Plugin Two-Factor — WordPress.com

The Two-Factor plugin adds an extra layer of security to your WordPress login by requiring users to provide a second form of authentication in addition to their password. This helps protect against unauthorized access even if passwords are compromised.

Setup Instructions

Important: Each user must individually configure their two-factor authentication settings.

For Individual Users

Navigate to your profile: Go to «Users» → «Your Profile» in the WordPress admin
Find Two-Factor Options: Scroll down to the «Two-Factor Options» section
Choose your methods: Enable one or more authentication providers (noting a site admin may have hidden one or more so what is available could vary):
- Authenticator App (TOTP) – Use apps like Google Authenticator, Authy, or 1Password
- Códigos por correo electrónico – Receive one-time codes via email
- Backup Codes – Generate one-time backup codes for emergencies
- Dummy Method – For testing purposes only (requires WP_DEBUG)
Configure each method: Follow the setup instructions for each enabled provider
Set primary method: Choose which method to use as your default authentication
Save changes: Click «Update Profile» to save your settings

For Site Administrators

Plugin settings: The plugin provides a settings page under «Settings → Two-Factor» to configure which providers should be disabled site-wide.
User management: Administrators can configure 2FA for other users by editing their profiles
Security recommendations: Encourage users to enable backup methods to prevent account lockouts

Available Authentication Methods

Authenticator App (TOTP) – Recommended

Security: High – Time-based one-time passwords
Setup: Scan QR code with authenticator app
Compatibility: Works with Google Authenticator, Authy, 1Password, and other TOTP apps
Best for: Most users, provides excellent security with good usability

Backup Codes – Recommended

Security: Medium – One-time use codes
Setup: Generate 10 backup codes for emergency access
Compatibility: Works everywhere, no special hardware needed
Best for: Emergency access when other methods are unavailable

Códigos por correo electrónico

Security: Medium – One-time codes sent via email
Setup: Automatic – uses your WordPress email address
Compatibility: Works with any email-capable device
Best for: Users who prefer email-based authentication

FIDO U2F Security Keys

Deprecated and removed due to loss of browser support.

Dummy Method

Security: None – Always succeeds
Setup: Only available when WP_DEBUG is enabled
Purpose: Testing and development only
Best for: Developers testing the plugin

Important Notes

HTTPS Requirement

All methods work on both HTTP and HTTPS sites

Browser Compatibility

TOTP and email methods work on all devices and browsers

Account Recovery

Always enable backup codes to prevent being locked out of your account
If you lose access to all authentication methods, contact your site administrator

Security Best Practices

Use multiple authentication methods when possible
Keep backup codes in a secure location
Regularly review and update your authentication settings

For more information about two-factor authentication in WordPress, see the WordPress Advanced Administration Security Guide.

Para más antecedentes, consulta esta entrada.

Acciones y filtros

Aquí hay una lista de ganchos de acción y filtro proporcionados por el plugin:

El filtro two_factor_providers anula los proveedores de dos factores disponibles, como el correo electrónico y las contraseñas de un solo uso basadas en el tiempo. Los valores del array son nombres de clases PHP de los proveedores de dos factores.
El filtro two_factor_providers_for_user anula los proveedores de dos factores disponibles para un usuario específico. Los valores del array son instancias de clases de proveedor y el objeto de usuario WP_User está disponible como el segundo argumento.
El filtro two_factor_enabled_providers_for_user anula la lista de proveedores de dos factores activados para un usuario. El primer argumento es un array de nombres de clases como valores de proveedores activados, el segundo argumento es el ID del usuario.
La acción two_factor_user_authenticated, que recibe el objeto de conexión WP_User como primer argumento, para definir el usuario registrado justo después del flujo de trabajo de identificación.
El filtro two_factor_user_api_login_enable restringe la identificación para la API REST y XML-RPC a solo contraseñas de aplicación. Ofrece el ID de usuario como segundo argumento.
El filtro two_factor_email_token_ttl anula el intervalo de tiempo en segundos que un token de correo electrónico es tenido en cuenta después de la generación. Acepta el tiempo en segundos como el primer argumento y el ID del objeto WP_User que está siendo identificado.
El filtro two_factor_email_token_length omite el contador por defecto de 8 caracteres para los tokens por correo electrónico.
El filtro two_factor_backup_code_length omite el contador por defecto de 8 caracteres para los códigos de respaldo. Ofrece WP_User del usuario asociado como segundo argumento.
El filtro two_factor_rest_api_can_edit_user omite si se pueden editar los ajustes de dos factores de un usuario a través de la API REST. El primer argumento es el $can_edit boleano actual, el segundo argumento es el ID de usuario.
two_factor_before_authentication_prompt action which receives the provider object and fires prior to the prompt shown on the authentication input form.
two_factor_after_authentication_prompt action which receives the provider object and fires after the prompt shown on the authentication input form.
two_factor_after_authentication_input action which receives the provider object and fires after the input shown on the authentication input form (if form contains no input, action fires immediately after two_factor_after_authentication_prompt).
two_factor_login_backup_links filters the backup links displayed on the two-factor login form.

Redirect After the Two-Factor Challenge

To redirect users to a specific URL after completing the two-factor challenge, use WordPress Core built-in login_redirect filter. The filter works the same way as in a standard WordPress login flow:

add_filter( 'login_redirect', function( $redirect_to, $requested_redirect_to, $user ) {
    return home_url( '/dashboard/' );
}, 10, 3 );

Two-Factor

Setup Instructions

For Individual Users

For Site Administrators

Available Authentication Methods

Authenticator App (TOTP) – Recommended

Backup Codes – Recommended

Códigos por correo electrónico

FIDO U2F Security Keys

Dummy Method

Important Notes

HTTPS Requirement

Browser Compatibility

Account Recovery

Security Best Practices

Acciones y filtros

Redirect After the Two-Factor Challenge

WordPress.com

Productos

Funcionalidades

Recursos

Empresa

Idioma

Aplicaciones móviles

Two-Factor

Setup Instructions

For Individual Users

For Site Administrators

Available Authentication Methods

Authenticator App (TOTP) – Recommended

Backup Codes – Recommended

Códigos por correo electrónico

FIDO U2F Security Keys

Dummy Method

Important Notes

HTTPS Requirement

Browser Compatibility

Account Recovery

Security Best Practices

Acciones y filtros

Redirect After the Two-Factor Challenge

WordPress.com

Productos

Funcionalidades

Recursos

Empresa

Idioma

Aplicaciones móviles

Redes sociales