Two-Factor Authentication

TOTP-based 2FA — works with any authenticator app.

LoginPlus implements time-based one-time passwords (TOTP) as defined in RFC 6238 — the same standard used by Google Authenticator, Authy, and 1Password.

User enrollment

  1. Go to Users → Your Profile (or Profile in the admin bar).
  2. Scroll to the Two-Factor Authentication section.
  3. Click Generate Secret — a QR code and a text key appear.
  4. Scan the QR code with your authenticator app (Google Authenticator, Authy, etc.).
  5. Enter the 6-digit code shown in your app to confirm, then click Enable 2FA.
  6. Copy and store the shown recovery codes somewhere safe.

Logging in with 2FA

After entering your username and password, WordPress redirects to a second step where you enter your 6-digit code. The code is valid for 30 seconds. Entering an expired code shows a clear error — no lockout is triggered for incorrect TOTP codes (only password failures count toward brute force).

Email OTP fallback

If you don’t have your authenticator app on hand, click send a code to your email on the 2FA step instead. LoginPlus emails a 6-digit code to your account’s email address, valid for 10 minutes. To prevent abuse, you can request at most 3 emailed codes within any 5-minute period.

Recovery codes

Each user receives 8 one-time recovery codes (formatted like XXXX-XXXX-XXXX) at enrollment. A recovery code can be used in place of a TOTP code and is immediately invalidated after use. If you run out of recovery codes, disable and re-enable 2FA from your profile to generate new ones.

Enforcing 2FA for admins

Enable Require 2FA for administrators in LoginPlus → Settings → Two-Factor Authentication. When this is on, any user with the administrator role who has not enrolled in 2FA is redirected to their profile page immediately after login — they cannot access the admin dashboard until they set up 2FA.

Disabling 2FA

Users can disable 2FA from their profile by clicking Disable 2FA. This removes the stored secret and all recovery codes.