Two Factor

The Two-Factor plugin adds an extra layer of security to your WordPress login by requiring users to provide a second form of authentication in addition to their password. This helps protect against unauthorized access even if passwords are compromised.

Setup Instructions

Important: Each user must individually configure their two-factor authentication settings.

For Individual Users

1. Navigate to your profile: Go to “Users” → “Your Profile” in the WordPress admin
2. Find Two-Factor Options: Scroll down to the “Two-Factor Options” section
3. Choose your methods: Enable one or more authentication providers (noting a site admin may have hidden one or more so what is available could vary):
   • Authenticator App (TOTP) – Use apps like Google Authenticator, Authy, or 1Password
   • E-mail codes – Receive one-time codes via email
   • Backup Codes – Generate one-time backup codes for emergencies
   • Dummy Method – For testing purposes only (requires WP_DEBUG)
4. Configure each method: Follow the setup instructions for each enabled provider
5. Set primary method: Choose which method to use as your default authentication
6. Save changes: Click “Update Profile” to save your settings

For Site Administrators

• Plugin settings: The plugin provides a settings page under “Settings → Two-Factor” to configure which providers should be disabled site-wide.
• User management: Administrators can configure 2FA for other users by editing their profiles
• Security recommendations: Encourage users to enable backup methods to prevent account lockouts

Available Authentication Methods

Authenticator App (TOTP) – Recommended

• Security: High – Time-based one-time passwords
• Setup: Scan QR code with authenticator app
• Compatibility: Works with Google Authenticator, Authy, 1Password, and other TOTP apps
• Best for: Most users, provides excellent security with good usability

Backup Codes – Recommended

• Security: Medium – One-time use codes
• Setup: Generate 10 backup codes for emergency access
• Compatibility: Works everywhere, no special hardware needed
• Best for: Emergency access when other methods are unavailable

E-mail codes

• Security: Medium – One-time codes sent via email
• Setup: Automatic – uses your WordPress email address
• Compatibility: Works with any email-capable device
• Best for: Users who prefer email-based authentication

FIDO U2F Security Keys

• Deprecated and removed due to loss of browser support.

Dummy Method

• Security: None – Always succeeds
• Setup: Only available when WP_DEBUG is enabled
• Purpose: Testing and development only
• Best for: Developers testing the plugin

Important Notes

HTTPS Requirement

• All methods work on both HTTP and HTTPS sites

Browser Compatibility

• TOTP and email methods work on all devices and browsers

Account Recovery

• Always enable backup codes to prevent being locked out of your account
• If you lose access to all authentication methods, contact your site administrator

Security Best Practices

• Use multiple authentication methods when possible
• Keep backup codes in a secure location
• Regularly review and update your authentication settings

For more information about two-factor authentication in WordPress, see the WordPress Advanced Administration Security Guide.

Voor meer geschiedenis, zie dit bericht.

Acties & filters

Hier is een lijst van actie en filter hooks voorzien door de plugin:

• two_factor_providers filter overschrijft de beschikbare twee-factor providers zoals e-mail en tijd-gebaseerde eenmalige wachtwoorden. Array waarden zijn PHP classnames van de twee-factor providers.
• two_factor_providers_for_user filter overschrijft de beschikbare two-factor providers voor een specifieke gebruiker. Array waarden zijn instanties van provider klassen en het gebruikersobject WP_User is beschikbaar als het tweede argument.
• two_factor_enabled_providers_for_user filter overschrijft de lijst van twee-factor providers die zijn ingeschakeld voor een gebruiker. Het eerste argument is een array van ingeschakelde provider classnames als waarden, het tweede argument is de gebruiker ID.
• two_factor_user_authenticated actie die het ingelogde WP_User object ontvangt als eerste argument om de ingelogde gebruiker te bepalen direct na de authenticatie workflow.
• Het filter two_factor_user_api_login_enable beperkt de authenticatie voor REST API en XML-RPC tot alleen applicatie wachtwoorden. Geeft de gebruikers ID als tweede argument.
• two_factor_email_token_ttl filter overschrijft het tijdsinterval in seconden dat een e-mail token wordt beschouwd na generatie. Accepteert de tijd in seconden als eerste argument en de ID van het WP_User object dat wordt geverifieerd.
• two_factor_email_token_length filter overschrijft het standaard aantal van 8 tekens voor e-mail tokens.
• two_factor_backup_code_length filter overschrijft het standaard aantal van 8 karakters voor back-up codes. Biedt de WP_User van de bijbehorende gebruiker als tweede argument.
• two_factor_rest_api_can_edit_user filter bepaalt of de twee-factor instellingen van een gebruiker bewerkt kunnen worden via de REST API. Het eerste argument is de huidige $can_edit boolean, het tweede argument is de gebruiker ID.
• two_factor_before_authentication_prompt action which receives the provider object and fires prior to the prompt shown on the authentication input form.
• two_factor_after_authentication_prompt action which receives the provider object and fires after the prompt shown on the authentication input form.
• two_factor_after_authentication_input action which receives the provider object and fires after the input shown on the authentication input form (if form contains no input, action fires immediately after two_factor_after_authentication_prompt).
• two_factor_login_backup_links filters the backup links displayed on the two-factor login form.

Redirect After the Two-Factor Challenge

To redirect users to a specific URL after completing the two-factor challenge, use WordPress Core built-in login_redirect filter. The filter works the same way as in a standard WordPress login flow: