Adding Two-Factor Authentication (2FA) to your WordPress login boosts security by requiring a verification code and your password. This guide will show you how to set up 2FA without using a plugin, ensuring better security for your website.
Why Use 2FA on WordPress?
- Extra security: Even if someone steals your password, they can’t log in without the verification code.
- Easy to use: No need for external apps—just enter a code sent to your email.
- Temporary codes: Codes expire in 5 minutes, reducing the risk of unauthorized access.
Step-by-Step Guide to Implement 2FA
Step 1: Intercept Login & Send a Verification Code
This snippet runs on the authenticate filter after WordPress has checked the username and password. It generates a 6-digit code, stores it on the user together with a timestamp, emails it to the address on the user's account (on a single-admin site that is the admin email) and then redirects to a code-entry step instead of completing the login. Add the following code to your functions.php file (preferably in a child theme). Two caveats before you deploy it: confirm that wp_mail() actually delivers on your host, because a user whose code never arrives cannot log in at all; and the filter deliberately skips XML-RPC and REST requests, which cannot follow a browser redirect, so those endpoints still accept the password alone and should be disabled if you do not use them.
function custom_2fa_login_redirect($user, $username) {
    // Runs after wp_authenticate_username_password(); until that has produced a WP_User there is nothing to do.
    if (is_wp_error($user) || !($user instanceof WP_User)) return $user;
    // XML-RPC and REST clients cannot follow a browser redirect; leave those requests alone (see caveat above).
    if (defined('XMLRPC_REQUEST') || defined('REST_REQUEST')) return $user;
    $two_fa_code = (string) wp_rand(100000, 999999); // wp_rand() uses random_int() on PHP 7+
    update_user_meta($user->ID, '2fa_code', $two_fa_code);
    update_user_meta($user->ID, '2fa_code_time', time());
    // Send the code to the account's own address; on a single-admin site this is the admin email.
    wp_mail($user->user_email, 'WordPress Login Code', "Your verification code: $two_fa_code");
    set_transient('pending_2fa_user_' . $user->ID, $user->ID, 300); // Code expires in 5 mins
    // Do not return $user (that would complete the login); send the browser to the code step instead.
    wp_safe_redirect(add_query_arg(array('step' => '2fa', 'user_id' => $user->ID), wp_login_url()));
    exit;
}
// Priority 20 is the same as the core username/password check; because this filter is registered later it runs after it and sees the result.
add_filter('authenticate', 'custom_2fa_login_redirect', 20, 2);
Step 2: Display the 2FA Code Input Field
This renders the code-entry form. It hooks login_init, which wp-login.php fires before it prints anything, so the normal login page can be replaced outright (hooking login_form instead would nest a second form inside the login form). The form only appears while a password login is actually pending for the given user ID; otherwise the visitor is sent back to the normal login page. The field names (2fa_code, user_id, verify_2fa) are the ones the verification step below reads:
function custom_2fa_login_form() {
    if (!isset($_GET['step'], $_GET['user_id']) || $_GET['step'] !== '2fa') return;
    $user_id = intval($_GET['user_id']);
    if (!get_transient('pending_2fa_user_' . $user_id)) { wp_safe_redirect(wp_login_url()); exit; } // no login pending for this user
    $message = isset($_GET['error']) ? '<p class="message">Invalid or expired code. Please try again.</p>' : '';
    login_header('Two-Factor Authentication', $message); // wp-login.php page chrome; must come before any other output
    echo '<form method="post" action="' . esc_url(wp_login_url()) . '">'
       . '<p><label for="2fa_code">Verification code</label> <input type="text" name="2fa_code" id="2fa_code" class="input" inputmode="numeric" autocomplete="one-time-code" required></p>'
       . '<input type="hidden" name="user_id" value="' . $user_id . '">'
       . '<p class="submit"><input type="submit" name="verify_2fa" class="button button-primary" value="Verify"></p></form>';
    login_footer();
    exit;
}
add_action('login_init', 'custom_2fa_login_form');
Step 3: Verify the Code & Grant Access
This function checks that the submitted code matches the one stored for the user, that a password login is actually pending for that user and that the code is no older than five minutes; only then does it set the session cookie. The comparison uses hash_equals() so that response timing does not reveal how many leading digits were right. Note that nothing here limits how many wrong guesses can be submitted while a code is pending:
function verify_custom_2fa_code() {
    if (!isset($_POST['verify_2fa'], $_POST['user_id'], $_POST['2fa_code'])) return;
    $user_id      = intval($_POST['user_id']);
    $entered_code = sanitize_text_field(wp_unslash($_POST['2fa_code']));
    $stored_code  = (string) get_user_meta($user_id, '2fa_code', true);
    $code_time    = (int) get_user_meta($user_id, '2fa_code_time', true);
    // A code only counts if the password step was passed (transient still set), a code is actually stored and it is under 5 minutes old.
    $pending = get_transient('pending_2fa_user_' . $user_id) && $stored_code !== '' && (time() - $code_time) <= 300;
    // hash_equals() compares in constant time, so timing does not leak how many digits matched.
    if ($pending && hash_equals($stored_code, $entered_code)) {
        delete_user_meta($user_id, '2fa_code');
        delete_user_meta($user_id, '2fa_code_time');
        delete_transient('pending_2fa_user_' . $user_id); // one code, one login
        wp_set_auth_cookie($user_id);
        wp_safe_redirect(admin_url());
        exit;
    }
    wp_safe_redirect(add_query_arg(array('step' => '2fa', 'user_id' => $user_id, 'error' => 'invalid_code'), wp_login_url()));
    exit;
}
add_action('init', 'verify_custom_2fa_code');
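The verification step above accepts an unlimited number of guesses while a code is pending. A 6-digit code has 900,000 possible values, so an attacker who knows a user ID (it is in the URL) can submit guesses to wp-login.php for the whole 5-minute window, and the expiry alone does not make that impractical. The following is an added example, not code from the original tutorial: a small attempt counter built on the WordPress transients API. It assumes WordPress is loaded; the CUSTOM_2FA_* constants, the custom_2fa_attempts_* transient and the four functions are my own names, while the 2fa_code, 2fa_code_time and pending_2fa_user_ keys are the ones used in the steps above.

```php
// Added example (not part of the original tutorial): cap wrong guesses per pending code.
// Assumes WordPress is loaded; constant, transient and function names below are my own.
const CUSTOM_2FA_MAX_ATTEMPTS = 5;
const CUSTOM_2FA_CODE_TTL     = 300; // same lifetime as the code itself

function custom_2fa_attempts_key($user_id) {
    return 'custom_2fa_attempts_' . intval($user_id);
}

// True while the user may still submit a guess for the pending code.
function custom_2fa_can_attempt($user_id) {
    return (int) get_transient(custom_2fa_attempts_key($user_id)) < CUSTOM_2FA_MAX_ATTEMPTS;
}

// Count a wrong guess. On the last allowed failure the pending code is discarded,
// so the attacker is forced back to the password step; a fresh code (and a fresh
// counter) is only issued to someone who knows the password. Returns true if the
// user is now locked out of this code.
function custom_2fa_record_failure($user_id) {
    $key      = custom_2fa_attempts_key($user_id);
    $attempts = (int) get_transient($key) + 1;
    set_transient($key, $attempts, CUSTOM_2FA_CODE_TTL);
    if ($attempts < CUSTOM_2FA_MAX_ATTEMPTS) {
        return false;
    }
    delete_user_meta($user_id, '2fa_code');
    delete_user_meta($user_id, '2fa_code_time');
    delete_transient('pending_2fa_user_' . $user_id);
    return true;
}

// Reset the counter after a successful verification.
function custom_2fa_clear_attempts($user_id) {
    delete_transient(custom_2fa_attempts_key($user_id));
}

// Guarded comparison: refuses once the cap is reached, otherwise checks that a
// code is pending and unexpired, compares in constant time with hash_equals(),
// and updates the counter either way. Use it in place of the plain comparison
// in verify_custom_2fa_code(): on true, set the auth cookie; on false, redirect
// back with error=invalid_code.
function custom_2fa_check_guess($user_id, $entered_code) {
    if (!custom_2fa_can_attempt($user_id)) {
        return false;
    }
    $stored_code = (string) get_user_meta($user_id, '2fa_code', true);
    $code_time   = (int) get_user_meta($user_id, '2fa_code_time', true);
    $valid = $stored_code !== ''
        && (time() - $code_time) <= CUSTOM_2FA_CODE_TTL
        && hash_equals($stored_code, (string) $entered_code);
    if ($valid) {
        custom_2fa_clear_attempts($user_id);
        return true;
    }
    custom_2fa_record_failure($user_id);
    return false;
}
```

Because the counter is read, incremented and written back in three separate calls, two requests arriving at the same instant can both see the same value, so a few guesses beyond the cap can slip through under heavy concurrency; the cap is a practical limit, not a hard one. If you need a hard limit, keep the counter in a database column updated with a single atomic UPDATE instead of a transient.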
How 2FA on WordPress Works in Simple Terms
- Log in with username & password → once they check out, the system generates a 6-digit code instead of setting the login cookie.
- Code sent to the account's email → the login is paused until verification.
- Enter the code on the login page → if it matches and is less than five minutes old, the session cookie is set and you land in the dashboard.
This blocks login-form attempts that have the password alone: an attacker additionally needs to read the mailbox that receives the code, or to guess a 6-digit code before it expires, which is why the number of guesses should be limited.
Final Thoughts
Implementing 2FA on WordPress manually provides an extra layer of security without relying on third-party plugins. If you’d rather not modify your functions.php, you can use a plugin like WPCode to insert this snippet instead.
Let me know if you have any questions or need adjustments. Stay secure!