Two-factor authentication (2FA) is a security solution that can be used to protect your website login. It works by requiring a code to be entered after the initial entry of login credentials. This helps prevent weak or exploited passwords from being used to gain access.
WordPress has many plugins that can provide 2FA. This article compares four different plugins that provide a variety of features:
We have tested only the free versions of these plugins. The following table compares some of the main features found in 2FA plugins.
Plugin Features Table
All of these plugins provide 2FA, but their differences mainly lie in their features and the way they are configured. These plugins can meet the needs of a simple WordPress site and accommodate larger sites like eCommerce sites.
The wizard provides easy step-by-step instructions to set up 2FA.
You will immediately notice the difference a wizard makes when configuring these plugins. The initial setup can be confusing for a novice 2FA user. A wizard guides you through the setup of WP 2FA and miniOrange Google Authenticator. This gives a person who is not familiar with 2FA a way to quickly set it up.
TOTP and HOTP support
Time-based one-time passwords (TOTP) and HMAC-based one-time passwords (HOTP) are used to authenticate logins. TOTP requires an authenticator, and HOTP can be used with an authenticator or via email or SMS.
All of these plugins support TOTP to authenticate users. This is usually done with an app like Google Authenticator. Wordfence does not support HOTP, and only WP 2FA and miniOrange Google Authenticator support email authentication.
Since email access can be an additional weak point exploited by hackers, it is often recommended not to use email-based authentication. miniOrange is the only plugin that can also support multi-factor authentication (MFA) with hardware keys. If you want to use email authentication, we recommend that you also include a hardware key for authentication through its premium upgrade.
Grace period for installation
This is a period allowed by an administrator for users to set up their 2FA settings. It can be set in hours or days. During that period, users are not required to use 2FA. Once the period has expired, users will not be able to log in without 2FA.
Using 2FA shouldn’t be a burden for your users. A grace period should be considered as it gives users time to learn about the security solution and adjust to its use.
Only Two Factor Authentication (from the makers of UpdraftPlus) lacks the grace period feature.
These codes allow users to log in via 2FA in case their authenticator is not with them or if it has been lost.
Only Two Factor Authentication (from the makers of UpdraftPlus) leaves out the option of having backup codes. Two Factor Authentication provides backup options after a premium upgrade.
Custom form support
Many plugins change the normal WordPress login. Three of the four plugins reviewed provide support for these custom login forms.
The free version of miniOrange Google Authenticator includes many custom login forms. Two Factor Authentication (from the makers of UpdraftPlus) also provides support for custom logins, but more forms will be available after upgrading to the premium version. WP 2FA refers to these custom logins as third-party plugin compatibility.
Only the Wordfence plugin does not support custom login forms.
Most of the plugins in this review have premium upgrades that can be purchased for a price. The premium versions add features and functionality to the plugin.
The only plugin that doesn’t bombard you with upgrade options is Wordfence Login Security. If you want to upgrade your security options, you should use the full Wordfence login security plugin.
Until recently, miniOrange Google Authenticator supported only one user. It now supports up to three admin users. The premium package is important if you use this plugin for multiple user roles. It also has the most extensive upgrade options.
Two Factor Authentication (from the makers of UpdraftPlus) only provides backup codes and the mandatory use of 2FA when you purchase the upgrade.
The premium version of the WP 2FA plugin adds many features, including authentication options, white labeling, trusted devices, and technical support. Its upgrade rivals miniOrange's and has a cheaper starting price of $29/year.
If the criteria for comparing these plugins are features and effective security for 2FA, then they would rank like this:
1. miniOrange Google Authenticator
2. WP 2FA
3. Wordfence
4. Two Factor Authentication (from the makers of UpdraftPlus)
When you compare plugins for WordPress users, it often comes down to a few things: ease of use, feature set, and cost. The benefit of using 2FA will far outweigh the cost, but it’s also very important to choose the solution that works best for you.
If you are an advanced user and have a large and complicated WordPress site with many users, you may want to focus on WP 2FA and miniOrange Google Authenticator. They provide a wide variety of authentication options to support their various users. Plus, both have wizards that make initial setup easy.
If you are a simple WordPress user and want a plugin that provides easy 2FA usage with minimal bells and whistles, then Wordfence may be your choice. It is free and mainly concentrates its functions on protecting the WordPress login.
Two Factor Authentication (from the makers of UpdraftPlus) provides 2FA and many of the features of the other plugins, but you’ll need to upgrade to enforce 2FA usage. Installing the free version only provides the option to use 2FA. If you are experimenting with 2FA and plan to gradually improve the functionality of your site, you might want to consider this plugin as it is not expensive to upgrade.
The premium version of this plugin starts at $26/year.
These four two-factor authentication plugins for WordPress are great solutions for providing 2FA. Deciding on the best solution will depend on your type of installation, your users, and your needs for adding 2FA to your WordPress site.