WordPress two-factor authentication for site users, enforced per role
Require TOTP authenticator codes, email codes, or backup codes for chosen WordPress user roles, enforced at the login screen. Grace logins, remember-device windows, and wp-config recovery constants mean operators are never locked out.
Stolen passwords are the leading cause of WordPress site compromises, and most 2FA implementations lock operators out when they lose a device
A strong password alone does not stop credential stuffing, phishing, or a leaked database. Two-factor authentication closes that gap but only if the implementation handles device loss and recovery gracefully. An overly strict 2FA setup that locks administrators out of production sites creates a security control that is worse than having none.
Under the hood
The steps that make it work, and what each one does.
Choose which roles require 2FA
Configure 2FA requirements per WordPress user role from the WPMgr dashboard. Administrator, editor, author, contributor, and subscriber roles can each be set to required, optional, or not available.
Users set up their preferred method
Users who are required to set up 2FA are guided through the setup flow on their next login. They can choose a TOTP authenticator app or an email code delivered to their WordPress email address.
Backup codes for device loss
Each user generates a set of single-use backup codes during setup. Codes are hashed in the database and can be regenerated from the user profile at any time while 2FA is set up.
Recovery via wp-config constants
Every 2FA control that could affect admin access has a documented wp-config constant for recovery. If a user is locked out and has lost their backup codes, an operator with server access can disable 2FA for that user.
Enter authenticator code
Backup codes and wp-config recovery available
What's included
Every capability ships in the open-source release.
TOTP authenticator app
Compatible with any TOTP authenticator app. The setup flow generates a QR code and a manual entry key. Replay protection burns each code after use.
Email code fallback
Users can choose to receive a one-time code by email instead of using an authenticator app. Email codes expire after a short window.
Single-use backup codes
Each user receives a set of backup codes during setup. Codes are single-use and hashed in the database. Generating a new set of codes immediately invalidates the previous set.
Per-role enforcement
2FA requirements are configured per WordPress user role. Administrator and editor roles can be required while subscriber and contributor remain optional.
wp-config recovery constants
Every 2FA control that could block access has a documented recovery constant in wp-config.php. Operators with server access can always recover a locked-out user.
Audit log of all 2FA events
Setup, successful logins, failed attempts, and backup code use are all recorded in the tamper-evident audit log.
Questions answered
Common questions about this feature.
Self-host it, read the code, and run your whole fleet.
Free and open source. No per-site fee. The full release is on GitHub.