Two-Factor Authentication

Enabling Two-Factor Authentication in iThemes Security Pro

iThemes Security supports multiple WordPress two-factor authentication methods so that users can use the method that works the best for them.

  • Mobile app – iThemes Security supports two-factor authentication apps such as Google Authenticator, Authy, Toopher and FreeOTP. These apps are installed on a smartphone or tablet and generate a time-sensitive code that must be supplied when logging in.
  • Email – Time-sensitive codes are supplied via email to the email address associated with the user’s account. Note: Your WordPress site must support sending emails for this method to work (for example, sending WordPress-generated emails such as password reset and new account emails).
  • Backup codes – Provides a set of one-time use codes that can be used to log in if the primary two-factor method is lost. Note: These codes are intended to be stored in a secure location.
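
How time-sensitive app codes and one-time backup codes like those described above are typically checked, as an added example (not iThemes Security's own code). It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits); `SecondFactor`, `SAMPLE_SECRET` and the backup code used with it are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP, DIGITS = 30, 6  # RFC 6238 defaults (assumption, not stated on this page)
# Constructed sample secret: base32 of the RFC 4226/6238 test key "12345678901234567890"
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32: str, now: float) -> str:
    """Return the RFC 6238 code for the time step that contains `now`."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class SecondFactor:
    """Hypothetical per-user verifier: app code first, backup code as fallback."""

    def __init__(self, secret_b32, backup_codes, window=1):
        self.secret = secret_b32
        # Keep only hashes so a leaked user table does not expose usable codes.
        self.backup = {hashlib.sha256(c.encode()).hexdigest() for c in backup_codes}
        self.window = window   # accepted clock drift, in time steps
        self.last_step = -1    # highest step already accepted (replay guard)

    def verify(self, code: str, now: float) -> str:
        current = int(now) // STEP
        for step in range(current - self.window, current + self.window + 1):
            expected = totp(self.secret, step * STEP).encode()
            if step > self.last_step and hmac.compare_digest(expected, code.encode()):
                self.last_step = step  # the same code cannot be replayed
                return "totp"
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.backup:
            self.backup.remove(digest)  # one-time use: consume on success
            return "backup"
        return "rejected"

if __name__ == "__main__":
    user = SecondFactor(SAMPLE_SECRET, ["backup-0001"])  # constructed backup code
    print(user.verify(totp(SAMPLE_SECRET, 59), 59))      # accepted as app code
    print(user.verify("backup-0001", 59))                # accepted once
    print(user.verify("backup-0001", 59))                # rejected on reuse
```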

NEW! Simplified Two-Factor Authentication Settings

We’ve simplified two-factor authentication setup by providing recommended settings for the Authentication Methods Available to Users section. The “All Methods” setting is recommended so that users can use the method that works the best for them.

Using the drop-down in this section, you can customize the authentication methods available to users.

Note: The following Two-Factor Authentication features require the email method in order to function: User Type Protection, Vulnerable User Protection, Vulnerable Site Protection.

NEW! WordPress User Level Two-Factor Authentication (User Type Protection)

iThemes Security Pro now provides a way to require WordPress user accounts of specific roles to use two-factor if the account doesn’t already do so. The “Privileged Users” setting is highly recommended, as it forces all users who can change site settings, software, or content to use two-factor authentication for their account login.

You can also customize which user roles are required to use two-factor. Just use the “Select Roles Manually” option from the drop-down.

Note: Once these settings are saved, the selected users will be required to enter the code sent to the email address associated with their account to log in.

NEW! Vulnerable User Protection and Vulnerable Site Protection

You can now enforce two-factor authentication for “vulnerable users” and for all users if iThemes Security detects that the site is vulnerable. To enable these two settings, check the box next to each setting.

  • Vulnerable User Protection – Requires WordPress user accounts that are considered vulnerable, such as accounts with a weak password or accounts subject to recent brute force attacks, to use two-factor if the account doesn’t already do so. Enabling this feature is highly recommended.
  • Vulnerable Site Protection – Requires all WordPress users to use two-factor when logging in if iThemes Security detects the site is vulnerable (such as running outdated software or software known to be vulnerable). Enabling this feature is highly recommended.

WordPress Two-Factor Authentication Setup

Once two-factor authentication is enabled with the iThemes Security Pro plugin, affected individual users can complete two-factor setup from the WordPress dashboard.


Individual users can then complete their two-factor authentication setup by visiting the Users > Your Profile page.


From this screen, they can configure the two-factor mobile app of their choice, set their primary authentication method and get their backup codes.
