Skip to content

Two-Factor Authentication (2FA)

Two-Factor Authentication (2FA) (PRO) adds a second login step for selected roles - extra proof beyond the password via email code and/or an authenticator app.

  • Enforce 2FA for selected roles after password authentication.
  • Methods: Email code (8-digit) and/or Authenticator app (TOTP).
  • Users configure methods, backup codes, and defaults on their profile.
  • Email code validity, Wrong code limit, optional Profile setup grace period, optional Remember this browser.
  • Optional: require application passwords for REST/XML-RPC when the user is in an enforced role (unavailable if Disable Application Passwords is on).
  • Users list shows a 2FA status column; privacy export/erase supported.
  • Disables its login enforcement if the standalone “Two-Factor” plugin is active (conflict notice).

Enable it if:

  • Administrators or shop managers need stronger login security.
  • You can deliver email codes reliably (or users will use authenticator apps).
  • You want role-based enforcement rather than optional-only 2FA.
  • Select roles to apply Two Factor Authentication to
  • 2FA methods - Email code, Authenticator app (at least one)
  • Email code validity (5-60 minutes options)
  • Wrong code limit
  • Profile setup grace period
  • Remember this browser
  • REST / XML-RPC - require application passwords for enforced roles (when available)
  1. Go to WP PowerSuite -> Modules -> Security.
  2. Toggle Two-Factor Authentication (2FA) on (PRO license required).
  3. Select roles and methods, save.
  4. Have each enforced user open their profile to confirm email and/or set up an authenticator app and save backup codes.
  • Enforce 2FA for a test role, assign a test user, enable email method.
  • Log out, log in with that user.
  • ✅ Pass: after password, the 2FA screen asks for a verification code; correct code completes login.
  • Set up authenticator on the profile and verify a TOTP login path.
  • ✅ Pass: app code works; backup code works once.
  • ❌ Fail: check role selection, method enabled, mail delivery, and standalone Two-Factor plugin conflict notice.
  • No code email. Fix wp_mail/SMTP; use authenticator method as fallback.
  • Standalone Two-Factor plugin notice. Deactivate that plugin or disable this module.
  • REST clients fail for enforced roles. Configure application passwords (and do not enable Disable Application Passwords), or adjust the REST/XML-RPC setting.
  • Grace period lockout. Extend grace period or complete profile setup before it expires.
What does Two-Factor Authentication do?

It requires selected roles to enter an email or authenticator code after their password at login.

Is Two-Factor Authentication free?

No. It is a PRO module and requires an active license.

Where do users set up authenticator apps?

On their WordPress profile under Two-Factor Authentication, including backup codes.

What if the standalone Two-Factor plugin is installed?

PowerSuite shows a conflict notice and does not run its login enforcement until that plugin is deactivated.

How do I turn Two-Factor Authentication off?

Go to WP PowerSuite -> Modules, find Two-Factor Authentication (2FA), and toggle it off.

Developer notes (hooks & filters)

Source: modules/two-factor-authentication/module.php (+ user-profile.php). Boot: standard · context: both.

Notable hooks: authenticate, login_form_wpps_2fa, login_init, AJAX wpps_2fa_login / wpps_2fa_verify / wpps_2fa_resend, wpps_2fa_session_ttl, wpps_2fa_max_verify_attempts, privacy exporters/erasers.