Two-factor authentication (2FA) is a security solution that can be used for protecting your website log-in. It works by requiring a code to be entered after the initial entry of login credentials. This helps prevent weak or exploited passwords from being used to gain access.
WordPress has many plugins that can provide 2FA. This article compares four different plugins that provide a variety of features:
- WP 2FA by WP White Security
- Two Factor Authentication by David Anderson, original plugin by Oskar Hane, and enhanced by Dee Nutbourne (from the authors of UpdraftPlus)
- Wordfence Login Security by Wordfence
- miniOrange Google Authenticator by miniOrange
We have tested only the free versions of these plugins. The table below compares some of the main features found in 2FA plugins.
2FA Plugins Comparison Video
Table of Plugin Features
|Wizard Setup||TOTP and HOTP support||Grace period for setup||Backup codes||Custom Form Support||Premium|
|WP 2FA||Yes||TOTP and HOTP (via email)||Yes||Yes||Yes||Yes|
|Two Factor Authentication (from the makers of UpdraftPlus)||No||TOTP and HOTP (NOT by email)||No||Yes (Premium)||Yes (Premium)||Yes|
|Wordfence Login||No||TOTP only||Yes||Yes||No||No (full security plugin)|
|miniOrange Google Authenticator||Yes||TOTP and HOTP (email or SMS)||Yes||Yes||Yes||Yes|
All of these plugins provide 2FA, but their differences are mainly in their features and the way they are set up. These plugins can meet the needs of a simple WordPress site and accommodate bigger sites like eCommerce sites.
Comparing the Plugins
The wizard provides easy step-by-step instructions to set up 2FA.
You will immediately notice the difference between using a wizard when setting up these plugins. The initial setup may be confusing to a novice user of 2FA. A wizard guides you through the setup for WP 2FA and the miniOrange Google Authenticator. This gives a person unfamiliar with 2FA a way to configure it quickly.
TOTP and HOTP Support
Time-based One-time Password (TOTP) and Hash-based One-time Password (HOTP) are used for authenticating logins. TOTP requires an authenticator, and HOTP can be used with an authenticator or over email or through SMS.
All of these plugins support TOTP for authenticating users. This is typically done with an application like Google Authenticator. HOTP (Hash-based One-Time Password) is not supported by Wordfence. And only WP 2FA and miniOrange Google Authenticator support authenticating over email.
Since email access can be an additional weak point exploited by hackers, it is often recommended not to use email-based authentication. miniOrange is the only plugin that can also support multiple-factor authentication (MFA) with hardware keys. If you wish to use email authentication, we would recommend that it also include a hardware key for authentication through their premium upgrade.
Grace Period for Setup
This is a period allowed by an administrator for users to set up their 2FA configuration. It can be set in hours or days. During that period, users are not required to use 2FA. After the period has expired, users will not be able to log in without 2FA.
The use of 2FA should not be a burden on your users. Allowing them a grace period should be considered as it allows users time to learn about the security solution and adapt to its use.
The grace period feature is only excluded from the Two Factor Authentication (from the makers of UpdraftPlugs).
These codes allow users to get in through 2FA in case their authenticator is not with them or if it’s been lost.
Only Two Factor Authentication (from the makers of UpdraftPlus) leaves out the option to have backup codes. Two Factor Authentication provides backup options after a premium upgrade.
Custom Form Support
Many plugins and add-ons change the normal WordPress login. Three of the four reviewed plugins provide support for these custom login forms.
miniOrange Google Authenticator’s free version includes many custom login forms. The Two Factor Authentication (from the makers of UpdraftPlus) also provides support for custom logins, but more forms would be available after upgrading to the premium version. WP 2FA refers to these custom logins as providing compatibility with third-party plugins.
Only the Wordfence plugin does not support custom login forms.
Most of the plugins in this review has premium upgrades that can be purchased for a price. The premium versions add features and functionality to the plugin.
The only plugin that does not bombard you with upgrade options is Wordfence Login Security. If you want to upgrade their security options, you need to use the full Wordfence Login Security plugin.
miniOrange Google Authenticator only supported one user until recently. It’s up to three administrator users at this point. The premium package is important if you use this plugin for various user roles. It also has the most extensive upgrade options for using the plugin.
Two Factor Authentication (from the makers of UpdraftPlus) only provides backup codes and compulsory use of 2FA when you purchase the upgrade.
The WP 2FA plugin premium version adds many features, including authentication options, Whitelabel, trusted devices, technical support, and many other features. Its expansion rivals miniOrange and has a cheaper starting price of $29/year.
If the criteria for comparing these plugins are features and effective security for 2FA, then they would be ranked like this:
- miniOrange Google Authenticator
- WP 2FA
- Two Factor Authentication (from the makers of UpdraftPlus)
When you compare plugins for WordPress users, it often boils down to a few things: ease of use, feature set, and cost. The benefit of using 2FA will far outweigh the cost, but it’s also very important to choose the solution that works best for you.
If you’re a power user and have a large, complicated WordPress site with many users, then you may want to focus on WP 2FA and miniOrange Google Authenticator. They provide a wide variety of options for authentication that can support your various users. Additionally, they both are easy to configure with wizards for initial setup.
If you’re a simple WordPress user and want a plugin that provides straightforward 2FA use with minimal bells and whistles, then Wordfence may be your choice. It is free and mainly concentrates its features on protecting the WordPress login.
Two Factor Authentication (from the makers of UpdraftPlus) does provide 2FA and many of the features of the other plugins, but you would need to upgrade it to enforce 2FA use. Installing the free version only provides the option to use 2FA. If you’re experimenting with 2FA and plan to gradually improve your site’s functionality, you might consider this plugin, as it is not expensive to upgrade.
This plugin’s premium version has a starting price of $26/year.
These four two-factor authentication plugins for WordPress are all great solutions to provide 2FA. Deciding on the best solution will depend on your type of installation, your users, and your needs for adding 2FA to your WordPress site.