Two Factor Authentication
Secure WordPress login with this two factor authentication (TFA / 2FA) plugin. Users for whom it is enabled will require a one-time code in order to log in. From the authors of UpdraftPlus – WP’s #1 backup/restore plugin, with over two million active installs. Are you completely new to TFA? If so, please see our FAQ. Features (please see the “Screenshots” for more information): Supports standard TOTP + HOTP protocols (and so supports Google Authenticator, Authy, and many others). Displays graphical QR codes for easy scanning into apps on your phone/tablet TFA can be made available on a per-role basis (e.g. available for admins, but not for subscribers) TFA can be turned on or off by each user TFA can be required for specified user levels, after a defined time period (e.g. require all admins to have TFA, once their accounts are a week old) (Premium version), including forcing them to immediately set up (by redirecting them to the page to do so) Supports front-end editing of settings, via [twofactor_user_settings] shortcode (i.e. users don’t need access to the WP dashboard). (The Premium version allows custom designing of any layout you wish). Site owners can allow “trusted devices” on which TFA codes are only asked for a chosen number of days (instead of every login); e.g. 30 days (Premium version) Encrypt the TFA-generating secret keys using an on-disk encryption key, so that an attacker would need to break into both your WordPress database and your files in order to break TFA codes (as well as breaking a user’s password in order to use them) Works together with “Theme My Login” (both forms and widgets) Includes support for the WooCommerce and Affiliates-WP login forms Includes support for Ultimate Membership Pro Includes support for CozmosLabs Profile Builder Includes support for Ultimate Member login forms (Premium version) Includes support for Elementor Pro login forms (Premium version) Includes support for bbPress login forms (Premium version) Includes support for Easy Digital Downloads login forms (Premium version) Includes support for RegistrationMagic login forms (Premium version) Includes support for login forms from the Gravity Forms User Registration add-on (Premium version) Includes support for login forms (shortcode forms only) from Paid Memberships Pro (Premium version) Includes support for any and every third-party login form (Premium version) without any further coding needed via appending your TFA code to the end of your password Does not mention or request second factor until the user has been identified as one with TFA enabled (i.e. nothing is shown to users who do not have it enabled) WP Multisite compatible (plugin should be network activated) Simplified user interface and code base for ease of use and performance Added a number of extra security checks to the original forked code Alert users if someone appears to have found out their password, as indicated by successfully entering a password but repeatedly entering an incorrect TFA code. Emergency codes for when you lose your phone/tablet (Premium version) When using the front-end shortcode (Premium version), require the user to enter the current TFA code correctly to be able to activate TFA Works together with “WP Members” (shortcode form) Administrators can access other users’ codes, and turn them on/off when needed (Premium version) Why use TFA / 2FA ? Read this! https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/ How Does TFA / 2FA Work? This plugin uses the industry standard TFA / 2FA algorithm TOTP or HOTP for creating One Time Passwords. These are used by Google Authenticator, Authy, and many other OTP applications that you can deploy on your phone etc. A TOTP code is valid for a certain time. Whatever program you use (i.e. Google Authenticator, etc.) will show a different code every so often. Plugin Notes This plugin began life in early 2015 as a friendly fork and enhancement of Oscar Hane’s “two factor auth” plugin.
Top keywords
- tfa16×2.47%
- premium14×2.16%
- premium version14×2.16%
- version14×2.16%
- login12×1.85%
- forms11×1.69%
- includes11×1.69%
- includes support11×1.69%
- support11×1.69%
- code8×1.23%
- login forms8×1.23%
- user8×1.23%
Shield Security – Smart Bot Blocking, Brute-Force Login Protection & File Scanning
Most security plugins hand you a dashboard full of alerts and expect you to know what to do next. Shield works differently. It blocks threats automatically, repairs what it can on its own, and then shows you exactly what still needs your attention — ranked by impact, not volume. Less noise. More action. 🤖 Security That Runs Itself The most powerful thing Shield does is what it handles without you: Automatic IP Blocking — every visitor is quietly scored as they interact with your site. Failed logins, firewall blocks, silentCAPTCHA failures, and other signals accumulate into a reputation score. When a visitor’s score crosses the threshold, Shield blocks them — automatically, without you lifting a finger Automatic File Repair — when a file integrity scan finds a changed WordPress core file, Shield pulls the original from WordPress.org and restores it. Detected and fixed, without waiting for you to act Automatic Bot Recognition — Shield identifies legitimate crawlers (Google, Bing, DuckDuckGo, Yandex, Apple) and known services (ManageWP, Pingdom, Stripe, CloudFlare) and never blocks them. Your SEO and monitoring tools keep working 🧭 Guided Security, Not Just a Dashboard Shield organises your security into four focused areas so you always know where to look: Queue — things that need your attention, ranked by priority. Not everything at once — just what matters right now Investigate — dig into blocked IPs, security events, and the specific signals that triggered each one Configure — guided setup for each protection area, with clear recommendations matched to your site Reports — a clear view of what Shield has blocked, detected, and repaired over time The goal: guide you quickly towards action, not bury you in data. 🛡️ Free Protection Bot Blocking & Firewall silentCAPTCHA — blocks bad bots on login, registration, lost password, and comment forms using passive signals invisible to real visitors. No CAPTCHA keys. No external requests. No JavaScript that breaks your forms. Everything runs on your server (GDPR friendly). Firewall rules blocking common WordPress attack patterns — SQL injection probes, known exploit signatures, suspicious request parameters XML-RPC protection — disable or restrict entirely, including pingbacks and trackbacks REST API firewall — block unauthenticated requests Fake crawler detection — identifies bots spoofing legitimate search engines Login & Account Security Two-factor authentication (2FA) — email codes, Google Authenticator, or YubiKey OTP for all users Brute force protection with configurable login attempt limits and cooldown Session locking — tie sessions to a browser or IP to stop account theft after a successful login User enumeration blocking — closes off ?author= probes used to harvest usernames before an attack Scanning & Integrity Core file scanning — compares WordPress core against official checksums and repairs changed files automatically Suspicious PHP detection — flags PHP files in locations where they have no business being Abandoned plugin detection — identifies unmaintained plugins most likely to carry unpatched vulnerabilities Visibility & Control Security Admin PIN — lock Shield’s own settings so other administrators cannot quietly weaken your configuration Security activity log — logins, user changes, plugin and theme events, post edits, and suspicious requests: Everything in one clear view IP Rules — automatic & manual block and bypass rules, CIDR range support, full per-IP request history 🤝 CrowdSec Integration Shield is the only WordPress security plugin with a native CrowdSec integration. CrowdSec aggregates threat signals from millions of sites into a shared IP reputation network — your site blocks known attackers before they ever probe you, using intelligence far beyond your own traffic history. ✨ ShieldPRO Passkeys — phishing-resistant, passwordless login for users Backup login codes — emergency 2FA access when a device is lost AI-based malware scanner — detects known and unknown PHP malware Plugin & theme file scanning — compares installed files against WordPress.org originals, flagging unauthorised changes Vulnerability scanning — active checks across all installed plugins and themes Broader spam protection — WooCommerce, EDD, Contact Form 7, Ninja Forms, Elementor, and more Traffic rate limiting — cap request rates per IP to absorb high-volume bot floods User suspension — manual or automatic suspension of idle accounts MainWP integration White Label — rename and rebrand Shield for client sites Who It’s For Shield suits site owners, agencies, and MSPs who want protection that runs itself — not a plugin that demands constant attention to be useful. If you have been burned by security plugins that generate more noise than protection, or dashboards that tell you everything is wrong without telling you what to fix, Shield was built to be the alternative.