FAS Light’s intelligent security feature provides a finite amount of time in which the attacker can access the correct token. After the access period has ended, the attacker is locked out for security reasons.

WordPress takeovers

Many people use the same password or a similar password for many online services. Repeatedly used passwords remain vulnerable in cyberspace. Using the 2FAS Light plugin on your WordPress site makes access without a 2FAS Light registered device very difficult.

Phishing and keylogger attacks

If you’re not completely sure that the devices used by you or your sub-users are completely free of keyloggers and viruses, then using 2FAS Light to protect your WordPress site from security breaches is a great solution!

Any password discovery attempt is useless with 2FAS Light. Without the token generated by your 2FAS Light, conventional access to your WordPress site is almost impossible.


For more information check out our website at https://2fas.com

If you need our support, please contact us at support@2fas.com


  • The first step of the login process — providing the login and the password
  • The second step of the login process — providing the token on an untrusted device
  • Configuring the two-factor authentication in the 2FAS Light plugin


  1. Log in to your WordPress administration area and go to the “Plugins” menu option on the left side.
  2. Click the “Add New” button at the top of the page.
  3. Search for “2FAS Light” and click the “Install Now” button.
  4. When 2FAS Light successfully installs, click the “Activate” link.
  5. Go to the 2FAS Light menu option and follow the steps of the plugin wizard (scan the QR code and provide your token in order to verify it).
  6. That’s it! Now your WordPress administration area is protected by 2FAS Light.

Plugin requirements:

  • PHP 7.0 or newer (PHP 7.4 is recommended)
  • PHP extensions: GD, Multibyte String, OpenSSL, Json
  • WordPress 4.9 or newer
  • JavaScript enabled

Warning: The plugin is currently not compatible with multisite installations.

If you have any problems with the installation, please contact us at support@2fas.com


Why do I need the 2FAS Light plugin?

If you’re not completely sure your devices or ones used by your sub-users are completely free of keyloggers and viruses, then it is a great solution.

Without the token generated by your smartphone, any password discovery attempt will be useless with 2FAS Light plugin.

Do I need to enter a token each time I log in to the WordPress admin?

No, it is not necessary. The 2FAS Light plugin determines whether or not the user is required to enter a token as an additional form of authentication.

What do I need to do to start using the 2FAS Light plugin?

The most common way to use the 2FAS Light plugin is to configure your smartphone to generate tokens. You can download any Time-based One-Time Password (TOTP) app (e.g. Google Authenticator, Authy, FreeOTP, etc.).

Can I use a browser extension instead of my smartphone to generate tokens?

Yes, you can; however, it isn’t as safe as using your smartphone.

Two-factor authentication is based on verifying a user through different devices or channels. When you use a browser extension, the token is generated in the same browser you log in with, so you are not protected from malware or viruses that can capture your token.

Is it free?

Yes, it is completely free.

You can use it privately or commercially without any fees.


December 24, 2020
Really like that you can add multiple users to use tokens and that it's so simple to set up
September 16, 2020
2FAS Light - Google Authenticator is an excellent plugin!
October 20, 2019
I've been using this plugin to 2 factor authenticate users on my site for a few months now, and I can attest that it's Campbell-Soup-good, Andy-Warhol-good, Battle For The Planet Of The Apes-good! Not sure it can get much gooder—as the popular saying goes, it does what it says on the can.
July 13, 2019
An unobtrusive plugin that works very effectively in the background and doubly secures the blog's backend. Works great and without any problems.
May 29, 2019
I really like this plugin. The only issue I have is that I use a staging site and upon restoring I have to disable it as the restored site doesn't accept my second-factor key. The previous plugin I used worked fine on restore. The sites sit on the same server, so it doesn't appear to be time offset. If this worked it'd be 5 stars. Thanks!

Contributors & Developers

“2FAS Light – Google Authenticator” is open source software. The following people have contributed to this plugin.



3.0.2 (Jan. 8, 2021)

  • Fixed bug in custom column filter

3.0.1 (Jan. 4, 2021)

  • Fixed bug in custom column filter

3.0 (Dec. 21, 2020)

  • Major update of plugin core
  • Dropped support for PHP 5.*. Minimum required PHP version is now 7.0
  • Dropped support for WordPress < 4.9. Minimum required version is now 4.9
  • Changed login process – block account after 5 attempts
  • Added last login time to trusted devices

2.0 (Sep. 1, 2020)

  • Dropped support for PHP 5.4, 5.5. Minimum required PHP version is now 5.6
  • Dropped support for WordPress < 4.2. Minimum required version is now 4.2

1.3.0 (Jun. 22, 2020)

  • Added compatibility with Jetpack
  • Added link to plugin settings in plugin list
  • Fixed use of plugins_url function

1.2.0 (Oct. 9, 2019)

  • Added compatibility with multisite
  • Minor frontend fixes
  • Fixed issue with deleting all plugin’s data during uninstallation
  • Fixed IP in trusted devices

1.1.5 (Apr. 16, 2019)

  • Fixed compatibility with plugins renaming login page

1.1.4 (Apr. 9, 2019)

  • Added compatibility with WooCommerce

1.1.3 (Mar. 6, 2019)

  • Constant DIRECTORY_SEPARATOR is not used anymore
  • Prevent direct access to twofas_light_init.php file

1.1.2 (Feb. 18, 2019)

  • Fixed setcookie function arguments

1.1.1 (Aug. 9, 2018)

  • Fixed PHP errors and warnings occurring during some actions
  • Added plugin’s requirements check during logging in
  • Review notice is shown to every administrator separately
  • Fixed timezones

1.1.0 (Jun. 18, 2018)

  • New layout
  • Improved TOTP time synchronization
  • Added voluntary plugin review request
  • Fixed trusted device cookie deletion
  • Trusted device deletion must be confirmed