Sep 302015

WordPress Two Factor Authentication Core Files post talks about security and two factor implementation for your website.

Last Updated: February 10, 2020

Latest News: I updated the information below.

WordPress are going in the right direction. They have decided to implement better security into the core file system. This will help fight brute force login attempts and stolen passwords. This new security feature might not be added to the core files. You can read more about it from the following URL the-two-factor-plugin-is-currently-on-a.

What does this means for many of you running WordPress? You won’t have to install a Two Factor plugin any more if you had one installed unless you prefer and like the plugin you are using. It also means that it will be extremely challenging for hackers to brute force attack into your website.

The images below are taken using the following versions WordPress 4.3.1 and 4.4 Alpha. The plugin works with WordPress 5.3.2.

Note: You might also be interested in reading the following tutorial Google Authenticator Security WordPress.

Two Factor  version 0.5.1 changelog. Check the following changelog URL two-factor releases.

Plugin To Install:

WordPress Two Factor Authentication Core Files

Step 1 ) The following image shows you the standard WordPress profile before you activate the plugin.


Step 2 ) Once you activate the plugin you will see the following settings.

Two-Factor Options

  • Email – Authentication codes will be sent to your email address.
  • Time Based One-Time Password (Google Authenticator) – View Options ?
  • FIDO Universal 2nd Factor (U2F) – Requires an HTTPS connection. Configure your security keys in the “Security Keys” section below.
  • Backup Verification Codes (Single Use) 0 unused codes remaining. (Click on Generate Verification Codes button)
  • Dummy Method


Step 3 ) The following image Application Passwords allows you create new Application Password Names. This is a great feature to add. It allows you to keep track and only allow certain smartphones, tablets or other mobile devices access to your website.

In the example below I added kogan name as my smartphone device. This generated a password uBaC jGlg UqZ4 dCZ4.

You can keep track for all your devices through the following fields.

  • Name
  • Created
  • Last Used
  • Last IP


Step 4 ) The following image Security Keys allows you to generate security keys if you selected this option in Step 2 ) above.

Note: U2F requires an HTTPS connection. You won’t be able to add new security keys over HTTP. 


You can see how much security this new feature will add to WordPress once it is implemented. I know all of you will be very happy once it is out.

I will be updating this tutorial from time to time so keep coming back for the latest updates.

If you have a questions send me an e-mail or leave a comment.


I have been working in IT since 1999 and I enjoy the challenges it brings me. I love developing websites with WordPress. I spend a lot of time helping out in forums. I have been writing tutorials since 2011. Now I am learning how to manage my own VPS "Virtual Private Server.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>



We use cookies in order to give you the best possible experience on our website. By continuing to use this site, you agree to our use of cookies.
Privacy Policy