Title: Configify 2FA
Author: Configify
Published: June 16, 2026
Last modified: June 16, 2026

---



# Configify 2FA

 By [Configify](https://profiles.wordpress.org/configify/)

[Download](https://downloads.wordpress.org/plugin/configify-2fa.1.0.0.zip)


## Description

Configify 2FA adds Two-Factor Authentication to every important action on your WordPress
site, all configurable from a single settings page.

Choose the method that fits your audience:

 * Google Authenticator (TOTP) — RFC 6238 compliant. Works with Google Authenticator,
   Authy, Microsoft Authenticator, 1Password, Bitwarden, and any TOTP app.
 * Math CAPTCHA — Server-side arithmetic challenge. No external dependencies. Works
   offline.
 * Google reCAPTCHA — v2 (checkbox) or v3 (invisible, score-based).

Only TOTP is a second factor in the strict sense: it proves possession of the enrolled
device. The two CAPTCHA methods are bot-mitigation challenges that any human, including
an attacker who already holds the password, can pass. Pick them to slow automated abuse,
not to protect accounts against stolen credentials.

Protect any combination of:

 * Login (wp-login.php + WooCommerce)
 * Registration (WordPress + WooCommerce)
 * Forgot Password
 * Change / Reset Password
 * Comment Submission

#### What makes Configify 2FA different

Security Audit Dashboard — Every 2FA event (success, failure, lockout, setup, method
change) is recorded with username, IP address, user agent, and timestamp. Filter,
search, and export to CSV directly from your admin panel.

Trusted Device Memory — After verifying, users can choose to trust their current
device for a set number of days. Subsequent logins from that device skip the 2FA
step. Tokens are cryptographically random and bound to the user agent. Admins can
revoke trusted devices per user from the profile screen.
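The trusted-device flow described above, and the token handling listed later under Security Details (48 random characters, hashed with wp_hash() before storage, bound to the user agent, with expiry and admin revocation), as an added example in plain PHP. This is not the plugin's own code: a PHP array stands in for wp_usermeta, hash_hmac() with a constructed key stands in for wp_hash() (which WordPress keys with the site salts), and every function name and sample value is an assumption.

```php
<?php
// Added example, not part of the Configify 2FA plugin: trusted-device tokens as the
// page describes them. Plain PHP: an array stands in for wp_usermeta, and
// hash_hmac() with a constructed key stands in for wp_hash() (which WordPress keys
// with the site salts). Function names and the sample data are assumptions.
declare(strict_types=1);

const TD_SITE_KEY = 'constructed-example-key; in WordPress wp_hash() supplies the salt';

// Keyed hash of token + user agent. Only this value is stored, so a database read
// does not yield a usable cookie, and a token replayed from a different user agent
// produces a different hash and fails.
function td_hash(string $token, string $userAgent): string
{
    return hash_hmac('sha256', $token . "\0" . $userAgent, TD_SITE_KEY);
}

// Issue a new trusted-device token: 36 random bytes -> 48 URL-safe base64 characters.
// Returns [cookie value for the browser, record to persist for the user].
function td_issue(string $userAgent, int $now, int $days): array
{
    $token  = rtrim(strtr(base64_encode(random_bytes(36)), '+/', '-_'), '=');
    $record = ['hash' => td_hash($token, $userAgent), 'expires' => $now + $days * 86400];
    return [$token, $record];
}

// Check a presented cookie against the user's stored records. Returns the index of the
// matching record, or null if none matches (wrong token, different UA, or expired).
function td_verify(array $records, string $token, string $userAgent, int $now): ?int
{
    $candidate = td_hash($token, $userAgent);
    foreach ($records as $i => $r) {
        if ($r['expires'] <= $now) {
            continue;                                   // expired: treat as absent
        }
        if (hash_equals($r['hash'], $candidate)) {      // constant-time compare
            return $i;
        }
    }
    return null;
}

// Demo with constructed values.
$now = 1700000000;
$ua  = 'Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0';

[$cookie, $record] = td_issue($ua, $now, 30);   // "trust this device for 30 days"
$records = [$record];

printf("cookie length: %d\n", strlen($cookie));                                 // 48
var_dump(td_verify($records, $cookie, $ua, $now + 86400) === 0);                // true: same device, next day
var_dump(td_verify($records, $cookie, 'curl/8.6.0', $now + 86400) === null);    // true: token replayed from another UA
var_dump(td_verify($records, $cookie, $ua, $now + 31 * 86400) === null);        // true: past the 30-day expiry
var_dump(td_verify([], $cookie, $ua, $now + 86400) === null);                   // true: records cleared by admin revocation
```

Two practical notes. The user-agent binding is a weak signal on its own: the header is chosen by the client, and an attacker who lifts the cookie from a browser usually knows that browser's user agent too, so the real protections are storing only the keyed hash, the expiry, and admin revocation. The cookie itself should be set with the HttpOnly, Secure and SameSite attributes so that it is not readable from page scripts or sent over plain HTTP.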

Brute-Force Lockout — Repeated 2FA failures trigger a configurable lockout by user
and IP address to stop automated attacks.

Email OTP Fallback — When TOTP is active but a user has not yet set up their authenticator
app, a 6-digit one-time code is sent to their email address as a fallback. Because that
code is delivered by email, the fallback is only as strong as the user's mailbox; treat it
as an enrollment and recovery path, not as an equivalent second factor.

Per-Role Enforcement — Require 2FA only for Administrators, Editors, or any custom
role. Leave all unchecked to apply to every role.

WooCommerce Support — Hooks into WooCommerce login, registration, lost password,
and account password change, not just the default WordPress forms.

#### Security Details

 * TOTP implementation is pure PHP with no third-party library dependency. Secrets
   are stored in WordPress user-meta and are not displayed in plain text after
   enrollment. Note that a TOTP verifier must be able to recover the raw secret (it
   cannot be kept as a one-way hash the way a password is), so read access to the
   database or to a backup is equivalent to holding every user's secret; protect
   exports accordingly.
 * Math CAPTCHA answers are stored in server-side transients with a 10-minute TTL
   and consumed on first use.
 * Pending login sessions are stored in a custom database table, expire after 10
   minutes, and are purged daily via WP-Cron.
 * Trusted device tokens are cryptographically random (48 characters), hashed with
   wp_hash() before storage, and bound to the user agent string. The user agent
   binding is a weak check on its own (the header is chosen by the client), so the
   hash-at-rest, the expiry and admin revocation are the protections to rely on.
 * All form submissions require a WordPress nonce in addition to the 2FA challenge.
 * TOTP verification includes a clock-skew tolerance of plus or minus two 30-second
   windows to account for imprecise device clocks. That means five candidate codes
   are accepted per attempt, which is why the brute-force lockout matters: with 6
   digits each guess has a 5 in 1,000,000 chance rather than 1 in 1,000,000.
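To make the TOTP points above concrete (a pure-PHP verifier, the plus or minus two window tolerance, why the raw secret must be retained, and what the otpauth URI carries), here is an added RFC 6238 verifier. It is not Configify 2FA's code: the function names, the replay check via a stored last-used counter, the example issuer and account, and the sample timestamps are assumptions; the secret is the RFC 6238 reference test secret in base32, and the expected code comes from the RFC's published test vector.

```php
<?php
// Added example, not part of the Configify 2FA plugin: a minimal RFC 6238 TOTP
// verifier in plain PHP (no WordPress, no third-party library). Function names,
// the last-used-counter replay check and the sample timestamps are assumptions;
// the secret is the RFC 6238 reference test secret, base32-encoded.
declare(strict_types=1);

// RFC 4648 base32 decoder. Authenticator apps exchange the shared secret in base32.
function totp_base32_decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException("invalid base32 character: $c");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $raw = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop the trailing partial byte
            $raw .= chr(bindec($byte));
        }
    }
    return $raw;
}

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
// The verifier needs the raw secret here, which is why it cannot be stored as a one-way hash.
function totp_hotp(string $rawSecret, int $counter, int $digits = 6): string
{
    $hmac   = hash_hmac('sha1', pack('J', $counter), $rawSecret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $binary = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function totp_counter(int $timestamp, int $period = 30): int
{
    return intdiv($timestamp, $period);
}

// What the authenticator app displays at $timestamp.
function totp_code(string $b32Secret, int $timestamp): string
{
    return totp_hotp(totp_base32_decode($b32Secret), totp_counter($timestamp));
}

// Accept the code for counters now-2 .. now+2 (five candidate codes per attempt, the
// tolerance the plugin states). $lastUsedCounter is persisted per user so a code that
// was already accepted cannot be replayed while it is still inside the window.
// Returns the matched counter (to persist as the new $lastUsedCounter) or null.
function totp_verify(string $b32Secret, string $submitted, int $timestamp, int $lastUsedCounter, int $window = 2): ?int
{
    if (!preg_match('/^\d{6}$/', $submitted)) {
        return null;
    }
    $raw = totp_base32_decode($b32Secret);
    $now = totp_counter($timestamp);
    for ($delta = -$window; $delta <= $window; $delta++) {
        $counter = $now + $delta;
        if ($counter <= $lastUsedCounter) {
            continue;                       // already consumed, or older than one that was
        }
        if (hash_equals(totp_hotp($raw, $counter), $submitted)) {
            return $counter;
        }
    }
    return null;
}

// The otpauth URI a setup QR code encodes. It carries the secret itself, which is
// what leaves the site when the QR image is rendered by a third-party API.
function totp_uri(string $issuer, string $account, string $b32Secret): string
{
    return sprintf('otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=6&period=30',
        rawurlencode($issuer), rawurlencode($account), $b32Secret, rawurlencode($issuer));
}

// Demo with the RFC 6238 test secret "12345678901234567890" (base32 below). The RFC's
// vector gives 07081804 at T=1111111109 for 8 digits, so the 6-digit code is 081804.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
$t      = 1111111109;
$code   = totp_code($secret, $t);
echo "app shows:     $code\n";                                   // 081804
$hit    = totp_verify($secret, $code, $t + 45, -1);              // 45 s late: still inside the -2 window
echo "accepted at:   " . var_export($hit, true) . "\n";          // 37037036
$replay = totp_verify($secret, $code, $t + 45, $hit);            // same code again is refused
echo "replay result: " . var_export($replay, true) . "\n";       // NULL
echo "setup URI:     " . totp_uri('Example Site', 'alice@example.com', $secret) . "\n";
```

The last-used counter is the detail most hand-rolled verifiers miss: without it, a code captured by a phishing page or shoulder-surfed remains valid for up to two and a half minutes under this tolerance. Persisting the matched counter and refusing anything at or below it closes that gap at no cost to legitimate users.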

### External Services

This plugin connects to the following external services. No data is ever sent to
Configify servers.

#### Google reCAPTCHA

This plugin can use Google reCAPTCHA to protect forms. It is only active when the
admin selects reCAPTCHA as the 2FA method.

It sends the user’s IP address and a browser interaction token to Google’s servers
each time a protected form is submitted.

This service is provided by Google LLC: [Terms of Service](https://policies.google.com/terms),
[Privacy Policy](https://policies.google.com/privacy).

#### goQR.me QR Code API

This plugin uses the goQR.me API (api.qrserver.com) to generate QR code images for
Google Authenticator setup. It is only used when a user clicks “Generate QR Code”
on the Settings page while TOTP is the active method.

It sends the TOTP URI — which contains the site name, the user’s email address,
and the TOTP secret — to api.qrserver.com to generate the QR code image. That URI
is the shared secret itself: anyone who obtains it can generate valid codes for the
account, so the enrollment secret transits a third party over the network. goQR.me
states that it does not store or log QR code contents and that the generated image
is cached for approximately 30 seconds and then deleted; this is the provider’s own
claim, so treat enabling TOTP with this plugin as a trust decision about goQR.me.

This service is provided by goQR.me: [Terms of Service](https://goqr.me/legal/tos-api.html),
[Privacy Policy](https://goqr.me/privacy-safety-security/).

### WooCommerce Compatibility

Configify 2FA integrates with WooCommerce out of the box with no additional configuration.
It hooks into:

 * woocommerce_process_login_errors
 * woocommerce_process_registration_errors
 * woocommerce_lostpassword_form
 * woocommerce_edit_account_form
 * woocommerce_save_account_details_errors

### Privacy

Configify 2FA stores the following data locally on your server:

 * A TOTP secret and confirmation flag in wp_usermeta.
 * Trusted device token hashes and expiry timestamps in wp_usermeta.
 * Pending session tokens in a custom table (wp_c2fa_sessions) — deleted automatically
   after 10 minutes.
 * Security audit log entries in a custom table (wp_c2fa_audit_log) — pruned automatically
   after the configured retention period (default 90 days).

All data is removed when the plugin is deleted (via uninstall.php).

## Screenshots

 1. Settings page — method selection
 2. Protected actions and role restrictions
 3. Google Authenticator (TOTP) setup
 4. Google reCAPTCHA setup
 5. Math CAPTCHA setup
 6. Backup codes
 7. Security audit log dashboard with search and export
 8. 2FA verification screen on wp-login.php
 9. Trusted device option on the verification screen

## Installation

 1. Upload the configify-2fa folder to /wp-content/plugins/, or install via the WordPress
    admin plugin uploader.
 2. Activate the plugin via Plugins > Installed Plugins.
 3. Go to Settings > Configify 2FA and choose your 2FA method.
 4. Enable the actions you want to protect and click Save Settings.

#### Google Authenticator Setup

 1. Select Google Authenticator (TOTP) as the active method.
 2. Users visit their Profile page, scroll to the Two-Factor Authentication section,
    and click Set up Authenticator App.
 3. They scan the QR code with any TOTP-compatible app and enter the first 6-digit 
    code to confirm.
 4. Future logins will require the 6-digit code from the app.

#### Google reCAPTCHA Setup

 1. Obtain a free site key and secret key at https://www.google.com/recaptcha/admin/create
 2. Select Google reCAPTCHA as the active method.
 3. Enter your keys under the Google reCAPTCHA Options section and save.

## FAQ

### Can I use multiple 2FA methods at once?

No. One method is active site-wide. This keeps the user experience consistent. Different
methods per role may be considered for a future release.

### What happens if a user loses their phone or authenticator app?

An admin can go to Users > Edit User > Two-Factor Authentication and click Reset
TOTP. The user will then receive an email one-time code on their next login if the
email fallback option is enabled, and can enrol a new authenticator app from their
Profile page. Because this reset is the account-recovery path, confirm the requester's
identity through a channel other than their email address before using it.

### Does TOTP work offline?

Yes. TOTP codes are generated locally in the authenticator app using a shared secret
and the current time. No internet connection is needed after the initial setup scan.

### Does it work with WooCommerce?

Yes. Login, registration, lost password and account password change hook into the
WooCommerce forms listed under WooCommerce Compatibility. Comment submission is
protected on the standard WordPress comment form, which WooCommerce product reviews
also use.

### Is it compatible with caching plugins?

Yes. The 2FA verification pages are handled dynamically and are not cached. Math
CAPTCHA tokens are stored server-side, not in the page output.

### Will activating this plugin lock me out?

No. The plugin only activates 2FA on the specific actions you enable. If you accidentally
lock yourself out with TOTP, an administrator can reset TOTP for any user from Users
> Edit User.

### Is Google reCAPTCHA GDPR compliant?

Google reCAPTCHA sends the user’s IP address and browser data to Google. You may
need to disclose this in your site’s privacy policy. The Math CAPTCHA method involves
no external data transfers.

### Does the plugin send data to Configify servers?

No. No data of any kind is sent to Configify servers. See the External Services 
section above for full details on what external connections the plugin can make.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“Configify 2FA” is open source software. The following people have contributed to
this plugin.

Contributors

 *   [ Configify ](https://profiles.wordpress.org/configify/)
 *   [ Bhumi Patel ](https://profiles.wordpress.org/bhumiitpath/)

[Translate “Configify 2FA” into your language.](https://translate.wordpress.org/projects/wp-plugins/configify-2fa)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/configify-2fa/), check
out the [SVN repository](https://plugins.svn.wordpress.org/configify-2fa/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/configify-2fa/) 
by [RSS](https://plugins.trac.wordpress.org/log/configify-2fa/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.0

 * Initial release.
 * Google Authenticator (TOTP), Math CAPTCHA, and Google reCAPTCHA v2/v3 methods.
 * Protects login, registration, forgot password, change password, and comment submission.
 * WooCommerce integration for all protected actions.
 * Security audit log with CSV export.
 * Trusted device memory — remember a verified device for a configurable number 
   of days.
 * Brute-force lockout after configurable failed attempts.
 * Email OTP fallback for TOTP when app not yet configured.
 * Per-role enforcement.
 * Branding options with opt-in credit display.
 * Full uninstall cleanup.

## Meta

 * Version **1.0.0**
 * Last updated **2 days ago**
 * Active installations **Fewer than 10**
 * WordPress version **5.8 or higher**
 * Tested up to **7.0**
 * PHP version **7.4 or higher**
 * Tags: [2FA](https://wordpress.org/plugins/tags/2fa/), [login](https://wordpress.org/plugins/tags/login/),
   [security](https://wordpress.org/plugins/tags/security/), [two factor authentication](https://wordpress.org/plugins/tags/two-factor-authentication/),
   [woocommerce](https://wordpress.org/plugins/tags/woocommerce/)
 * [Advanced View](https://wordpress.org/plugins/configify-2fa/advanced/)
