2FAS – Two Factor Authentication


Secure your WordPress Administration area with 2FAS plugin

Each time you log in to the WordPress admin area, the system asks you for an additional authentication factor in the form of a TOTP code.
To guard against losing your phone or having the app deleted, you can generate a list of one-time backup codes, or attach a credit card to your account and receive codes via SMS or VMS.

2FAS is available to all users as soon as it’s installed and registered. Registration is needed because the 2FAS plugin communicates with the powerful 2FAS API, which lets it perform authentications, send text messages, make automated voice calls and much more.

If you use the 2FAS Authenticator app, the second step of verification can be completed by confirming the login on your phone, without re-typing the token in the browser (push authentication).

2FAS uses industry standard TOTP tokens, the same kind used by:
– 2FAS Authenticator
– Google Authenticator
– Microsoft Authenticator
– Authy
– FreeOTP
– and many others…

We use third party services to make this plugin work:
https://2fas.com – for authentication requests and communication with a mobile app
https://pusher.com – for real-time feedback in the browser

Get instant protection against:

Brute-force attacks

During a brute-force attack, your password can be discovered by the attacker. This is the only vulnerability you will experience with 2FAS. 2FAS’s intelligent security feature provides a finite amount of time in which the attacker can access the correct token. After the access period has ended, the attacker is locked out for security reasons.

WordPress takeovers

Many people use the same password or a similar password for many online services. Reused passwords remain vulnerable in cyberspace. Using the 2FAS plugin on your WordPress site makes access without a 2FAS registered device very difficult.

Phishing and keylogger attacks

If you’re not completely sure that the devices used by you or your sub-users are completely free of keyloggers and viruses, then using 2FAS to protect your WordPress site from security breaches is a great solution!

Any password discovery attempt is useless with 2FAS. Without the token generated by your 2FAS, conventional access to your WordPress site is almost impossible.


For more information check out our website at https://2fas.com

If you need our support, please contact us at support@2fas.com

Screenshots

  • The first step of the login process — providing the login and the password.
  • The second step of the login process — providing the token on an untrusted device.
  • Configuring the two-factor authentication in the 2FAS plugin.
  • Code required on the second step of the login process is generated by a mobile application.


  1. Log in to your WordPress administration area and go to the "Plugins" menu option on the left side.
  2. Click the "Add New" button at the top of the page.
  3. Search for "2FAS" and click the "Install Now" button.
  4. When 2FAS successfully installs, click the "Activate Plugin" link.
  5. Go to the 2FAS Dashboard menu option and create a 2FAS account.
  6. Follow the steps of the plugin wizard (scan the QR code and provide your token in order to verify it).
  7. That’s it! Now your WordPress administration area is protected by 2FAS.

Plugin requirements:

  • PHP 5.4 or newer (PHP 7.3 or newer is recommended)
  • PHP extensions: cURL, GD, Multibyte String and OpenSSL
  • WordPress 3.8 or newer (WordPress 5.2 or newer is recommended)
  • JavaScript enabled
  • A database user must have privileges for creating and deleting tables

Important notice: 2FAS plugin is not compatible with multisite mode.

If you have any problems with the installation, please contact us at support@2fas.com


Why do I need the 2FAS plugin?

If you’re not completely sure your devices or ones used by your sub-users are completely free of keyloggers and viruses, then it is a great solution.
Without the token generated by your smartphone, any password discovery attempt will be useless with 2FAS plugin.

Do I need to enter a token each time I log in to the WordPress admin?

No, it is not necessary. The 2FAS plugin determines whether or not the user is required to enter a token as an additional form of authentication.

What do I need to do to start using the 2FAS plugin?

The most common way to use the 2FAS plugin is to configure your smartphone to generate tokens. We recommend installing 2FAS Authenticator but you can download any Time-based One-time Password (TOTP) app (e.g. Google Authenticator, Authy, FreeOTP, etc.).

The 2FAS Authenticator app greatly speeds up the verification process and makes it much more convenient, as it lets you log in with one click on your mobile, without retyping the code.

Can I use a browser extension instead of my smartphone to generate tokens?

Yes, you can; however, it isn’t as safe as using your smartphone.
The main idea of two-factor authentication is to verify a user through different devices or channels. When you use a browser extension, you are not protected from malware or viruses, which can capture your token.

What methods can I use as a second factor?

In general, our plugin offers four authentication methods: TOTP app, offline code, text message, and an automated voice call. TOTP is the primary method and the others are backup methods. You can use them if you don’t have access to a mobile application.

Is it free?

It is completely free if you’re using tokens (TOTP, e.g. for 2FAS Authenticator app).
If you’d like to use text messaging or voice call, you need to create an account at 2fas.com and see our pricing, since prices vary depending on cell phone carriers. We charge only for the messages that are sent (authentication).

What is your privacy policy?

The 2FAS plugin sends our API the data needed to provide website security and high-quality technical support. Below you can find what kind of data is being sent:
– Website URL with the name and version of the WordPress installation
– PHP version
– 2FAS plugin version
– Browser name

This data is necessary in order to provide technical support.


June 24, 2020
Found this plugin after a long search and this is exactly what I am looking for! Easy installation, no hidden features you get after paying! So completely free. If you want to receive SMS messages instead of a push in the app on your phone, there is a paid service, which is clearly explained. Use the plugin now for a few weeks and no problem, set up and working within 2 minutes! Top!
April 28, 2019
2FAS is an excellent WordPress plugin that I have been using for over a year without any problems. 2FAS is a WordPress plugin developed with really good code that uses few resources and is really light. Furthermore the 2FAS plugin developers for WordPress provide an excellent, fast and professional assistance service. The WordPress 2FAS plugin does exactly what it promises and does it really well. For me the 2FAS plugin for WordPress greatly increases the security of websites developed with WordPress. 2FAS plugin for WordPress is excellent and I recommend it to everyone!
April 24, 2019
I switched 2FAS Light to this one - works good for me.
March 30, 2019
I had been using this plugin for about six months and really liked its functionality even at the free level. However, recently I have had to remove it. A recent update to the plugin has caused themes on several sites I host and manage to insert blank space in the headers, footers, and menus. The recent update of the plugin was tested on a clean install with the same themes and the default theme with the same formatting problems. The recent update also affects the admin console by disallowing views of the Add New Plugins page, and the page and post listings from the admin panel. The same sites experienced significant slowdowns for logged in users. Sites using Astra theme experience problems for all users, sites using Neve only for logged in users, other themes experienced some variation of the problems above depending on user level. I am hoping for a fix, but am looking for an alternative plugin for now.
February 7, 2019
I chose this plugin as it works on a Windows phone with Microsoft Authenticator, which some of the others don't. I've set it up on 2 sites so far, and you can choose which roles will need to provide authentication. Registration is required, but that's true of lots of things. So far, so good!
Read 13 reviews

Contributors and developers

"2FAS – Two Factor Authentication" is open source software. The following people have contributed to this plugin.


Changelog

3.0.3 (Feb. 8, 2021)

  • Upgrade cookies support
  • Check adblocker when sending Push Notification