
Two Factor Auth

Secure WordPress login with Two Factor Auth. Users will have to enter a One Time Password when they log in.


  • Added Spanish translation, thanks to Andrew Kurtis at WebHostingHub for that.
  • Added settings section to change the OTP email from address and name on admin settings page. Thanks to Denny Cherry at Denny Cherry & Associates Consulting for that.


  • Inserting the TFA Form as first element in form. Enables sending the form with return-key in all browsers.
  • Updated Tested up to version to 3.9.1



  • The last release introduced an email login bug that is fixed in this version.


  • You can now enter an email address instead of a username to generate an OTP email.


  • Successfully tested in WP 3.8


  • All new layout on the login page. Now the OTP field and button won't be shown until an activated user has entered their login details. Users that belong to non-activated groups will not see any difference from a regular login form.
  • Fixed an error where a PHP NOTICE was shown on user settings page when WP_DEBUG was set to true. (thanks Thomas van der Beek)


Just added "Tested up to" tag in readme since it works fine in WP 3.7. Next version with some updates will come soon.


  • Just updated the "Tested up to" tag in readme. It works fine.


  • XMLRPC users are now able to post again. Settings for this are in Settings->TFA.
  • Added a help text when the OTP button on the login page is clicked so people know that the OTP is coming to their email.


  • The plugin now checks all login forms, not depending on form field names.


  • Added support for HOTP!
  • If HOTP is getting close to going out of sync, the user is notified.
  • Fixed an unclosed <strong> on admin settings page.
  • Email delivery users always use the site default algorithm.


  • Added German translation (Thanks Michael Schwark)
  • Added Chilean Spanish translation (Thanks Michael Schwark)
  • Fixed CSS property bug on OTP button so it looks nice in all browsers.


  • Fixed a bug where the button on the lost password page got disabled.


  • Added language/localization support. Please send me your translation .po files.
  • get_users needs WP 3.1.0. Changing the requirements for the plugin.


  • Added PHP 5.3 check at activation
  • Added mcrypt support check at activation
  • Removed namespace in the Base32 class for better PHP support.


  • Made the button on the login page blue so it's more clear that it's a button.
  • Fixed some typos.


  • All keys and panic codes are now encrypted in the database, as they should be.
  • Panic codes are now based on your key.
  • Users find their settings in root level of the admin menu.
  • Only user roles with TFA activated see the admin menu item.
  • Nicer/cleaner UI for users.
  • Upgrade script for older installations. Must be executed by admin right after plugin update. Manually.
  • Refactored all code and made it class based.


Fixed a bug where an OTP could be used twice.


  • Added limitation to one login per time window (30 seconds).


  • Fixed a bug where emails for some installations didn't work. Thanks to Matías at http://www.periodicoellatino.es for the help.
  • Changed to jQuery for making a POST request because of easier cross-browser support.


Fixed so users get alerted if they don't enter a username before clicking the OTP button on the login page.


  • Added TOTP as the OTP generator. Compatible with Google Authenticator and other third party auth apps.
  • Added user settings page where they can activate usage of third party apps instead of email delivery of code.
  • Added OTP field to standard login form instead of a middle page.
  • Added Panic Codes which users can use if they lose their phone, change email etc.
  • Removed second login screen.
  • Updated admin settings page. Admins can now change user delivery of codes back to email if users lose their phone etc.


  • Fixed warning message on admin settings page (thanks Joi)
  • Hooks into a filter now so other plugins like Better WP Security, Limit Login Attempts etc. get a chance to log a failed login
  • An error message is now displayed when the entered code is wrong
  • Code length is not fixed any more. It can be 5 or 6 characters. Removed some easy-to-mix-up characters as well (1 and I).


  • Admin settings menu where you can choose which user roles will have this activated. There will still be a second screen where the non-activated user roles enter their password, but the One Time Password field is hidden.


  • Removed password field from regular login page and added it to the second page where the user now enters both the emailed code and the password.


  • Initial release

Requires: 3.1.0 or higher
Compatible up to: 3.9.8
Last Updated: 2014-7-1
Active Installs: 900+


4.8 out of 5 stars

