Moved

This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.

WP Ghost includes built-in two-factor authentication with three methods: authenticator app codes, email codes, and passkeys (Face ID, Touch ID, Windows Hello, hardware keys). All three are free. Setup takes under two minutes per user, and no separate 2FA plugin is needed.

Why 2FA Matters for WordPress Security

Passwords alone are not enough. Credential stuffing attacks use leaked password databases to try known username/password combinations against your login page. If a user reused a password from another breached site, the attacker gets in on the first try, no brute force needed. Two-factor authentication blocks this completely. Even with the correct password, the attacker cannot pass the second verification step. Combined with WP Ghost’s hidden login path and brute force protection, 2FA makes your WordPress login one of the hardest targets on the web.

Enable the 2FA Feature

Go to WP Ghost > Overview > Features and switch on 2FA. Click Start Feature Setup to go directly to the 2FA settings, or navigate to WP Ghost > 2FA Login > Settings manually. Choose your preferred method and click Save. You can also enable User Choice for 2FA so each user picks their own method from their profile.

Method 1: Authenticator App (2FA Code)

This method uses apps like Google Authenticator, Authy, Microsoft Authenticator, or LastPass Authenticator. The app generates a rotating six-digit code that changes every 30 seconds.

Go to WP Ghost > 2FA Login > Settings, select 2FA Code, and click Save. Then click Add Two-Factor Authentication to go to your User Profile. Scan the QR code with your authenticator app (or enter the text key if your app doesn’t support QR scanning). Enter the generated code to verify the connection. After verification, generate and download your backup codes. Store them somewhere safe, such as in a password manager or printed and kept in a secure location. Each backup code can only be used once.

From now on, every login will ask for the current code from your authenticator app after your password.
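To show what the authenticator app and the site are actually agreeing on, here is an added example (not WP Ghost's own code) of RFC 6238 TOTP generation and verification with a one-step tolerance for clock drift, plus a minimal single-use backup-code store that keeps only salted hashes; the base32 secret used in the test is the RFC 6238 reference seed, and the code-length, step and storage details are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, truncated to 6 digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = (int(time.time()) if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, submitted, at=None, window=1, step=30):
    """Accept the current step and +/- `window` neighbours so a slightly skewed clock still works."""
    now = int(time.time()) if at is None else at
    for k in range(-window, window + 1):
        expected = totp(secret_b32, now + k * step, step)
        if hmac.compare_digest(expected, submitted):         # constant-time comparison
            return True
    return False

class BackupCodes:
    """One-time recovery codes: only salted hashes are stored, and a code is deleted once redeemed."""

    def __init__(self, count=8):
        self.salt = secrets.token_bytes(16)
        self.plain = [secrets.token_hex(5) for _ in range(count)]   # shown to the user once, then discarded
        self._hashes = {self._hash(c) for c in self.plain}

    def _hash(self, code):
        return hashlib.sha256(self.salt + code.encode()).hexdigest()

    def redeem(self, code):
        h = self._hash(code.strip().lower())
        if h in self._hashes:
            self._hashes.remove(h)                             # single use: a replayed code fails
            return True
        return False
```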

Method 2: Email Code

This method sends a unique one-time code to the user’s email address on every login. No app installation required.

Go to WP Ghost > 2FA Login > Settings, select Email Code, and click Save. Click Add Two-Factor Authentication and enter the email address where codes should be sent. Click Submit. Generate and download your backup codes.

Important: this method depends on your site’s ability to send emails reliably. Use an SMTP plugin like WP Mail SMTP, FluentSMTP, or Easy WP SMTP to make sure codes are delivered. Without SMTP, codes may land in spam or never arrive. Always generate backup codes as a safety net.

Method 3: Passkey (Face ID, Touch ID, Windows Hello)

Passkeys are the most secure method. They use your device’s built-in biometric authentication, so there are no codes to type and no emails to wait for. Passkeys are phishing-resistant by design: the cryptographic challenge is bound to your specific domain, so a fake login page cannot intercept the authentication.

Go to WP Ghost > 2FA Login > Settings, select Passkey, and click Save. Click Add Two-Factor Authentication, then click Add Passkey. Your browser or device will prompt you to create a passkey using Face ID, Touch ID, Windows Hello, a fingerprint reader, or a hardware security key. Confirm the prompt. You can register multiple passkeys from different devices, like your laptop fingerprint reader and your phone’s Face ID, so you always have a backup.

For the complete passkey guide including device compatibility and troubleshooting, see the Setting Up 2FA with Mobile Apps tutorial. For the full 2FA configuration guide covering all methods and shared settings, see the Two-Factor Authentication tutorial.
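The domain binding described above is enforced by the relying party, not the browser alone; this added example (not WP Ghost's or WordPress's code) shows the checks a server makes on a passkey assertion's clientDataJSON and authenticatorData before it even looks at the signature, using a constructed challenge and a constructed lookalike origin. Signature verification over authenticatorData and the clientDataJSON hash is not shown.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_client_data(client_data_b64url, expected_challenge, expected_origin):
    """The browser fills in origin and challenge itself, so a page on another origin cannot forge ours."""
    data = json.loads(b64url_decode(client_data_b64url))
    if data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if not hmac.compare_digest(data.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replay or stale request)"
    if data.get("origin") != expected_origin:
        return False, "origin mismatch: %r" % data.get("origin")
    return True, "ok"

def check_authenticator_data(auth_data, rp_id, require_user_verification=True):
    """rpIdHash must equal SHA-256(rpId); the flags byte must show user presence (UP) and verification (UV)."""
    if len(auth_data) < 37:                       # rpIdHash(32) + flags(1) + signCount(4)
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match our relying-party ID"
    flags = auth_data[32]
    if not flags & 0x01:
        return False, "user presence flag not set"
    if require_user_verification and not flags & 0x04:
        return False, "user verification flag not set"
    return True, "ok"

def make_client_data(challenge, origin):
    # constructed helper that builds clientDataJSON the way a browser would, for the sample below
    raw = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

RP_ID = "example.com"                              # assumed relying-party ID
ORIGIN = "https://example.com"
CHALLENGE = "constructed-challenge-abc123"        # per-login random value in practice

genuine = make_client_data(CHALLENGE, ORIGIN)
forged = make_client_data(CHALLENGE, "https://login-example.com")   # constructed lookalike origin
good_auth = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x05]) + b"\x00\x00\x00\x00"
```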

After Setup: Test and Monitor

Before logging out, test your 2FA by opening a private browser window and logging in there. Verify that the second factor prompt appears and that your code, email, or passkey works correctly. Once confirmed, log out of your main session.

Monitor all 2FA login attempts from WP Ghost > 2FA Login > 2FA Logins. The monitor shows the user’s email, timestamp, success or failure status, and which 2FA method was used. Check this regularly. Repeated failed attempts from the same account may indicate a targeted attack.
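The "repeated failed attempts" check can be automated over an export of the monitor; this added example (not part of WP Ghost) runs two detections over constructed sample lines in the monitor's shape (email, timestamp, status, method): a burst of failures inside a time window, and a success that directly follows such a burst, which is worth confirming with the user. Field order, thresholds and the window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# constructed sample in the shape of the 2FA Logins monitor: email, timestamp, status, method
SAMPLE_LOG = """\
alice@example.com,2024-05-01T09:00:05,failure,2fa_code
alice@example.com,2024-05-01T09:00:41,failure,2fa_code
alice@example.com,2024-05-01T09:01:12,failure,email_code
alice@example.com,2024-05-01T09:01:50,failure,2fa_code
bob@example.com,2024-05-01T09:02:00,success,passkey
carol@example.com,2024-05-01T09:05:00,failure,2fa_code
carol@example.com,2024-05-01T11:30:00,failure,2fa_code
alice@example.com,2024-05-01T09:02:30,failure,2fa_code
alice@example.com,2024-05-01T09:03:00,success,2fa_code
"""

def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        email, ts, status, method = line.split(",")
        rows.append((email.lower(), datetime.fromisoformat(ts), status, method))
    return sorted(rows, key=lambda r: r[1])          # the export is not guaranteed to be ordered

def flag_repeated_failures(rows, threshold=5, window=timedelta(minutes=10)):
    """Accounts with `threshold` or more failed second-factor attempts inside a sliding `window`."""
    failures = defaultdict(list)
    flagged = {}
    for email, ts, status, _method in rows:
        if status != "failure":
            continue
        recent = [t for t in failures[email] if ts - t <= window] + [ts]
        failures[email] = recent
        if len(recent) >= threshold and email not in flagged:
            flagged[email] = (recent[0], ts)         # first and last failure of the burst
    return flagged

def success_after_failures(rows, min_failures=3, window=timedelta(minutes=10)):
    """A success right after a burst of failures: either the user fumbled, or the password was already known."""
    hits = []
    recent = defaultdict(list)
    for email, ts, status, _method in rows:
        recent[email] = [t for t in recent[email] if ts - t <= window]
        if status == "failure":
            recent[email].append(ts)
        elif len(recent[email]) >= min_failures:
            hits.append((email, ts))
            recent[email] = []
    return hits
```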

Frequently Asked Questions

Which 2FA method should I choose?

Passkey is the most secure and fastest. It is phishing-resistant and requires just a single biometric gesture. Authenticator app codes are the most widely compatible and do not depend on email delivery. Email codes require no app installation but depend on reliable email. If you are unsure, start with authenticator app codes or enable User Choice so each person picks their own method.

What are backup codes and do I really need them?

Yes. Backup codes are one-time-use recovery codes that let you log in if you lose your authenticator app, your email is down, or your passkey device is unavailable. Generate them during setup and store them in a secure place. Without backup codes, losing your second factor means getting locked out. If that happens, see the emergency disable guide for recovery options.

Is 2FA free in WP Ghost?

Yes. All three 2FA methods, including passkeys with Face ID, Touch ID, and Windows Hello, are included in the free version of WP Ghost. No premium upgrade is required for any 2FA functionality.

Does 2FA work with WooCommerce login?

2FA applies to the standard WordPress login form. If WooCommerce relies on the standard WordPress login (its default configuration), 2FA protects WooCommerce logins automatically. WP Ghost is fully compatible with WooCommerce.

Does WP Ghost modify WordPress core files?

No. 2FA is implemented through WordPress hooks, filters, and the WebAuthn JavaScript API (for passkeys). No core files are modified. Disabling 2FA removes the second-factor requirement instantly.