wpmgr
Two-factor authentication

WordPress two-factor authentication for site users, enforced per role

Require TOTP authenticator codes, email codes, or backup codes for chosen WordPress user roles, enforced at the login screen. Grace logins, remember-device windows, and wp-config recovery constants mean operators are never locked out.

Stolen passwords are the leading cause of WordPress site compromises, and most 2FA implementations lock operators out when they lose a device

A strong password alone does not stop credential stuffing, phishing, or a leaked database. Two-factor authentication closes that gap but only if the implementation handles device loss and recovery gracefully. An overly strict 2FA setup that locks administrators out of production sites creates a security control that is worse than having none.

How it works

Under the hood

The steps that make it work, and what each one does.

1

Choose which roles require 2FA

Configure 2FA requirements per WordPress user role from the WPMgr dashboard. Administrator, editor, author, contributor, and subscriber roles can each be set to required, optional, or not available.

2

Users set up their preferred method

Users who are required to set up 2FA are guided through the setup flow on their next login. They can choose a TOTP authenticator app or an email code delivered to their WordPress email address.

3

Backup codes for device loss

Each user generates a set of single-use backup codes during setup. Codes are hashed in the database and can be regenerated from the user profile at any time while 2FA is set up.

4

Recovery via wp-config constants

Every 2FA control that could affect admin access has a documented wp-config constant for recovery. If a user is locked out and has lost their backup codes, an operator with server access can disable 2FA for that user.

2FA enforcement per rolesite-users
AdministratorRequired
4/4
EditorRequired
3/5
AuthorOptional
1/8
SubscriberOff
--

Enter authenticator code

4
2
7
·
·
·

Backup codes and wp-config recovery available

What's included

Every capability ships in the open-source release.

TOTP authenticator app

Compatible with any TOTP authenticator app. The setup flow generates a QR code and a manual entry key. Replay protection burns each code after use.

Email code fallback

Users can choose to receive a one-time code by email instead of using an authenticator app. Email codes expire after a short window.

Single-use backup codes

Each user receives a set of backup codes during setup. Codes are single-use and hashed in the database. Generating a new set of codes immediately invalidates the previous set.

Per-role enforcement

2FA requirements are configured per WordPress user role. Administrator and editor roles can be required while subscriber and contributor remain optional.

wp-config recovery constants

Every 2FA control that could block access has a documented recovery constant in wp-config.php. Operators with server access can always recover a locked-out user.

Audit log of all 2FA events

Setup, successful logins, failed attempts, and backup code use are all recorded in the tamper-evident audit log.

FAQ

Questions answered

Common questions about this feature.

Self-host it, read the code, and run your whole fleet.

Free and open source. No per-site fee. The full release is on GitHub.