WordPress 6.9 is available! Please update now.

Two-Factor Authentication

Learn more about Two-Factor Authentication

Two-Factor Authentication, or 2FA, significantly improves login security for your website. Wordfence 2FA works with a number of TOTP-based apps like Google Authenticator, FreeOTP, and Authy. For a full list of tested TOTP-based apps, click here.

Editing User:   webteam_brockbuilt (you)
1. Scan Code or Enter Key

Scan the code below with your authenticator app to add this account. Some authenticator apps also allow you to type in the text version instead.

2. Enter Code from Authenticator App

Download Recovery Codes Optional

Use one of these 5 codes to log in if you lose access to your authenticator device. Codes are 16 characters long plus optional spaces. Each one may be used only once.

  • 5258 a77a 7d7c ea16
  • a83b 40a5 116b f7cc
  • 3250 9292 82fa 962c
  • 4cc4 10ad e3e1 abed
  • 5993 ab5b 7142 1668

Download

Enter the code from your authenticator app below to verify and activate two-factor authentication for this account.

Activate

Server Time: 2025-12-15 19:22:42 UTC (2025-12-15 19:22:42 UTC+0)
Browser Time:
Corrected Time (NTP): 2025-12-15 19:22:42 UTC (2025-12-15 19:22:42 UTC+0)
Detected IP: 216.73.216.151

Login Security Settings

Learn more about Login Security
Cancel Changes  Save Changes

User Summary

Manage Users
Role Total Users 2FA Active 2FA Inactive
Administrator 3 0 3
Total 3 0 3

2FA

    • For roles that require 2FA, users will have this many days to set up 2FA. Failure to set up 2FA during this period will result in the user losing account access. This grace period will apply to new users from the time of account creation. For existing users, this grace period will apply relative to the time at which the requirement is implemented. This grace period will not automatically apply to admins and must be manually enabled for each admin user.
      • Allow remembering device for 30 days
      • If enabled, users with 2FA enabled may choose to be prompted for a code only once every 30 days per device.
        • Require 2FA for XML-RPC call authentication
        • If enabled, XML-RPC calls that require authentication will also require a valid 2FA code to be appended to the password. You must choose the "Skipped" option if you use the WordPress app, the Jetpack plugin, or other services that require XML-RPC.
        • Skipped
      • Disable XML-RPC authentication
      • If disabled, XML-RPC requests that attempt authentication will be rejected, whether the user has 2FA enabled or not.

WooCommerce & Custom Integrations

      • WooCommerce integration
      • When enabled, reCAPTCHA and 2FA prompt support will be added to WooCommerce login and registration forms in addition to the default WordPress forms. Testing WooCommerce forms after enabling this feature is recommended to ensure plugin compatibility.
      • Show Wordfence 2FA menu on WooCommerce Account page
      • When enabled, a Wordfence 2FA tab will be added to the WooCommerce account menu which will provide access for users to manage 2FA settings outside of the WordPress admin area. Testing the WooCommerce account interface after enabling this feature is recommended to ensure theme compatibility.
      • 2FA management shortcode
      • When enabled, the "wordfence_2fa_management" shortcode may be used to provide access for users to manage 2FA settings on custom pages.
      • Use single-column layout for WooCommerce/shortcode 2FA management interface
      • When enabled, the 2FA management interface embedded through the WooCommerce integration or via a shortcode will use a vertical stacked layout as opposed to horizontal columns. Adjust this setting as appropriate to match your theme. This may be overridden using the "stacked" attribute for individual shortcodes.

reCAPTCHA

        • Enable reCAPTCHA on the login and user registration pages
        • reCAPTCHA v3 does not make users solve puzzles or click a checkbox like previous versions. The only visible part is the reCAPTCHA logo. If a visitor's browser fails the CAPTCHA, Wordfence will send an email to the user's address with a link they can click to verify that they are a user of your site. You can read further details in our documentation.
      • reCAPTCHA v3 Site Key
        reCAPTCHA v3 Secret
          • reCAPTCHA human/bot threshold score
          • A reCAPTCHA score equal to or higher than this value will be considered human. Anything lower will be treated as a bot and require additional verification for login and registration.
      • Run reCAPTCHA in test mode
      • While in test mode, reCAPTCHA will score login and registration requests but not actually block them. The scores will be recorded and can be used to select a human/bot threshold value.

General

      • Allowlisted IP addresses that bypass 2FA and reCAPTCHA
        • Allowlisted IPs must be placed on separate lines. You can specify ranges using the following formats: 127.0.0.1/24, 127.0.0.[1-100], or 127.0.0.1-127.0.1.100.
    • NTP

    • NTP is a protocol that allows for remote time synchronization. Wordfence Login Security uses this protocol to ensure that it has the most accurate time which is necessary for TOTP-based two-factor authentication.

      NTP is currently enabled.

      • Show last login column on WP Users page
      • When enabled, the last login timestamp will be displayed for each user on the WP Users page. When used in conjunction with reCAPTCHA, the most recent score will also be displayed for each user.
      • Delete Login Security tables and data on deactivation
      • If enabled, all settings and 2FA records will be deleted on deactivation. If later reactivated, all users that previously had 2FA active will need to set it up again.