Two-Factor Authentication
This tutorial has moved to the new WP Ghost Knowledge Base where each feature is presented in detail.
Add two-factor authentication to your WordPress login with WP Ghost (formerly Hide My WP Ghost) using an authenticator app, email code, or passkey (Face ID, Touch ID, Windows Hello). 2FA is free in all versions of WP Ghost.
A stolen password is all it takes. Research shows that 8% of WordPress sites are hacked due to weak or stolen passwords. Brute force attacks surged 130% in 2024 according to LLAR’s 2025 report. Even with brute force protection limiting login attempts, a leaked password from another breach can succeed on the first try.
Two-Factor Authentication (2FA) closes this gap. It requires a second verification step after the password, so a stolen password alone cannot grant access. WP Ghost supports three methods: authenticator app codes, email codes, and passkeys (biometric/hardware authentication). All three are free.
This tutorial covers the full WP Ghost > 2FA Login panel: activation, method selection, per-method setup, shared settings, and login monitoring.
Why 2FA Is Essential
Passwords alone are no longer sufficient. Even strong, unique passwords can be compromised through data breaches on other services, phishing attacks, or malware. 2FA adds a second layer that is independent of the password itself.
| Without 2FA | With WP Ghost 2FA |
|---|---|
| Stolen password grants full access | Password alone is useless without the second factor |
| Phishing attack captures credentials | Passkey method is immune to phishing by design |
| Brute force can succeed with a lucky guess | Second factor blocks access even after correct password |
| No visibility into login activity | 2FA Logins monitor tracks all authentication attempts |
How to Enable 2FA in WP Ghost
Activate the 2FA Feature
Go to WP Ghost > Overview > Features and switch on 2FA. Click Start Feature Setup to open the 2FA settings.

Once activated, the 2FA panel is available at WP Ghost > 2FA Login in the main menu.
Go to WP Ghost > 2FA Login > Settings and switch on Use 2FA Authentication.

Choose a 2FA Method
WP Ghost offers three 2FA methods. You can enforce a single method for all users, or enable User Choice so each user picks their preferred method from their profile.
2FA Code – a one-time code generated by an authenticator app (Google Authenticator, Authy, Microsoft Authenticator, or LastPass Authenticator). The code rotates every 30 seconds. Best for teams who are comfortable with authenticator apps.
Email Code – a one-time code sent to the user’s email address on each login. No app installation required. Depends on reliable email delivery from your WordPress site. Use an SMTP plugin like WP Mail SMTP to ensure codes are delivered.
Passkey – your device’s built-in security (Face ID, Touch ID, Windows Hello, Android biometrics, or a hardware security key like YubiKey) verifies your identity. No codes to type, no emails to wait for. One tap or glance and you are in. This is the most secure option because passkeys are phishing-resistant by design.

Configure Shared Settings
These settings apply to all 2FA methods. Find them at WP Ghost > 2FA Login > Settings.
Max Fail Attempts – how many times a user can enter an incorrect 2FA code before their IP is blocked. Default: 5.
Ban Duration – how long (in seconds) the IP is blocked after exceeding the max fail attempts. Default: 900 (15 minutes).
Failed Attempts Message – an alert shown to users when failed 2FA attempts have occurred on their account. Uses {count} for the number of failed attempts and {time} for the time elapsed since the last failure.
Lockout Message – the message shown instead of the login form when a user is locked out. Uses {time} for the remaining lockout duration.
Delete 2FA Data on Plugin Uninstall – removes all 2FA configuration and user data when WP Ghost is uninstalled.
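The following is an added example, not WP Ghost's own code: a minimal fail counter that applies the defaults above (5 attempts, 900-second ban) and fills the {count} and {time} placeholders. The IP address, timestamps and message templates are constructed; the real plugin bans by IP and alerts per account, while this sketch keys both by one value for brevity.

```python
from dataclasses import dataclass

# Defaults from the shared settings described above.
MAX_FAIL_ATTEMPTS = 5
BAN_DURATION = 900  # seconds (15 minutes)
# Constructed message templates using the tutorial's {count} and {time} placeholders.
FAILED_ATTEMPTS_MESSAGE = "Failed 2FA attempts on your account: {count} (last one {time} seconds ago)."
LOCKOUT_MESSAGE = "Too many failed 2FA attempts. Try again in {time} seconds."


@dataclass
class FailState:
    count: int = 0
    last_failure: float = 0.0
    banned_until: float = 0.0


class TwoFactorLockout:
    """Fail counter with a fixed-length ban, keyed by client IP as the tutorial's ban is.
    The per-account alert is keyed the same way here to keep the example short."""

    def __init__(self, max_fail: int = MAX_FAIL_ATTEMPTS, ban_duration: int = BAN_DURATION):
        self.max_fail = max_fail
        self.ban_duration = ban_duration
        self.state: dict[str, FailState] = {}

    def is_locked(self, ip: str, now: float) -> bool:
        st = self.state.get(ip)
        return st is not None and now < st.banned_until

    def record_failure(self, ip: str, now: float) -> int:
        """Count a wrong 2FA code; start a ban when the limit is reached."""
        st = self.state.setdefault(ip, FailState())
        if st.banned_until and now >= st.banned_until:
            st.count = 0  # an expired ban starts a fresh counting window
        st.count += 1
        st.last_failure = now
        if st.count >= self.max_fail:
            st.banned_until = now + self.ban_duration
        return st.count

    def record_success(self, ip: str) -> None:
        self.state.pop(ip, None)  # a correct code clears the counter

    def lockout_message(self, ip: str, now: float) -> str:
        remaining = max(0, int(self.state[ip].banned_until - now))
        return LOCKOUT_MESSAGE.format(time=remaining)

    def failed_attempts_message(self, ip: str, now: float):
        st = self.state.get(ip)
        if st is None or st.count == 0:
            return None
        return FAILED_ATTEMPTS_MESSAGE.format(count=st.count, time=int(now - st.last_failure))
```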
2FA Code Method (Authenticator App)
The authenticator app generates a rotating one-time code that changes every 30 seconds. Users enter the current code on the login page after their password.
Set Up 2FA Code
In WP Ghost > 2FA Login > Settings, select 2FA Code and click Save. Then click Add Two-Factor Authentication.

You will be taken to your User Profile where a QR code is displayed. Open your authenticator app and scan the QR code. If your app only supports manual entry, use the text version shown in Step 2 of the setup screen.

After scanning, the app starts generating rotating codes. Enter the current code in the verification field and click Submit.

Once verified, every login will require the current code from your authenticator app after your password.

For detailed app-specific setup guides, see: Google Authenticator, Authy, Microsoft Authenticator, LastPass Authenticator.
Generate Backup Codes
After setup, generate backup codes immediately. These one-time-use recovery codes are your safety net if you lose access to your authenticator app. Click Generate Backup Codes, then Download Codes to save them. Store them in a password manager or a secure printed location. Click Finalize to complete the process.

If you need to re-sync your authenticator app or start over, use the Reset Key option in your User Profile.
2FA Email Code Method
A unique one-time code is sent to the user’s email address on each login. No app installation required. The user enters the code on the login page to complete authentication.
Set Up 2FA Email Code
In WP Ghost > 2FA Login > Settings, select Email Code and click Save. Then click Add Two-Factor Authentication.

You will be taken to your User Profile where you enter the email address for receiving authentication codes. Click Submit to complete the setup.

Once configured, a unique code is sent to your email on every login attempt. Enter the code on the login page to confirm your identity.

After setup, generate backup codes the same way as the Code method. Click Generate Backup Codes, download them, and click Finalize. To change the email address later, use the Reset Email Address option in your User Profile.
2FA Passkey Method
Passkeys use your device’s built-in security to verify your identity. After entering your password, your device prompts you to authenticate with Face ID, Touch ID, Windows Hello, Android biometrics, or a hardware security key. One tap or glance and you are in. The entire second factor takes under 2 seconds.
Passkeys are the most secure 2FA option because they are phishing-resistant by design. The cryptographic challenge is bound to the specific domain, so your device will not authenticate against a fake login page even if it looks identical to yours. No shared secret is ever transmitted.
Set Up Passkey 2FA
In WP Ghost > 2FA Login > Settings, select Passkey and click Save. Then click Add Two-Factor Authentication.
You will be taken to your User Profile. Click Add Passkey. Your browser prompts you to create a passkey using Face ID, Touch ID, Windows Hello, or your device’s preferred authentication method. Confirm the prompt to complete setup.
You can add multiple passkeys from different devices. For example, register your laptop’s fingerprint reader and your phone’s Face ID. If one device is unavailable, the other still works.
Passkeys are supported on all major platforms: iPhone and iPad (Face ID, Touch ID), Android (fingerprint, face unlock), macOS (Touch ID), Windows (Windows Hello), Chrome, Safari, Firefox, Edge, and hardware keys like YubiKey. Password managers like 1Password, Bitwarden, and Dashlane can sync passkeys across devices.
For the full deep dive into passkey authentication, see the Passkey 2FA in WP Ghost tutorial.
Monitor 2FA Logins
Track all 2FA authentication attempts from WP Ghost > 2FA Login > 2FA Logins.

The monitor shows the user’s email, the timestamp of the last access, whether the attempt succeeded or failed, and which 2FA method was used. Check this regularly to identify unusual activity. Repeated failed attempts from the same account may indicate a targeted attack.
Troubleshooting
2FA Code from Authenticator App Is Not Accepted
The most common cause is a time sync issue between your device and the server. Authenticator codes are time-based: the app and the server each compute the code from the shared secret and the current 30-second time step, so if your device's clock is off by more than 30 seconds, the codes it shows will be invalid. On your phone, enable automatic time sync in your system settings. If the problem persists, use the Reset Key option in your User Profile and re-scan the QR code.
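To make the 2FA Code method and this troubleshooting point concrete, here is an added example (not WP Ghost's code) of the RFC 6238 time-based code that both the authenticator app and the server compute, plus a server-side check that tolerates one neighbouring 30-second step but rejects a clock that drifts further. The base32 secret (the form shown as the QR code's text version), the timestamps and the drift values are constructed; the tolerance window WP Ghost itself applies is not stated on this page.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the 30-second rotation the tutorial describes
DIGITS = 6

# Constructed sample secret in the base32 form shown as the QR code's "text version".
SAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def totp_code(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, server_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current step and +/- skew_steps neighbours.
    Comparison is constant-time so a wrong code cannot be told apart by timing."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp_code(secret_b32, server_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def phone_code_with_drift(secret_b32: str, server_time: int, drift_seconds: int) -> str:
    """The code a phone displays when its clock is drift_seconds off from the server."""
    return totp_code(secret_b32, server_time + drift_seconds)


def drift_outcomes(secret_b32: str, server_time: int, skew_steps: int = 1) -> dict:
    """Which clock drifts still log in: a small drift passes, a large one is rejected."""
    return {
        drift: verify_totp(secret_b32, phone_code_with_drift(secret_b32, server_time, drift),
                           server_time, skew_steps)
        for drift in (0, 20, 90, -90)
    }


if __name__ == "__main__":
    print(drift_outcomes(SAMPLE_SECRET_B32, 1_700_000_000))
```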
Email Code Is Not Arriving
This usually means your WordPress site is not sending emails reliably. Install and configure an SMTP plugin such as WP Mail SMTP, and check your spam and junk folders. If you are locked out, use a backup code to log in, then fix email delivery.
Locked Out and Cannot Access 2FA
Use a backup code. If you did not generate backup codes, check the emergency disable guide, use the rollback settings, or add a constant in wp-config.php to disable WP Ghost temporarily. This removes the 2FA requirement so you can log in and reconfigure.
Passkey Not Working on a New Device
Passkeys are device-specific. A passkey created on your laptop does not automatically work on your phone unless you use a password manager that syncs passkeys (1Password, Bitwarden, iCloud Keychain). Add a separate passkey from each device you use, or use a syncing password manager. If you cannot authenticate on any device, use a backup code and register a new passkey from the authenticated session.
Frequently Asked Questions
Which 2FA method should I use?
Passkey is the most secure because it is phishing-resistant and the fastest to use. 2FA Code (authenticator app) is the most widely compatible and does not depend on email delivery. Email Code requires no app installation but depends on reliable email delivery. If you are unsure, start with 2FA Code or enable User Choice to let each person decide.
What are backup codes and why are they important?
Backup codes are one-time-use recovery codes that let you log in if you lose access to your authenticator app, email, or passkey device. Generate and download them during 2FA setup. Store them in a password manager or a secure printed location. Each code can only be used once.
Is 2FA free in WP Ghost?
Yes. All three 2FA methods (Code, Email, Passkey) are included in the free version of WP Ghost with no limitations.
Does 2FA work with WooCommerce?
2FA applies to the WordPress login form. If WooCommerce uses the standard WordPress login (which is the default), 2FA protects it. WP Ghost is fully compatible with WooCommerce.
Can I translate 2FA messages?
Yes. When WPML or Polylang is active, 2FA messages and button labels can be translated from the string translation panel in your translation plugin.
Does WP Ghost modify WordPress core files?
No. 2FA is added through WordPress hooks and filters. No core files are modified. Disabling the 2FA feature removes all 2FA requirements instantly.
Related Tutorials
Complete your login security system:
Setting Up 2FA with Mobile Apps – step-by-step guides for Google Authenticator, Authy, Microsoft Authenticator, and LastPass.
Passkey 2FA in WP Ghost – deep dive into passkey authentication with Face ID, Touch ID, and Windows Hello.
Temporary Logins – passwordless time-limited URLs for developers and clients.
Brute Force Attack Protection – protect login forms with reCAPTCHA and attempt limits.
Change and Hide the Login Path – move your login page to a custom URL.
Activate Security Tweaks – login page design and redirect configuration.
Website Security Check – run a complete security audit.