Two-factor authentication (2FA) means that logging in requires two things: something you know (your password) and something you have (a code generated on your phone or sent to your email). Even if an attacker gets hold of your password, they cannot log in without the second factor.

For WordPress admin accounts, 2FA is one of the most effective single security measures you can add.

Why it matters for WordPress

WordPress admin access is valuable. It gives full control over the site — content, settings, installed software, user accounts. A compromised admin account is effectively a compromised site. Passwords alone are not a reliable defence: they get reused, phished, or guessed. 2FA adds a second check that a password obtained in any of those ways cannot pass on its own.

How it works in practice

After entering a username and password, the user is prompted for a one-time code. This is typically generated by an authenticator app on a mobile device, or sent via email. The code expires quickly, so intercepting it without the physical device is not practical.

For most WordPress sites, 2FA is straightforward to enable and adds minimal friction to the login process for legitimate users — while making unauthorised access dramatically harder.

Who should have it enabled

At minimum: all admin-level accounts. For sites with multiple users at different access levels, extending 2FA to editor accounts is also worth considering. The higher the access level, the more important the protection.

2FA is one of the security measures we configure as part of a proper WordPress setup. If you want to know whether your site’s admin accounts are properly protected, a website checkup will tell you. You can find more in our security knowledge base.
