
Best WordPress 2FA plugins (free and paid)

May 9, 2026 | 23 min read
Hostney (hostney.com)

Short answer: For most WordPress sites in 2026, Two Factor (the WordPress.org core-team plugin) is the right starting point – it is lightweight, supports TOTP and backup codes, and is maintained by the same people who write WordPress itself. WP 2FA is the strongest pick if you need to enforce 2FA across user roles with a wizard-driven setup and policy controls, miniOrange 2FA offers the widest method buffet in a single plugin (TOTP, email, SMS, security questions) but its free tier is capped at three users, and Duo Universal is the right enterprise choice if you already use Duo elsewhere or need passkey and push-notification support out of the box. Google Authenticator (the Ivan-maintained plugin, not Google) is the simplest possible TOTP-only option for single-admin sites, and the full Wordfence plugin bundles 2FA into a broader security stack if you want one plugin instead of two. The question almost every “best 2FA plugin” review skips: the method you choose for your second factor matters more than which plugin presents it. SMS 2FA is broken against motivated attackers; TOTP and hardware keys are not. Most of this article is about that distinction.

| Plugin | Free or paid | Best for | Skip if |
| --- | --- | --- | --- |
| Two Factor (by WordPress.org) | Free | Lightweight TOTP + email + backup codes, maintained by core team | You need role-based enforcement or a setup wizard for non-technical users |
| WP 2FA (Melapress) | Free + Premium (~$45/yr+) | Wizard-driven setup, policy enforcement, passkeys, grace periods | You only need 2FA for yourself – the policy engine is overkill |
| miniOrange 2FA | Free (3-user limit) + Premium | Widest method support in one plugin: TOTP, SMS, email, WhatsApp, Telegram, security questions | You have more than three users and do not want to pay |
| Duo Universal | Free up to 10 users + paid ($3/user/month) | Passkeys, push notifications, biometrics, hardware keys via Duo’s cloud | You do not want a third-party 2FA service or are above 10 users on a tight budget |
| Google Authenticator (Ivan) | Free | Single-admin sites that want one TOTP option and nothing else | You need backup codes, role enforcement, or anything beyond per-user TOTP |
| Wordfence (full plugin) | Free + Premium ($119/yr+) | Sites that want 2FA bundled with WAF, malware scanning, and threat intelligence | You only want a 2FA plugin and not a full security suite |

The honest framing most 2FA-plugin roundups skip: in 2026, an attacker who can phish or SIM-swap can defeat SMS 2FA without much effort. NIST has discouraged SMS as a primary second factor since 2017, and active-account-takeover groups routinely target high-value WordPress admins via mobile-carrier social engineering. TOTP (the rotating six-digit code from an app like Google Authenticator, Authy, or 1Password) is dramatically harder to phish in real time, and hardware security keys (YubiKey, Titan, or any FIDO2 key) are practically unphishable. The best 2FA plugin is the one that makes the right method easy for your users – not the one with the most checkboxes.

What 2FA actually does

A WordPress login normally needs one thing: a password. Two-factor authentication adds a second proof of identity that must be presented at the same time. The two factors are usually:

  • Something you know. The password.
  • Something you have. A phone running an authenticator app, a hardware security key, an email inbox, or a registered device that can receive a push notification.

The plugin sits between wp-login.php and the WordPress dashboard. After the password check passes, the plugin intercepts the request, prompts for the second factor, and only completes the login if both succeed. If a credential is stolen – through reuse, phishing, malware, or a leaked database – the attacker still cannot log in without the second factor.

Where 2FA stops a real attack:

  • Brute force and credential stuffing. Even with the right password from a leaked database, the attacker hits the second-factor prompt. The mechanics of these attacks are covered in brute force attacks on WordPress.
  • Phishing pages that capture the password. TOTP and hardware keys are not transferable – the code or signature only works on the real site, in real time, for the user who generated it.
  • Sessions stolen by malware. If the malware can capture an active session cookie, 2FA does not stop it (this is what session hijacking does). But for any flow that requires re-authentication – changing a password, deleting a user, installing a plugin in some configurations – 2FA still blocks the privileged action.

Where 2FA does not help:

  • A user already logged in on a compromised browser. Once the cookie exists, the second factor is in the past.
  • A plugin or theme vulnerability that bypasses the login flow entirely (SQL injection that creates a new admin user, RCE that runs code as the web server). 2FA only protects the login path.
  • Weak account recovery. If your WordPress can email a password reset link to a compromised inbox, 2FA on the login form is bypassable.

This is why the plugin’s recovery story matters as much as its primary method. A site with TOTP enforced and one-click email recovery is, functionally, an email-2FA site – the strongest method is only as strong as the weakest fallback.

The single most important decision is which method you and your users will actually use.

TOTP (Time-based One-Time Password) generates a six-digit code that rotates every 30 seconds, computed from a shared secret and the current time. Codes are produced by an app on the user’s phone or computer (Google Authenticator, Authy, 1Password, Bitwarden, FreeOTP, Microsoft Authenticator). TOTP works offline, has no per-message cost, and is the de facto industry standard for 2FA outside of FIDO/WebAuthn. Every plugin in this article supports TOTP. This should be the default choice unless you have a reason to use something else.

Hardware security keys / passkeys (FIDO2 / WebAuthn) are physical devices (YubiKey, Google Titan, SoloKey) or platform credentials stored in the OS keychain (Apple Passkeys, Windows Hello, Android passkey). The browser performs a cryptographic challenge-response with the key. The signature is bound to the exact site origin, so a phishing site at wp-login-paypal-secure.com cannot replay it on the real WordPress. This is the strongest available method. The trade-off: every user needs a key (or a passkey-capable device), and key recovery is harder than re-printing backup codes. WP 2FA, Duo Universal, miniOrange (paid YubiKey support), and the full Wordfence plugin support hardware keys directly. Two Factor supports them via the companion two-factor-provider-webauthn plugin.

SMS sends the second-factor code as a text message. Do not use SMS as your only second factor for a WordPress admin account. SIM-swapping attacks have been used to take over high-value accounts repeatedly since 2018. The carrier-side process for porting a phone number is, in practice, vulnerable to social engineering. SMS as a backup method, when the primary is TOTP or hardware, is reasonable for low-stakes accounts. As the primary factor for an admin login, it is the worst of the available options.

Email codes / magic links send a one-time code or a clickable login link to the user’s registered email. The strength of email 2FA equals the strength of the email account itself. If the user has 2FA on their inbox (which Gmail, Outlook, and most major providers offer for free), this is reasonable. If they do not, email 2FA on WordPress is a thin layer – a compromised email gives an attacker the password reset and the second factor in the same place.

Push notifications (Duo Push, Authy push) prompt the user to approve a login on their phone. Strong against passive phishing, but vulnerable to “MFA fatigue” attacks – the attacker repeatedly triggers prompts hoping the user will approve one to make them stop. Duo and miniOrange (premium) implement number-matching to mitigate this; older push systems do not.

Backup codes are one-time codes (usually 10) generated when the user enrolls. Used when the primary method is unavailable – phone lost, app uninstalled, SMS not arriving. Backup codes are not a 2FA method by themselves; they are an emergency hatch. Every plugin worth installing supports them. The ones that do not (Google Authenticator by Ivan being the notable example) require a manual workaround if a user gets locked out.

The article from here on is about which plugin presents these methods well, not about which method is best – that is the decision you should make first.

How we picked these six plugins

The wordpress.org plugin directory has dozens of plugins tagged “2fa”. Most are abandoned, several are commercial-only with thin wordpress.org listings, and a couple of historically popular ones are now actively dangerous to install on a fresh site.

We covered the six plugins that are actively maintained as of May 2026, support TOTP at minimum, and represent architecturally distinct approaches.

What we deliberately skipped:

  • Duo Two-Factor Authentication (duo-wordpress). The legacy Duo plugin reached end-of-support on September 30, 2024. It still appears in directory searches but has not been tested with the last three major WordPress releases and is no longer maintained. The successor is Duo Universal, listed below.
  • Wordfence Login Security (the standalone plugin). Wordfence announced this plugin will be discontinued around July 1, 2026, and is directing users to the full Wordfence plugin instead. We list the full Wordfence plugin in this article rather than the soon-to-be-archived spinoff. If you have Wordfence Login Security installed today, you have until mid-2026 to migrate.
  • Authy plugin and other “branded authenticator” plugins. Twilio is winding down the consumer Authy app on desktop. There is no current authoritative WordPress integration. Use TOTP instead – any plugin will accept Authy as a TOTP source.
  • iThemes Security 2FA module. The 2FA functionality is now part of Solid Security (covered in best WordPress security plugins) rather than a standalone plugin. We did not duplicate it here.
  • Anything not in the WordPress.org repository or from a known commercial vendor. Several “free” 2FA plugins on lesser-known marketplaces have shipped with backdoors over the years. A 2FA plugin needs to be from a vendor you trust – this is the hill to die on.

Verified-status table (last checked 2026-05-09):

| Plugin | Source | Active installs | Last update | Tested up to |
| --- | --- | --- | --- | --- |
| Two Factor | wordpress.org/plugins/two-factor | 100,000+ | Mar 27, 2026 | 6.9.4 |
| WP 2FA | wordpress.org/plugins/wp-2fa | 100,000+ | Feb 25, 2026 | 6.9.4 |
| miniOrange 2FA | wordpress.org/plugins/miniorange-2-factor-authentication | 10,000+ | Apr 13, 2026 | 6.9.4 |
| Duo Universal | wordpress.org/plugins/duo-universal | 2,000+ | Jan 6, 2026 | 6.9.4 |
| Google Authenticator (Ivan) | wordpress.org/plugins/google-authenticator | 20,000+ | Apr 7, 2026 | 7.0 |
| Wordfence | wordpress.org/plugins/wordfence | 5,000,000+ | (multiple recent) | 6.9.4 |

Two Factor (by WordPress.org)

Use it if: You want a lightweight, dependency-free 2FA plugin maintained by the WordPress core team itself. You are comfortable with each user enabling 2FA from their own profile page rather than being walked through a setup wizard.

Don’t use it if: You need to enforce 2FA across user roles, want a setup wizard for non-technical users, or need a polished WooCommerce-integrated UI.

What you get (free):

  • TOTP via any authenticator app (Google Authenticator, Authy, 1Password, Microsoft Authenticator, Bitwarden, FreeOTP)
  • Email codes
  • Backup codes (10 generated, one-time use)
  • Per-user enrollment from the standard WordPress profile page
  • Site-wide settings page added in the recent 0.16.0 release for disabling specific providers
  • Open source, GitHub-hosted, contributed by core developers including George Stephanis (the original author and a member of the WordPress security team)
  • WebAuthn / hardware key support via the companion plugin two-factor-provider-webauthn

What it does not include:

  • Role-based enforcement (you cannot say “all editors must use 2FA”)
  • Setup wizards or guided onboarding
  • WooCommerce-specific integrations
  • SMS as a method (deliberate – the maintainers consider SMS too weak to recommend)

Common gotchas:

  • The plugin removed FIDO U2F support in version 0.16.0 (March 2026) due to browser deprecation. If you were relying on it, install two-factor-provider-webauthn for the modern equivalent.
  • The settings UI is intentionally sparse. There are filter hooks for almost everything (two_factor_providers, two_factor_providers_for_user, two_factor_email_token_ttl), but no GUI for them. This is a feature for developers and a frustration for non-developers.
  • Site administrators can edit other users’ 2FA settings from the user profile page. This is correct for account recovery; it is also why the WordPress admin password itself needs to be strong.

WP 2FA (by Melapress)

Use it if: You have multiple users and need to enforce 2FA across roles, want a setup wizard for less technical users, or care about passkeys and policy controls. The free version is genuinely usable – this is not a freemium plugin where the free tier is crippled.

Don’t use it if: You only need 2FA for yourself or a single admin. The policy engine and grace-period system are designed for sites with many users; they add visual noise on a one-person site.

What you get (free):

  • TOTP and email codes
  • 16-digit backup codes
  • Passkey support (passwordless login)
  • Wizard-driven setup for both site-wide configuration and individual users
  • 2FA policies with grace periods (require setup within N days, lock out after)
  • Apply 2FA site-wide, to specific roles, or per user
  • REST API for headless WordPress and AJAX login forms
  • No data sent to Melapress

What you get (Premium, ~$45/year for one site at intro pricing):

  • YubiKey and other hardware keys
  • SMS, email link, and Authy push as additional methods
  • One-click WooCommerce integration
  • Trusted devices (skip 2FA on a recognized device for N days)
  • Allow the next login without 2FA (an admin-controlled “rescue this user” toggle)
  • Zero-setup email 2FA for users who never configured anything
  • White labeling

Common gotchas:

  • Melapress also makes WP Activity Log, Melapress Login Security, and Melapress Role Editor. These are good plugins, but the WordPress admin will accumulate “Melapress” menus if you install several. They are independent products, not a suite.
  • WooCommerce Customer-role 2FA can collide with custom checkout flows. One recent reviewer reported that custom WooCommerce deposit-payment URLs broke when 2FA was enabled for the Customer role. The fix is usually to scope 2FA to backend roles only (Administrator, Editor, Shop Manager).
  • The “Brute Force Protection” feature can produce duplicate OTP emails if both the brute-force module and the email-2FA module are sending. Disable one of them if users report multiple codes.

miniOrange 2FA

Use it if: You need the widest range of 2FA methods supported in one plugin and have a small number of users (or budget for the premium tier). miniOrange’s strength is method coverage – if a method exists, this plugin probably has it.

Don’t use it if: You have more than three users on a free-only budget. The free tier is capped at three users; the upsell path is aggressive.

What you get (free, 3-user limit):

  • TOTP via Google Authenticator, Microsoft Authenticator, LastPass Authenticator, Duo Authenticator, Authy, FreeOTP
  • OTP via email
  • OTP via SMS (limited transactions)
  • OTP via Telegram
  • Email verification via link (one-click)
  • Security questions
  • Backup codes
  • Role-based 2FA configuration
  • Custom email templates
  • Login activity reports

What you get (Premium, pricing varies by tier):

  • Lift on the 3-user cap
  • WhatsApp 2FA
  • YubiKey
  • Trusted devices, IP allowlists
  • Page-level 2FA protection (require 2FA to view specific pages, not just to log in)
  • Custom SMS gateway support (use your own Twilio, Plivo, etc.)
  • Multisite support (network-wide policies)
  • Full white labeling

Common gotchas:

  • The free 3-user cap is the most common surprise. If your site has more than three accounts that should use 2FA, you are looking at a paid plan.
  • SMS and Email OTP transactions go through miniOrange’s cloud unless you configure a custom gateway (premium). For an SMS-heavy site this can become a metered cost.
  • The plugin has had multiple security-fix releases in the past 18 months (vulnerability fixes around 2FA bypass, KBA validation, IP-lookup XSS, broken access control, session hijacking). The fixes are landing, but the cadence suggests the surface area is large. Keep this plugin updated promptly.
  • The setup wizard surfaces upgrade prompts for paid features alongside free ones; non-technical users sometimes click into a premium method and stall.

Duo Universal

Use it if: You already use Duo elsewhere in your business (corporate SSO, VPN, RDP), need the strongest enterprise-grade 2FA without rolling your own, or want passkey and push-notification support without writing custom integration code. Free for up to 10 users.

Don’t use it if: You do not want a third-party 2FA service in the loop, you have more than 10 users on a tight budget ($3 per user per month adds up), or you want a plugin that runs entirely on your own server.

What you get (free, up to 10 users):

  • Passkey, biometric, and hardware-token support via Duo’s Universal Prompt
  • Duo Push notifications with number-matching (mitigates MFA-fatigue)
  • TOTP via Duo Mobile
  • Phone callback and SMS as backup methods
  • Per-role enforcement
  • Branded prompt with your logo

What you get (paid, $3/user/month for >10 users):

  • All of the above for unlimited users
  • Advanced reporting and policy controls
  • Trusted devices, geographic restrictions
  • Risk-based authentication

Important migration note: If you currently have the legacy “Duo Two-Factor Authentication” plugin (duo-wordpress) installed, that plugin is end-of-life. Duo’s official migration path is to install Duo Universal, reconfigure your application in the Duo Admin Panel as a “Web SDK” application, and switch over. Detailed steps are in Duo’s documentation at duo.com/docs/wordpress.

Common gotchas:

  • Duo authentication round-trips through Duo’s cloud. If Duo has an outage, logins will fail (this is rare in practice but has happened). Plan a recovery path – typically one local admin account exempt from Duo.
  • Passkeys created during the trial period are tied to the specific OS where they were created. Adding a new device after the trial ends requires a paid plan.
  • The plugin replaces the WordPress 2FA prompt with Duo’s iframe. Theme conflicts with the iframe styling occur occasionally, especially with login-page customizers like LoginPress.

Google Authenticator (by Ivan)

Use it if: You want a single-admin TOTP plugin with no policy engine, no method selector, and no marketing UI. You are comfortable with the fact that this plugin has no backup codes and no recovery flow other than disabling the plugin via FTP if you get locked out.

Don’t use it if: You need backup codes, role enforcement, or anything beyond per-user TOTP. You are not technical enough to recover via FTP if your phone is lost.

What you get:

  • TOTP via any authenticator app
  • Per-user enable/disable from the WordPress profile page
  • App password feature for XML-RPC and the WordPress mobile apps (use cautiously – this weakens 2FA for those endpoints)
  • “Relaxed mode” that accepts codes from a 4-minute window instead of 30 seconds (for sites with clock-drift issues)

What it does not include:

  • Backup codes. The maintainer has historically pointed users to the third-party “Authenticator Plus” Android app for cloud backup of TOTP secrets, which is not the same as having one-time recovery codes built into WordPress.
  • Role-based enforcement, policies, grace periods
  • Email or SMS fallback methods
  • Hardware key support
  • A recovery UI – if you lose your phone and have not saved the QR-code secret, you must SSH in and delete the plugin folder to log back in

Recent history note: This plugin was effectively unmaintained for several years before a new maintainer (ivankk) released version 0.55 in April 2026 with PHP 7.4-8.5 compatibility fixes. It is alive again, but the maintenance cadence is one developer’s spare time. It is the right pick when you want minimum surface area and accept the trade-offs; it is the wrong pick if 2FA is critical infrastructure for a site with multiple users.

Common gotchas:

  • Server clock drift breaks TOTP. The plugin’s “relaxed mode” hides the symptom; the real fix is making sure NTP runs on the server.
  • App passwords for XML-RPC bypass 2FA. If you turn this on, the XML-RPC endpoint is no longer 2FA-protected for that user. Either accept that, or disable XML-RPC entirely.
  • The plugin has not had a recovery UI added even in the rescued 0.55 release. If a user loses their phone, an admin must SSH or FTP in to remove their TOTP entry from the database.

Wordfence (full plugin)

Use it if: You want 2FA bundled with a Web Application Firewall, malware scanner, login hardening, and threat intelligence in one plugin. You are looking for a security suite, not a 2FA plugin.

Don’t use it if: You only want 2FA. Wordfence is a heavy plugin (the scanner alone consumes meaningful CPU and database resources), and using it just for 2FA is overkill.

What you get (free):

  • TOTP for any user role
  • Login CAPTCHA (Google reCAPTCHA v3)
  • XML-RPC protection (block or 2FA-gate)
  • Plus the rest of Wordfence: WAF rules, malware scanner, file integrity monitoring, threat-intelligence feed
  • WooCommerce login form support

What you get (Premium, $119/year+):

  • Real-time WAF rule updates and threat-intelligence feed (free version is delayed by 30 days)
  • Country blocking
  • Two-factor SMS (worth using only as a fallback, not a primary method)

Common gotchas:

  • The standalone Wordfence Login Security plugin is being discontinued in July 2026. If you have it installed today, the migration is to install the full Wordfence plugin and uninstall the Login Security spinoff. Settings do not auto-migrate; you reconfigure.
  • Wordfence’s scanner can be heavy on shared hosting. If you only want the 2FA features without the scanner, you can disable the Scan section entirely in the Wordfence settings – the 2FA module continues to work.
  • The full plugin has its own update cadence and admin-bar widgets that some site owners find intrusive. If a 2FA-only plugin like Two Factor or WP 2FA is sufficient, that is the leaner answer.

Quick-reference matchup table

| If you… | Pick |
| --- | --- |
| Just need 2FA on your one-person admin account, fastest setup | Two Factor (by WordPress.org) |
| Have 5-50 users and need to enforce 2FA across roles | WP 2FA (free for backend roles, Premium if you want WooCommerce or YubiKey) |
| Want one plugin with every method (TOTP/SMS/email/Telegram/security questions) | miniOrange 2FA |
| Already use Duo for corporate SSO or VPN | Duo Universal |
| Want passkey / hardware-key support without a third-party cloud | WP 2FA (free, with a passkey-capable browser) |
| Need WordPress 2FA but already run Wordfence as a security suite | Use Wordfence’s built-in 2FA, do not stack a second plugin |
| Want absolute minimum: TOTP, no UI, no extras | Google Authenticator (Ivan), accepting the recovery trade-off |
| Currently have legacy Duo Two-Factor Authentication installed | Migrate to Duo Universal before mid-2026 |
| Currently have Wordfence Login Security installed | Migrate to the full Wordfence plugin before July 2026 |
| Have an internal-only WordPress that only Hostney customers and delegates ever sign into | Consider Hostney’s WP SSO instead of a 2FA plugin (see below) |
| Run WooCommerce and want 2FA for shop managers but not customers | WP 2FA Premium (one-click integration) or scope a free plugin to backend roles only |

How long does it take to see results?

| Time after enabling 2FA | What changes |
| --- | --- |
| Same day | Brute-force credential-stuffing attempts on /wp-login.php start failing at the second-factor prompt. You will see attempts in the audit log; logins will not complete. |
| First week | Time spent in support: every user who gets locked out hits backup codes, an admin override, or a manual reset. Plan for two or three of these in the first week even on a five-user site. |
| First month | Per-user “I lost my phone” friction drops to near zero once everyone has saved their backup codes. Average user logs into WordPress with 2FA in under 15 seconds. |
| First quarter | If you required 2FA across roles, the population of accounts that “never use 2FA but theoretically have admin access” goes to zero. This is the largest residual risk most WordPress sites have, and the cleanup is permanent. |
| Ongoing | Account-takeover incident rate from credential reuse drops sharply. Phishing pages that successfully capture passwords get caught at the second-factor step instead of producing a defaced site three days later. |

Common mistakes

  • Using SMS as the only second factor for an admin account. SIM-swapping is a real attack against high-value accounts. Use TOTP or hardware keys for admins; reserve SMS as a backup, if at all.
  • Forgetting to enable backup codes. When 2FA is required and the user has no recovery code, the only path back into the account is an admin override or direct database access. Generate backup codes during enrollment and store them in a password manager.
  • Enforcing 2FA without a grace period. If you switch on “all users must use 2FA” today and a user has not enrolled, they cannot log in. Either give them a grace period (WP 2FA, Duo Universal, miniOrange Premium) or onboard everyone before enforcing.
  • Letting wp-login.php be the only entry point you protect. WordPress also accepts logins via XML-RPC and the REST API. Confirm your 2FA plugin protects these (Two Factor and Wordfence do; some others have gaps). If they do not, disable XML-RPC entirely.
  • Stacking two 2FA plugins. Running Two Factor and WP 2FA, or Wordfence’s 2FA and WP 2FA, produces double prompts at best and lockouts at worst. Pick one and uninstall the other.
  • Trusting “remember this device” forever. Trusted-device features (WP 2FA Premium, miniOrange Premium, Duo) reduce friction at the cost of security. Set the trust window to 30 days, not 365.
  • Recovery email on a free webmail account with no 2FA itself. If your WordPress can email a password reset to a Gmail account that has no 2FA, your site has no 2FA – it has a one-step bypass via email. Audit your account recovery email and make sure it has 2FA.
  • Skipping the lost-device drill. Pretend your phone fell in the river. Walk through how you would get back into the site. If the answer involves “ask the host to disable the plugin,” your recovery story is not actually a recovery story.
  • Ignoring app-password and application-password gaps. WordPress core supports application passwords for the REST API and some plugins add their own. These bypass 2FA by design. Audit which users have them and revoke any that are not in active use.
  • Treating 2FA as a substitute for password hygiene. It is an additional layer, not a replacement. A reused password plus 2FA is still better than a strong password without 2FA, but a strong unique password plus 2FA is the actual goal.

Hostney's WP SSO: an alternative when external users are not in the picture

Most WordPress sites need a 2FA plugin because someone outside the hosting account – a contributor, a customer, a vendor – logs into wp-admin. For sites where that is not the case (you and your delegates are the only people who ever sign in to WordPress), Hostney offers a different shape of solution: single sign-on from the Hostney control panel directly into WordPress.

How it works:

  1. You sign into the Hostney control panel using your Hostney account credentials, including any 2FA you have enabled on your control-panel login.
  2. From the WordPress site’s row in the control panel, you click “Login”.
  3. The control panel mints a one-time, SHA-256 hashed token (60-second TTL) and redirects you to https://yoursite.com/hostney-login?token=...
  4. The token is validated server-side against the Hostney backend, and you are logged into wp-admin without typing a WordPress password.

There is also a per-site setting called security_sso_only that locks WordPress login to SSO only – effectively disabling password login at wp-login.php for owners and delegates. With that flag on, the only path into wp-admin is through the Hostney control panel, which already has your account-level 2FA in front of it.
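A minimal issue-and-redeem implementation of the one-time login token pattern the steps above describe (only the SHA-256 hash is stored, 60-second TTL, single use), added here as an illustration of the pattern; it is not Hostney’s implementation, and the class name, method names and in-memory store are assumptions.

```python
"""Single-use, short-lived login tokens of the kind used for a control-panel to wp-admin handoff."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 60  # lifetime described for the control-panel token


class OneTimeLoginTokens:
    """Mints and redeems single-use login tokens (hypothetical, in-memory store).

    Only sha256(token) is kept server-side, so a leaked token table cannot be
    replayed; the clear-text token travels once, inside the redirect URL.
    """

    def __init__(self) -> None:
        # sha256 hex digest -> (user the token was minted for, expiry as unix time)
        self._pending: Dict[str, Tuple[str, float]] = {}

    def issue(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (user, now + TOKEN_TTL_SECONDS)
        return token

    def login_url(self, site: str, token: str) -> str:
        """Redirect target in the shape the steps above show (path taken from the article)."""
        return f"https://{site}/hostney-login?" + urlencode({"token": token})

    def redeem(self, token: str, now: float) -> Optional[str]:
        """Return the user for a valid token, or None if it is unknown, expired or already spent."""
        presented = hashlib.sha256(token.encode()).hexdigest()
        for stored, (user, expires_at) in list(self._pending.items()):
            if hmac.compare_digest(stored, presented):   # constant-time digest comparison
                del self._pending[stored]                # spend it before deciding: never reusable
                return user if now < expires_at else None
        return None
```

With the lookup keyed on the hash and the entry deleted on first presentation, a token captured from a browser history or proxy log is worthless after the legitimate redirect completes or 60 seconds pass.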

When this is the right choice:

  • Internal-only sites. Marketing site, internal documentation, intranet, agency staging environments. The only people who ever log in are you and your team, and they all access through the Hostney control panel anyway.
  • Agencies managing client sites where the agency is the only operator. Delegate access in Hostney lets clients invite their agency without giving up control-panel ownership. Agency staff sign in once at Hostney and get to wp-admin in one click – the WordPress login becomes a closed door.
  • Sites where wp-login.php is constantly attacked and you would rather it not exist as an authentication endpoint at all. SSO-only mode means brute-force attempts at /wp-login.php cannot succeed – there is no password to guess.

When this is not the right choice:

  • Sites with external contributors or customers (membership sites, community blogs, multi-author publications, WooCommerce stores). External users do not have Hostney accounts; they need a normal WordPress login flow with 2FA on top.
  • Sites where the WordPress login URL is shared with non-Hostney services (LMS plugins, learning platforms, custom membership systems built on wp_signon). SSO-only would break those flows.
  • WooCommerce frontend customer logins. SSO-only protects wp-admin; customer accounts on the storefront still use the standard login form. For those, install one of the 2FA plugins above.

You can also use both – 2FA plugin for external users, SSO for the agency or owner. The plugin will recognize that an SSO-authenticated session has already passed authentication and skip the 2FA prompt for that session.

The point is not that SSO replaces 2FA in general. It replaces it specifically for the use case where every actual user already authenticates through Hostney. For everyone else, a 2FA plugin is the right tool.

Summary

For most WordPress sites, the choice is between Two Factor (lightweight, core-team-maintained, no policy engine) and WP 2FA (free tier with policy enforcement, premium tier with passkeys and WooCommerce integration). If you have an unusual method requirement (SMS, WhatsApp, security questions), miniOrange covers more ground in one plugin than anything else, with the caveat that the free tier is capped at three users. If you are already using Duo elsewhere or want enterprise-grade push and passkey support, Duo Universal is the answer. Google Authenticator by Ivan is the right pick only if you want absolute minimum and accept the lack of backup codes.

Whichever plugin you pick, the method matters more than the plugin. Use TOTP or hardware keys as the primary factor. Use SMS only as a fallback, if at all. Save your backup codes somewhere you will find them in two years. Confirm your plugin protects XML-RPC and the REST API along with wp-login.php. And test the lockout-recovery flow before you need it.

If your site only needs to be logged into by you and your delegates through the Hostney control panel, the WordPress SSO option above lets you skip the plugin question entirely – your control-panel 2FA becomes WordPress’s 2FA, and the WordPress login form stops mattering.

For the broader security stack that 2FA fits into, see the best WordPress security plugins for WAFs, scanners, and threat-intel; brute force attacks on WordPress and how to stop them for the attack model 2FA defends against; and how to find and change the WordPress login URL for the related “obscure the login endpoint” question that 2FA does not solve but pairs with.
