Two-Factor Authentication (2FA)
Two-Factor Authentication (2FA) (PRO) adds a second login step for selected roles - extra proof beyond the password via email code and/or an authenticator app.
What it does
Section titled “What it does”- Enforce 2FA for selected roles after password authentication.
- Methods: Email code (8-digit) and/or Authenticator app (TOTP).
- Users configure methods, backup codes, and defaults on their profile.
- Email code validity, Wrong code limit, optional Profile setup grace period, optional Remember this browser.
- Optional: require application passwords for REST/XML-RPC when the user is in an enforced role (unavailable if Disable Application Passwords is on).
- Users list shows a 2FA status column; privacy export/erase supported.
- Disables its login enforcement if the standalone “Two-Factor” plugin is active (conflict notice).
When to use it
Section titled “When to use it”Enable it if:
- Administrators or shop managers need stronger login security.
- You can deliver email codes reliably (or users will use authenticator apps).
- You want role-based enforcement rather than optional-only 2FA.
When not to use it
Section titled “When not to use it”Settings
Section titled “Settings”- Select roles to apply Two Factor Authentication to
- 2FA methods - Email code, Authenticator app (at least one)
- Email code validity (5-60 minutes options)
- Wrong code limit
- Profile setup grace period
- Remember this browser
- REST / XML-RPC - require application passwords for enforced roles (when available)
How to enable it
Section titled “How to enable it”- Go to WP PowerSuite -> Modules -> Security.
- Toggle Two-Factor Authentication (2FA) on (PRO license required).
- Select roles and methods, save.
- Have each enforced user open their profile to confirm email and/or set up an authenticator app and save backup codes.
How to test it
Section titled “How to test it”- Enforce 2FA for a test role, assign a test user, enable email method.
- Log out, log in with that user.
- ✅ Pass: after password, the 2FA screen asks for a verification code; correct code completes login.
- Set up authenticator on the profile and verify a TOTP login path.
- ✅ Pass: app code works; backup code works once.
- ❌ Fail: check role selection, method enabled, mail delivery, and standalone Two-Factor plugin conflict notice.
Troubleshooting
Section titled “Troubleshooting”- No code email. Fix wp_mail/SMTP; use authenticator method as fallback.
- Standalone Two-Factor plugin notice. Deactivate that plugin or disable this module.
- REST clients fail for enforced roles. Configure application passwords (and do not enable Disable Application Passwords), or adjust the REST/XML-RPC setting.
- Grace period lockout. Extend grace period or complete profile setup before it expires.
What does Two-Factor Authentication do?
It requires selected roles to enter an email or authenticator code after their password at login.
Is Two-Factor Authentication free?
No. It is a PRO module and requires an active license.
Where do users set up authenticator apps?
On their WordPress profile under Two-Factor Authentication, including backup codes.
What if the standalone Two-Factor plugin is installed?
PowerSuite shows a conflict notice and does not run its login enforcement until that plugin is deactivated.
How do I turn Two-Factor Authentication off?
Go to WP PowerSuite -> Modules, find Two-Factor Authentication (2FA), and toggle it off.
Developer notes (hooks & filters)
Source: modules/two-factor-authentication/module.php (+ user-profile.php).
Boot: standard · context: both.
Notable hooks: authenticate, login_form_wpps_2fa, login_init, AJAX wpps_2fa_login / wpps_2fa_verify / wpps_2fa_resend, wpps_2fa_session_ttl, wpps_2fa_max_verify_attempts, privacy exporters/erasers.